Raccoon infostealer malware

Original Issue Date: August 22, 2023
Virus Type: Infostealer malware
Severity: Medium

It has been reported that a new variant of the Raccoon Stealer malware is spreading across the globe. The malware can steal a variety of sensitive information, including user data, credentials, browser data, bank account details, and cryptocurrency wallet information.

The new iteration of Raccoon heightens the risk to sectors such as finance, which are attractive targets for cyberattacks and financial fraud. The updated malware is more user-interactive and is offered with advanced functionalities such as malware-as-a-service (MaaS).

Infection Mechanism:

As observed, the malware targets over 60 applications, such as Google Chrome, Opera, Outlook, Electrum, and others, using specialised methods to extract and collect data.

Raccoon executes the following cycle against each targeted application:

  • Extracting the application file containing sensitive data.
  • Copying the file to a designated folder (%Temp%).
  • Creating and saving a text file that holds stolen information in the target application's folder.

Raccoon downloads the associated DLLs to obtain and decrypt application credentials.

Once it has extracted the data, Raccoon aggregates all the files into a newly created folder named "Log.zip". The files are then sent to its pre-configured C&C server, and any traces of the infection are erased in the process.

Fig: Log.zip Folder Created by Raccoon to Store Stolen Information (Source: Cyberint)

As this type of malware steals credentials and cookies, threat actors could potentially use the stolen session cookies to bypass multi-factor authentication and gain access to corporate networks. Once a foothold is established within the network, a range of attacks, such as data theft, ransomware, BEC scams, and cyber espionage, could be initiated.

Indicators of Compromise:

IP:
  • 195.201.225[.]248 – Resolves to telete[.]in and related domains
  • 95.216.186[.]40 – Resolves to tttttt[.]me and related domains
SHA256:
  • 012e382049b88808e2d0b26e016dc189f608deea9b6cc993ce24a57c99dd93d1
  • 18c27b85f26566dd782171e00ea5b5872546b23526cca0ebb185caca35fdec93
  • 24499fbfd8a2b2663899841f3cf424b60d60c26351b5d491fd475adf9e301256
Domain:
  • telete[.]in – Initial ‘call home’ to an unofficial Telegram service
  • telecut[.]in – Suspicious domain related to telete[.]in
  • tgraph[.]io – Suspicious domain related to telete[.]in
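The infection cycle above (files staged under %Temp% and bundled into Log.zip before being sent to the C&C server) and the indicator list give a defender two things to match on: the listed IPs, domains and SHA256 hashes, and the Log.zip staging artefact. The following Python script is an added example, not part of the advisory or any CERT-In tooling: it refangs the advisory's defanged indicators (tttttt[.]me is taken from the IP entry), scans a few constructed log lines for them, and flags a Log.zip created under the user's Temp folder. The log formats, the expansion of %Temp% to <profile>\AppData\Local\Temp, and the names in the sample lines are assumptions made for the example.

```python
"""Added example (not from the advisory): match the advisory's IoCs and the
Log.zip-in-%Temp% staging behaviour against constructed sample telemetry."""
import re
from typing import Dict, List, Set, Tuple

# Indicators exactly as listed in the advisory, kept defanged ("[.]").
ADVISORY_IOCS: Dict[str, List[str]] = {
    "ip": ["195.201.225[.]248", "95.216.186[.]40"],
    "domain": ["telete[.]in", "telecut[.]in", "tgraph[.]io", "tttttt[.]me"],
    "sha256": [
        "012e382049b88808e2d0b26e016dc189f608deea9b6cc993ce24a57c99dd93d1",
        "18c27b85f26566dd782171e00ea5b5872546b23526cca0ebb185caca35fdec93",
        "24499fbfd8a2b2663899841f3cf424b60d60c26351b5d491fd475adf9e301256",
    ],
}


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('telete[.]in') into its live form."""
    return indicator.replace("[.]", ".").lower()


def build_lookup(iocs: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Refanged, lower-cased sets so membership tests are exact and cheap."""
    return {kind: {refang(v) for v in values} for kind, values in iocs.items()}


IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
SHA256_RE = re.compile(r"\b([0-9a-f]{64})\b", re.I)
# Assumption: %Temp% expands to <profile>\AppData\Local\Temp on Windows, so a
# Log.zip created there matches the staging step the advisory describes.
TEMP_LOGZIP_RE = re.compile(r"\\AppData\\Local\\Temp\\Log\.zip\b", re.I)

Hit = Tuple[str, str]


def scan_line(line: str, lookup: Dict[str, Set[str]]) -> List[Hit]:
    """Return every (kind, value) indicator hit found in a single log line."""
    hits: List[Hit] = []
    for ip in IP_RE.findall(line):
        if ip in lookup["ip"]:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        host = host.lower()
        # flag the listed domain itself and any subdomain of it
        if any(host == d or host.endswith("." + d) for d in lookup["domain"]):
            hits.append(("domain", host))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in lookup["sha256"]:
            hits.append(("sha256", digest.lower()))
    if TEMP_LOGZIP_RE.search(line):
        hits.append(("behaviour", "Log.zip staged in %Temp%"))
    return hits


def scan_logs(lines: List[str], iocs=ADVISORY_IOCS) -> List[Tuple[str, List[Hit]]]:
    """Return (line, hits) for every line that matched at least one indicator."""
    lookup = build_lookup(iocs)
    flagged = []
    for line in lines:
        hits = scan_line(line, lookup)
        if hits:
            flagged.append((line, hits))
    return flagged


# Constructed sample telemetry: DNS, proxy, a Sysmon-style file event, an EDR hash.
SAMPLE_LOGS = [
    "2023-08-22T10:01:02Z dns query=telete.in answer=195.201.225.248 client=10.0.0.15",
    "2023-08-22T10:01:05Z proxy host=api.tgraph.io status=200 client=10.0.0.15",
    "2023-08-22T10:01:09Z sysmon FileCreate path=C:\\Users\\alice\\AppData\\Local\\Temp\\Log.zip pid=4120",
    "2023-08-22T10:02:00Z edr sha256=012e382049b88808e2d0b26e016dc189f608deea9b6cc993ce24a57c99dd93d1 path=C:\\Users\\alice\\Downloads\\setup.exe",
    "2023-08-22T10:03:00Z dns query=www.example.com answer=93.184.216.34 client=10.0.0.15",
]

if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_LOGS):
        print(hits, "<-", line)
```

Running it flags four of the five sample lines: the DNS line on both the IP and the domain, the proxy line on a subdomain of tgraph[.]io, the file event on the Log.zip staging path, and the EDR line on the first SHA256. The subdomain match matters because the advisory lists parent domains, and the hash comparison is exact, so a recompiled sample would need the behavioural rule to be caught.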

For a more detailed list of IoCs, refer to the URL below:

Removal tools:

The CSK Free Bot Removal Tool (FBRT) utility may be used to detect and remove specific malware/viruses from affected Windows devices.

Best Practices and Recommendations:

  • Password managers should be used instead of storing credentials on the browser.
  • Multi-factor authentication should be enabled on all accounts.
  • Reduce the risk of downloading potentially harmful apps by limiting your download sources to official app stores, such as your device’s manufacturer or operating system app store.
  • Prior to downloading / installing apps on Android devices (even from the Google Play Store):
    • Always review the app details, number of downloads, user reviews, comments and "ADDITIONAL INFORMATION" section.
    • Verify app permissions and grant only those permissions which have relevant context for the app's purpose.
    • Do not check the "Untrusted Sources" checkbox to install side-loaded apps.
  • Install Android updates and patches as and when available from Android device vendors.
  • Permissions should also be given carefully.
  • Do not browse untrusted websites or follow untrusted links, and exercise caution when clicking on links provided in unsolicited emails and SMS messages.
  • Install and maintain updated anti-virus and antispyware software.
  • Look out for suspicious sender numbers that do not look like real mobile phone numbers. Scammers often mask their identity by using email-to-text services to avoid revealing their actual phone number. Genuine SMS messages from banks usually carry a sender ID (consisting of the bank's short name) instead of a phone number in the sender field.
  • Do thorough research before clicking on a link provided in a message. Many websites allow anyone to run a search on a phone number and see relevant information about whether or not the number is legitimate.
  • Only click on URLs that clearly indicate the website domain. When in doubt, users can search for the organisation's website directly using search engines to ensure that the websites they visited are legitimate.
  • Consider using Safe Browsing tools, filtering tools (antivirus and content-based filtering) in your antivirus, firewall, and filtering services.
  • Exercise caution towards shortened URLs, such as those involving bit.ly and tinyurl. Users are advised to hover their cursors over the shortened URLs (if possible) to see the full website domain which they are visiting or use a URL checker that will allow the user to enter a short URL and view the full URL. Users can also use the shortening service preview feature to see a preview of the full URL.
  • Look out for valid encryption certificates by checking for the green lock in the browser's address bar, before providing any sensitive information such as personal particulars or account login details.
  • Customers should report any unusual activity in their accounts immediately to their bank, with the relevant details, so that appropriate action can be taken.
