Raccoon Stealer Exploits Telegram Infrastructure For C&C Storage
Raccoon Stealer, a malware known for its ability to extract sensitive information from victims' computers, has recently been observed exploiting the infrastructure of the messaging app Telegram to store its command and control (C&C) server addresses. The malware is distributed through various means, including Buer Loader and GCleaner, as well as counterfeit patches, cracks, and cheats for popular games such as Fortnite and Valorant. Raccoon Stealer is written in C/C++ and built with Visual Studio, with a size ranging from 580 kb to 600 kb. The code quality is considered below average: some strings are encrypted while others are left in the clear. Notably, the malware checks the user's locale before executing and refrains from running if the locale is Belarusian, Ukrainian, Russian, Kazakh, Kyrgyz, Armenian, Tajik, or Uzbek. Communication between Raccoon Stealer and its C&C server relies on four essential values embedded in its source code. Avast, a prominent cybersecurity company, has released a comprehensive analysis of the global distribution and propagation of this malware and has identified two suspected usernames associated with the malware group.
Key Takeaways
- Raccoon Stealer is distributed through Buer Loader, GCleaner, and fake software patches, cracks, and cheats for popular games.
- The source code of Raccoon Stealer is written in C/C++ and built with Visual Studio, with a size ranging from 580 kb to 600 kb. The quality of the source code is below average, with some strings encrypted and some not encrypted.
- Raccoon Stealer checks the user’s locale before executing, and it does not execute in user locales such as Belarusian, Ukrainian, Russian, Kazakh, Kyrgyz, Armenian, Tajik, and Uzbek.
- Raccoon Stealer communicates with its C&C server using four crucial values: MAIN_KEY, URLs, BotID, and TELEGRAM_KEY. MAIN_KEY has received four updates, and the URLs are derived from a Telegram channel name.
Distribution Methods
Buer Loader and GCleaner have been identified as the primary distribution methods for Raccoon Stealer. Fake patches, cracks, and cheats for popular games such as Fortnite, Valorant, and NBA2K22 have also been used to spread the malware. Raccoon Stealer has been found in fake software samples, and no limits are placed on its distribution. The source code is written in C/C++ and built with Visual Studio; it ranges from 580 kb to 600 kb in size, with some strings encrypted and others left unencrypted. Raccoon Stealer also checks the user locale before executing, and certain locales prevent it from running.
Technical Details
Raccoon Stealer is delivered through fake software samples and is wrapped in malware packers, including Themida, to deceive users into downloading and executing the malicious code and to hinder analysis. Its source code, written in C/C++ and built with Visual Studio, is of below-average quality: some strings are encrypted while others remain unencrypted. The string encryption used in Raccoon Stealer contributes to its ability to evade detection and analysis. Before executing, the malware checks the user's locale and does not run under Belarusian, Ukrainian, Russian, Kazakh, Kyrgyz, Armenian, Tajik, or Uzbek locales. This behaviour suggests that the malware deliberately targets users outside those regions, and it means that a sample executed on an analysis system configured with one of these locales will show no malicious activity.
C&C Communications
Raccoon Stealer's C&C communications rely on four crucial values in the source code: MAIN_KEY, URLs, BotID, and TELEGRAM_KEY. These values establish communication between the malware and the command and control (C&C) server. The MAIN_KEY is updated regularly to keep the communication secure. The URLs are derived from the Telegram channel name, which is how the malware locates its C&C server. The BotID, a hexadecimal string, is sent to the C&C server every time the malware communicates. The TELEGRAM_KEY is used to abuse Telegram's infrastructure for storing the C&C addresses. This abuse of Telegram infrastructure has serious implications for both victims and Telegram users: victims' sensitive information can be compromised, leading to potential financial losses and privacy breaches, and Telegram users may lose trust and confidence in the platform's security.
| Value | Purpose |
|---|---|
| MAIN_KEY | Updated regularly for secure communication |
| URLs | Derived from the Telegram channel name; used to locate the C&C server |
| BotID | Hexadecimal string sent to the C&C server with each communication |
| TELEGRAM_KEY | Used to store C&C addresses in Telegram infrastructure, affecting victims and Telegram users |
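As an added example (not from this article or from Avast's report), the following Python detection logic applies the two observable traits described above, a Telegram channel page fetched to resolve the C&C address and a hexadecimal BotID sent on each contact, to constructed proxy log lines. The t.me / telegram.me host pattern, the process allow-list, the log format and the channel name are assumptions, not values from the page.

```python
import re

# Processes that are expected to reach Telegram web endpoints on a workstation (assumption).
EXPECTED_TELEGRAM_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe"}
# Assumed host pattern: the article states the C&C URLs derive from a Telegram channel name,
# and channel pages are served from t.me / telegram.me.
TELEGRAM_CHANNEL_RE = re.compile(r"^https?://(t\.me|telegram\.me)/[A-Za-z0-9_]+", re.I)
# The article describes the BotID as a hexadecimal string; flag hex-only request bodies.
HEX_ID_RE = re.compile(r"^[0-9a-f]{16,}$", re.I)

# Constructed proxy log lines: "<timestamp> <host> <process> <method> <url> <body>".
SAMPLE_LOG = """\
2022-03-01T10:00:01 ws01 chrome.exe GET https://t.me/somechannel -
2022-03-01T10:00:05 ws01 svchost.exe GET https://t.me/PLACEHOLDER_CHANNEL -
2022-03-01T10:00:06 ws01 svchost.exe POST http://203.0.113.10/ 9f1c2a7b4d8e6f01a3b5c7d9e1f2a4b6
2022-03-01T10:01:00 ws02 telegram.exe GET https://t.me/friends -
"""


def parse_line(line):
    """Split one constructed proxy log line into its fields."""
    ts, host, proc, method, url, body = line.split(maxsplit=5)
    return {"ts": ts, "host": host, "proc": proc.lower(), "method": method, "url": url, "body": body}


def find_dead_drop_resolvers(log_text):
    """Return (finding, host, process, url) tuples.

    Stage 1: a Telegram channel page fetched by a process that normally has no
    business there (the dead-drop resolution of the C&C address).
    Stage 2: the same host/process later POSTs a hex-only body (BotID-like) to a
    non-Telegram host, which is the expected follow-on beacon.
    """
    findings = []
    resolved = set()  # (host, process) pairs seen resolving a Telegram channel
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        key = (ev["host"], ev["proc"])
        if TELEGRAM_CHANNEL_RE.match(ev["url"]) and ev["proc"] not in EXPECTED_TELEGRAM_PROCESSES:
            resolved.add(key)
            findings.append(("telegram_channel_fetch", ev["host"], ev["proc"], ev["url"]))
        elif key in resolved and ev["method"] == "POST" and HEX_ID_RE.match(ev["body"]):
            findings.append(("hex_id_beacon_after_resolve", ev["host"], ev["proc"], ev["url"]))
    return findings
```

Browser and Telegram client traffic to channel pages is normal and is suppressed by the allow-list; the second stage only fires for a process that already performed the suspicious resolution.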
Frequently Asked Questions
What is the purpose of Raccoon Stealer malware?
The purpose of Raccoon Stealer malware is to steal sensitive information from infected devices, including login credentials, credit card details, and cryptocurrency wallets. Users can protect themselves by employing strong security measures and being cautious of suspicious downloads and links. Falling victim to Raccoon Stealer can result in financial loss, identity theft, and compromised online accounts.
How does Raccoon Stealer check user locales before executing?
Raccoon Stealer checks user locales before executing by comparing the user’s locale setting with a list of prohibited locales. If the user’s locale matches any of the prohibited locales, the malware does not execute, thereby preventing targeted attacks on users from those regions.
How does Raccoon Stealer communicate with the C&C server?
Raccoon Stealer uses encryption to communicate with the C&C server. Its source code contains four crucial values for C&C communications: MAIN_KEY, URLs, BotID, and TELEGRAM_KEY. Raccoon Stealer exploits no known vulnerability in Telegram; it abuses Telegram's legitimate infrastructure to store its C&C addresses.
What updates have been made to the MAIN_KEY in the Raccoon Stealer source code?
The MAIN_KEY in the Raccoon Stealer source code has received four updates. These updates likely involve changes to the key used for communication with the command and control (C&C) server. Additionally, Raccoon Stealer exploits Telegram infrastructure for storing C&C addresses.
What are the suspected usernames related to the Raccoon Stealer malware group that Avast identified?
The suspected usernames related to the Raccoon Stealer malware group, as identified by Avast, are 'andrewklychkov' and 'andreycog'. These usernames are linked to the activities and operations of the malware group.