We recently came across a stealer, called
Raccoon Stealer, a name given to it by its author. Raccoon Stealer uses the
Telegram infrastructure to store and update actual
Raccoon Stealer is a password stealer capable of stealing not just passwords, but various types of data, including:
- Cookies, saved logins and forms data from browsers
- Login credentials from email clients and messengers
- Files from crypto wallets
- Data from browser plugins and extension
- Arbitrary files based on commands from C&C
In addition, it’s able to download and execute arbitrary files by command from its C&C. In combination with active development and promotion on underground forums, Raccoon Stealer is prevalent and dangerous.
The oldest samples of Raccoon Stealer we’ve seen have timestamps from the
end of April 2019. Its authors have stated the same month as the start of selling the malware on underground forums. Since then, it has been updated many times. According to its authors, they fixed bugs, added features, and more.
We’ve seen Raccoon distributed via downloaders:
Buer Loader and
GCleaner. According to some samples, we believe it is also being distributed in the form of
fake game cheats,
patches for cracked software (including hacks and mods for
NBA2K22), or other software. Taking into account that Raccoon Stealer is for sale, it’s distribution techniques are limited only by the imagination of the end buyers. Some samples are spread unpacked, while some are protected using
Themida or malware packers. Worth noting is that some samples were packed more than five times in a row with the same packer!
Raccoon Stealer is written in
C/C++ and built using
Visual Studio. Samples have a size of about
580-600 kB. The code quality is below average, some strings are encrypted, some are not.
Once executed, Racoon Stealer starts checking for the default user locale set on the infected device and won’t work if it’s one of the following:
The most interesting thing about this stealer is its communication with C&Cs. There are four values crucial for its C&C communication, which are hardcoded in every Raccoon Stealer sample:
MAIN_KEY. This value has been changed four times during the year.
URLsof Telegram gates with channel name. Gates are used not to implement a complicated Telegram protocol and not to store any credentials inside samples
BotID– hexadecimal string, sent to the C&C every time
TELEGRAM_KEY– a key to decrypt the C&C address obtained from Telegram Gate
Let’s look at an example to see how it works:
447c03cc63a420c07875132d35ef027adec98e7bd446cf4f7c9d45b6af40ea2b unpacked to:
- First of all,
MAIN_KEYis decrypted. See the decryption code in the image below:
In this example, the
jY1aN3zZ2j. This key is used to decrypt Telegram Gates
- This example decodes and decrypts Telegram Gate URLs. It is stored in the sample as:
After decoding Base64 it has this form:
Decrypting this binary data with
MAIN_KEY gives us a string with Telegram Gates:
- The stealer has to get it’s real C&C. To do so, it requests a Telegram Gate, which returns an HTML-page:
Here you can see a Telegram channel name and its status in Base64:
The prefix (always five characters) and postfix (always six characters) are removed and it becomes
mD/ry6GYdwNuXl10SYoVBR7/tFgp The Base64 is then decoded to obtain an encrypted C&C URL:
TELEGRAM_KEY in this sample is a string
739b4887457d3ffa7b811ce0d03315ce and the Raccoon uses it as a key to
RC4 algorithm to finally decrypt the C&C URL:
- Raccoon makes a query string with PC information (machine GUID and user name), and
- Query string is encrypted with
MAIN_KEYand then encoded with Base64.
- This data is sent using POST to the C&C, and the response is encoded with Base64 and encrypted with the
MAIN_KEY. Actually, it’s a JSON with a lot of parameters and it looks like this:
Thus, the Telegram infrastructure is used to store and update actual C&C addresses. It looks quite convenient and reliable until Telegram decides to take action.
The people behind Raccoon Stealer
Based on our analysis of seller messages on underground forums, we can deduce some information about the people behind the malware. Raccoon Stealer was developed by a team, some (or maybe all) members of the team are Russian native speakers. Messages on the forum are written in Russian, and we assume they are from former USSR countries because they try to prevent the Stealer from targeting users in these countries.
Possible names/nicknames of group members may be supposed based on the analysis of artifacts, found in samples:
Raccoon Stealer is quite prevalent: from
March 3, 2021 - February 17, 2022 our systems detected
more than 25,000 Raccoon-related samples. We identified
more than 1,300 distinct configs during that period.
Here is a map, showing the number of systems Avast protected from Raccoon Stealer from
March 3, 2021 - February 17, 2022. In this time frame, Avast protected nearly
600,000 Raccoon Stealer attacks.
The country where we have blocked the most attempts is Russia, which is interesting because the actors behind the malware don’t want to infect computers in Russia or Central Asia. We believe the attacks spray and pray, distributing the malware around the world. It’s not until it makes it onto a system that it begins checking for the default locale. If it is one of the language listed above, it won’t run. This explains why we detected so many attack attempts in Russia, we block the malware before it can run, ie. before it can even get to the stage where it checks for the device’s locale. If an unprotected device that comes across the malware with its locale set to English or any other language that is not on the exception list but is in Russia, it would stiIl become infected.
From the more than 1,300 distinct configs we extracted, 429 of them are unique Telegram channels. Some of them were used only in a single config, others were used dozens of times. The most used channels were:
jdiamond13– 122 times
jjbadb0y– 44 times
nixsmasterbaks2– 31 times
hellobyegain– 25 times
h_smurf1kman_1– 24 times
Thus, five of the most used channels were found in about
19% of configs.
Malware distributed by Raccoon
As was previously mentioned, Raccoon Stealer is able to download and execute arbitrary files from a command from C&C. We managed to collect some of these files. We collected
185 files, with a total size
265 Mb, and some of the groups are:
Downloaders– used to download and execute other files
Clipboard crypto stealers– change crypto wallet addresses in the clipboard – very popular (more than 10%)
Servers used to download this software
We extracted unique links to other malware from Raccoon configs received from C&Cs, it was
196 unique URLs. Some analysis results:
43%of URLs have
83 domain nameswere used.
20% of malwarewere placed on
10%were served from
We will continue to monitor Raccoon Stealer’s activity, keeping an eye on new C&Cs, Telegram channels, and downloaded samples. We predict it may be used wider by other cybercrime groups. We assume the group behind Raccoon Stealer will further develop new features, including new software to steal data from, for example, as well as bypass protection this software has in place.