Raccoon Stealer Bundles Malware, Propagates Via Google SEO

Aug 17, 2014
Criminals behind the Raccoon Stealer platform have updated their services to include tools for siphoning cryptocurrency from a target’s computer and new remote access features for dropping malware and scooping up files.

The stealer-as-a-service platform, whose customers are typically rookie hackers, offers turnkey services for pilfering browser-stored passwords and authentication cookies. According to new research from Sophos Labs published Tuesday, the platform has received a noteworthy update that includes new tools and distribution networks to grow the pool of infected targets.

For starters, Raccoon Stealer has pivoted from inbox-based infections to ones that leverage Google Search. According to Sophos, threat actors have been proficient in their optimization of malicious web pages to rank high in Google search results. The bait to lure victims in this campaign is software pirating tools such as programs to “crack” licensed software for illicit use or “keygen” programs that promise to generate registration keys to unlock licensed software.

“While the sites advertised themselves as a repository of ‘cracked’ legitimate software packages, the files delivered were actually disguised droppers. Clicking on the links to a download connected to a set of redirector JavaScripts hosted on Amazon Web Services that shunt victims to one of multiple download locations, delivering different versions of the dropper,” wrote Yusuf Polat and Sean Gallagher, both senior threat researchers at Sophos, who authored the report.

What is unique about Raccoon Stealer is that, unlike other info-stealer services and malware targeting individuals via inboxes, the campaign Sophos tracked is distributed via malicious websites.

Researchers said that victims falling for the ploy download a first-stage payload in the form of an archive. That archive contains another, password-protected archive and a text document holding the password used later in the infection chain. “The archive containing the ‘setup’ executable is password-protected to evade malware scanning,” they wrote.

Eventually, opening the executable delivers self-extracting installers. “They have signatures associated with self-extracting archives from tools such as 7zip or Winzip SFX, but cannot be unpacked by these tools. Either the signatures have been faked, or the headers of the files have been manipulated by the actors behind the droppers to prevent unpacking without execution,” Sophos wrote.
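One defender-side triage check for the symptom the Sophos quote describes (a file that carries a 7-Zip SFX signature but whose embedded archive header no longer adds up) is to parse the 7z start header and verify its CRCs and offsets yourself. This is an added Python example, not code from the Sophos report or the Threatpost article; the 32-byte 7z start-header layout is the public format, and the sample bytes are constructed here rather than taken from the campaign.

```python
import struct
import zlib

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"  # 6-byte 7z signature, found after the PE stub in an SFX

def find_7z_start_headers(blob: bytes):
    """Yield the offset of every 7z signature in a blob (an SFX appends the archive to the stub)."""
    pos = blob.find(SEVENZ_MAGIC)
    while pos != -1:
        yield pos
        pos = blob.find(SEVENZ_MAGIC, pos + 1)

def check_7z_header(blob: bytes, off: int) -> dict:
    """Validate the 32-byte 7z start header at `off` against the data that follows it.
    Any False field means the file claims a 7z layout that a real unpacker could not
    follow: the 'signature present but will not unpack' pattern described above."""
    hdr = blob[off:off + 32]
    result = {"offset": off, "complete": len(hdr) == 32}
    if not result["complete"]:
        return result
    major, _minor, start_crc, next_off, next_size, next_crc = struct.unpack("<BBIQQI", hdr[6:32])
    result["version_ok"] = major == 0
    # StartHeaderCRC covers the 20 bytes after it: NextHeaderOffset, NextHeaderSize, NextHeaderCRC
    result["start_crc_ok"] = zlib.crc32(hdr[12:32]) == start_crc
    next_pos = off + 32 + next_off
    result["next_header_in_bounds"] = next_size > 0 and next_pos + next_size <= len(blob)
    if result["next_header_in_bounds"]:
        result["next_header_crc_ok"] = zlib.crc32(blob[next_pos:next_pos + next_size]) == next_crc
    else:
        result["next_header_crc_ok"] = False
    checks = ("version_ok", "start_crc_ok", "next_header_in_bounds", "next_header_crc_ok")
    result["plausible_sfx_archive"] = all(result[k] for k in checks)
    return result

def triage(blob: bytes) -> list:
    """Report on every embedded 7z header in a suspected SFX dropper."""
    return [check_7z_header(blob, off) for off in find_7z_start_headers(blob)]

def constructed_samples() -> tuple:
    """Constructed test data: a consistent container and a copy whose NextHeaderOffset
    was overwritten, mimicking a manipulated header. Neither is a real extractable archive."""
    stub = b"MZ" + b"\x00" * 62  # stand-in for an SFX stub's PE bytes
    payload, next_header = b"packed-stream", b"\x01\x04\x06\x00"
    tail = struct.pack("<QQI", len(payload), len(next_header), zlib.crc32(next_header))
    good = stub + SEVENZ_MAGIC + bytes([0, 4]) + struct.pack("<I", zlib.crc32(tail)) + tail + payload + next_header
    bad = bytearray(good)
    struct.pack_into("<Q", bad, len(stub) + 12, 0xFFFF)  # point NextHeaderOffset past end of file
    return good, bytes(bad)

if __name__ == "__main__":
    for sample in constructed_samples():
        print(triage(sample))
```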

Sophos said malware delivered to the victim can include:
  • Crypto-miners
  • “Clippers” (malware that steals cryptocurrency by modifying the victim’s system clipboard during transactions and swapping in the attacker’s destination wallet)
  • Malicious browser extensions
  • YouTube click-fraud bots
  • Djvu/Stop (ransomware targeted primarily at home users)