- Aug 17, 2014
A credential stealer that first rose to popularity a couple of years ago is now abusing Telegram for command-and-control (C2). Its operators continue to widen the malware's reach through creative distribution and infrastructure choices like this one, researchers have reported.
Raccoon Stealer, which first appeared on the scene in April 2019, now retrieves its actual C2 addresses from Telegram's infrastructure, where its operators can store and update them, according to a blog post published by Avast Threat Labs this week. This gives the operators a “convenient and reliable” command center on the platform that they can update on the fly, without touching the malware already running on victims, researchers said.
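To make the mechanism concrete, the following Python is an added example of a dead-drop resolver of the kind described above, with both the operator side (posting an obfuscated address in a public channel page) and the client side (fetching the page and recovering the address), plus the defender-side check a practitioner would pair with it. It is not Raccoon Stealer's code and not Avast's analysis: the marker strings, the XOR-plus-base64 encoding, the channel name, the key, the C2 addresses (from the RFC 5737 documentation ranges) and the proxy log lines are all constructed stand-ins, since the page does not describe the real encoding.

```python
"""Dead-drop resolver on a public chat platform, both sides, in miniature.

Added illustration only. Markers, key, channel HTML, addresses and the
proxy log are constructed; nothing here reproduces the real malware.
"""
from __future__ import annotations

import base64
import re
from urllib.parse import urlparse

MARKER_START = "[[c2]]"   # hypothetical delimiters around the hidden address
MARKER_END = "[[/c2]]"
KEY = b"example-key"      # hypothetical key assumed to be baked into the client


def _xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call obfuscates and recovers."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_c2(address: str, key: bytes = KEY) -> str:
    """Operator side: obfuscate the real C2 address before posting it."""
    return base64.b64encode(_xor(address.encode(), key)).decode()


def build_channel_html(address: str) -> str:
    """Constructed stand-in for the HTML of a public channel page.

    Rotating the C2 means editing only this description; the client
    binary and its hard-coded key stay the same.
    """
    blob = encode_c2(address)
    return (
        "<html><body>"
        '<div class="channel_description">'
        f"Daily updates {MARKER_START}{blob}{MARKER_END} stay tuned"
        "</div></body></html>"
    )


def resolve_c2(html: str, key: bytes = KEY) -> str | None:
    """Client side: extract the marker-delimited blob and decode it.

    Returns None if the markers are missing or the blob does not decode,
    so a caller can retry or fall back instead of crashing when the
    channel is edited or taken down.
    """
    pattern = re.escape(MARKER_START) + r"(.*?)" + re.escape(MARKER_END)
    m = re.search(pattern, html, re.S)
    if not m:
        return None
    try:
        return _xor(base64.b64decode(m.group(1).strip()), key).decode()
    except (ValueError, UnicodeDecodeError):
        return None


# Defender side. The C2 address changes whenever the operator edits the
# channel, so a feed of C2 IPs ages fast. The stable signal is the fetch
# itself: a process that is neither a browser nor the messenger client
# pulling a public channel page. Constructed log format:
# "<timestamp> <host> <process> <url>".
PROXY_LOG = """\
t1 ws01 chrome.exe https://t.me/s/example_channel
t2 ws02 svchost.exe https://t.me/s/example_channel
t3 ws03 Telegram.exe https://t.me/s/some_news_channel
t4 ws04 rundll32.exe https://t.me/s/example_channel
t5 ws05 curl.exe https://example.org/
"""
TELEGRAM_HOSTS = {"t.me", "telegram.me", "telegram.org", "api.telegram.org"}
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe"}


def flag_telegram_dead_drops(log_text: str) -> list[tuple[str, str]]:
    """Return (host, process) pairs where an unexpected process reached Telegram."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole scan
        _, host, process, url = parts
        netloc = urlparse(url).netloc.lower()
        if netloc in TELEGRAM_HOSTS and process.lower() not in EXPECTED_CLIENTS:
            hits.append((host, process))
    return hits


if __name__ == "__main__":
    page = build_channel_html("http://198.51.100.7/gate")   # documentation address
    print("client resolved:", resolve_c2(page))
    page = build_channel_html("http://203.0.113.9/gate")    # operator rotates it
    print("client resolved after rotation:", resolve_c2(page))
    print("flagged fetches:", flag_telegram_dead_drops(PROXY_LOG))
```

Two caveats for anyone turning the detection half into a real rule: matching on process name is a weak allowlist, since an injected browser process or a renamed binary passes it, so the check should be layered with process-lineage and signing data; and a volume of `t.me` fetches from servers that never host a human user is itself worth baselining, independent of the process name.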
The malware – believed to be developed and maintained by Russia-affiliated cybercriminals – is at its core a credential stealer but is capable of a range of nefarious activity. It can steal not only passwords but also cookies, saved logins and form data from browsers, login credentials from email clients and messengers, cryptocurrency wallet files, data from browser plugins and extensions, and arbitrary files, based on commands from its C2.
“In addition, it’s able to download and execute arbitrary files by command from its C2,” Avast Threat Labs researcher Vladimir Martyanov wrote in the post. This, in combination with active development and promotion on underground forums, makes Raccoon Stealer “prevalent and dangerous,” he said.
The credential-stealing trash panda is using the chat app to store and update C2 addresses as crooks find creative new ways to distribute the malware.