Raccoon is a malware-as-a-service (MaaS) infostealer that appeared in early 2019, and was aggressively marketed on underground forums from April 2019. Since then, its popularity and use has grown dramatically. It has become one of the top ten most referenced malware in the underground economy, and has infected hundreds of thousands of endpoints across individuals and organizations in North America, Europe and Asia.
Code within Raccoon checks the victim machine’s locale settings, and the malware immediately aborts if the language is Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik, or Uzbek. This is common practice for malware originating in CIS countries, and is one clue that it comes from Russia. A second is that MaaS support is provided in Russian and English; but an English typo suggests that English is not the developers’ native language.
Raccoon, say researchers from Cybereason Nocturnus, is “sold as a MaaS with features like an easy-to-use automated backend panel, bulletproof hosting, and 24/7 customer support in both Russian and English. As of this writing, it costs $200 per month to use.” Customers deliver Raccoon primarily through exploit kits, phishing attacks and bundled malware. The exploit kit used is Fallout, which spawns a PowerShell instance from Internet Explorer; that instance then downloads the infostealer payload.
Phishing is done with an attached Office document containing malicious macro code. If the attachment is opened and the macro allowed to run, it connects to a malicious server and downloads the payload. As part of bundled software, write the researchers, “the attackers use legitimate software bundled with the main payload of the infostealer to infect unsuspecting users. Raccoon installs itself behind-the-scenes, hidden from the user.”
Raccoon is not the most sophisticated infostealer. It is relatively simple, but does its job well. The analysis by the Nocturnus researchers (who have been monitoring the malware since April 2019) shows that any data it steals is first stored locally in the Temp folder. This includes screen captures, system information (such as username, IP address, language settings, OS version, information on installed apps, and CPU and memory information); user login details, cookies, autofill data — which may include credit card data — from 33 different browser types; registry content such as local username/password couplings; and cryptocurrency wallets. All the stolen data is gathered together into a zip file and sent to the malware’s C2 server.
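The three behaviours described above (Internet Explorer spawning PowerShell via the Fallout chain, an Office process spawning a script host after a macro runs, and an archive written to Temp followed by an outbound connection from the same process) can be expressed as correlation heuristics for endpoint telemetry. The following is an added illustration, not code from the article or from Cybereason’s report; the Sysmon-style event schema, file names, process paths and addresses are constructed assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style telemetry (not real Raccoon samples), correlated by pid.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS: list[dict] = [
    {"type": "process_create", "pid": 512, "parent_image": IE,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process_create", "pid": 640, "image": WORD, "parent_image": EXPLORER},
    {"type": "process_create", "pid": 655, "parent_image": WORD,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "pid": 700, "parent_image": EXPLORER,
     "image": r"C:\Users\victim\Downloads\bundled_setup.exe"},
    {"type": "file_create", "pid": 700, "path": r"C:\Users\victim\AppData\Local\Temp\gathered.zip"},
    {"type": "network_connect", "pid": 700, "dest": "203.0.113.10:80"},
    # Benign control: a zip written outside Temp, then a connection.
    {"type": "file_create", "pid": 800, "path": r"C:\Users\victim\Documents\report.zip"},
    {"type": "network_connect", "pid": 800, "dest": "198.51.100.5:443"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TEMP_ZIP = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.zip$", re.IGNORECASE)


def _base(path: str) -> str:
    # ntpath splits on backslashes regardless of the host OS.
    return ntpath.basename(path).lower()


def detect(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule_name, pid) for each event matching one of three heuristics."""
    hits: list[tuple[str, int]] = []
    staged: set[int] = set()  # pids that have written a .zip under %TEMP%
    for ev in events:
        if ev["type"] == "process_create":
            child, parent = _base(ev["image"]), _base(ev["parent_image"])
            if parent == "iexplore.exe" and child == "powershell.exe":
                hits.append(("ie_spawns_powershell", ev["pid"]))  # Fallout EK chain
            elif parent in OFFICE_APPS and child in SCRIPT_HOSTS:
                hits.append(("office_spawns_script_host", ev["pid"]))  # macro dropper
        elif ev["type"] == "file_create" and TEMP_ZIP.search(ev["path"]):
            staged.add(ev["pid"])  # possible staging of collected data
        elif ev["type"] == "network_connect" and ev["pid"] in staged:
            hits.append(("temp_zip_then_outbound", ev["pid"]))  # staged archive leaves the host
            staged.discard(ev["pid"])
    return hits
```

The third rule is deliberately loose (many installers write archives to Temp), so in practice it is a hunting lead to combine with the parent-process rules rather than a stand-alone alert.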
One feature currently missing is a keylogger. Although this suggests the malware is possibly not the ‘best’ infostealer available, it also hints at why the product is proving so successful. “Several users in the underground community are asking for this feature,” say the researchers, “and the Raccoon team has suggested it may be available in the future.”
Given the experience of other users, this implied promise of a future keylogger will probably be fulfilled — the developers have an excellent reputation for courtesy and response to their customers. In one instance, a user took a free trial period but complained to the developers that there was a bug in the control panel’s search engine: “Had an issue with the control panel’s search engine,” he reported. “Problem was solved immediately, on the fly.” Another user wrote on the underground channels, “What surprised me is the support that treats you as a VIP class client, they will do whatever you demand and with expressing gratitude, etc. it is very nice and I have never seen experienced it anywhere else.”
The underground businessman is clearly learning from and adopting the best business behavioral habits of legitimate business. Malware as a service — or the consumerization of malware — is a growing phenomenon.
The Nocturnus researchers do not know who is behind Raccoon. However, snippets of information found on the underground, and sometimes from what may be termed concerned competitors, suggest that the primary mover is known as gladOff. If this is true, and if it is the same gladOff, he “is,” say the researchers, “a long-time threat actor responsible for developing malware like the Decrux and Acrux cryptominers, the Mimosa RAT and the ProtonBot loader.” His specialty is to develop less sophisticated but easy-to-use, end-to-end solutions — just like Raccoon.
He doesn’t seem to be working alone, but possibly with a loose group of co-workers rather than a tightly knit specific gang. There have been fallings-out within that group — including one person who stole and leaked the Raccoon customer database and another who stole $900 from the Raccoon community balance.
In the latter case, the Raccoon team posted an explanation: “The aforementioned user had access to the intra-team test API (dock), had all the links, had a password from the admin account… Yes, our mistake was that after the reorganization of the team, we did not react quickly enough, no one expected such meanness.” It seems that even cyber criminals fall foul of rookie security errors like not adequately managing their privileged accounts.
Raccoon can be seen as a sign of the times. Malware does not have to be incredibly sophisticated; it must just be sophisticated enough to get the job done. The volume of infected endpoints in just a few months of operation suggests that Raccoon is sophisticated enough. Backed by the new and responsive malware-as-a-service business paradigm, it allows wannabe criminals with low technical ability to become successful cybercriminals for just $200 per month. “We expect this trend to continue into 2020 and push the evolution of MaaS forward,” say the researchers.