Raccoon Stealer’s Abuse of Google Cloud Services and Multiple Delivery Techniques


With additional insights/analysis from Augusto Remillano II and Don Ovid Ladores


Raccoon emerged as Malware as a Service (MaaS) in April 2019. Despite its simplicity, Raccoon became popular among cybercriminals and was mentioned as a notable emerging malware in underground forums in a malware popularity report.


The malware is capable of stealing login credentials, credit card information, cryptocurrency wallets, and browser information. Raccoon has basic infostealer functions but an aggressive marketing campaign and overall good user experience proved enough to make up for its lack of additional features. The service is also relatively cheap, with a price that ranged from US$75 per week to $200 per month.


It can arrive on a system through different delivery techniques, such as exploit kits, phishing, and being bundled with other malware. In this blog entry we investigate campaigns that used the Fallout and Rig exploit kits, in which we also observed the use of Google Drive as part of its evasion tactics.


Exploit kits


We recorded one case that used the Rig exploit kit and two cases that used the Fallout exploit kit to drop the Raccoon stealer, in July and October 2019. The infection chains of these three cases are summarized below.



Case 1: Fallout, October 31, 2019
Arrival: Malvertisement, maximili[.]com (173.254.98.143)
Redirector: (none listed)
EK URL: hxxp://getyourfree[.]cloud/3966/rerelease-8383/24-07-1920[.]aspx (134.209.185.112)

Case 2: Fallout, October 10, 2019
Arrival: Malvertisement, hxxps://biome.es/php.php (31.31.198.19)
Redirector: hxxps://coliqiou[.]com/gzJrZZ?&se_referrer= (5.188.60.95)
EK URL: hxxps://germanrights4u[.]com/2010-03-08/ypiNv/unengaged?PdohQ=UEmE (104.248.32.22)

Case 3: Rig, July 15, 2019
Arrival: Ad network, hxxp://p201298[.]mybetterdl[.]com/adServe/domainClick?{redacted} and hxxp://mybetterdl[.]com/aS/feedclick?{redacted}
Redirector: hxxp://makemoneyeazywith[.]me/?utm_trc=ASIA{redacted}
EK URL: hxxp://185[.]246[.]65[.]115/?MzkxMTg3&pbcHJYg&Cb{redacted}

Raccoon malware dropped (SHA256): c0127722274b1b821443ee5d6a8f59 ..
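As an added example (not code from the original post), the following Python script refangs the indicators listed above, tags proxy-log requests with the chain stage they belong to (arrival, redirector, EK URL), and groups them per client so that a complete malvertisement-to-exploit-kit sequence stands out in review. The log lines are constructed for illustration and the log format (timestamp, client, method, URL, status) is an assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators copied from the cases above, defanged exactly as published.
STAGES = {
    "arrival": ["maximili[.]com", "hxxps://biome.es/php.php",
                "hxxp://mybetterdl[.]com/aS/feedclick"],
    "redirector": ["hxxps://coliqiou[.]com/gzJrZZ",
                   "hxxp://makemoneyeazywith[.]me/"],
    "ek_url": ["hxxp://getyourfree[.]cloud/", "hxxps://germanrights4u[.]com/",
               "hxxp://185[.]246[.]65[.]115/"],
}

def refang(ioc):
    """Turn a defanged indicator (hxxp, [.]) back into a plain hostname."""
    ioc = ioc.replace("[.]", ".").replace("hxxp", "http")
    return urlsplit(ioc).hostname if "://" in ioc else ioc.split("/")[0]

# hostname -> stage; subdomains (e.g. p201298.mybetterdl.com) match by suffix
HOST_TO_STAGE = {refang(i): s for s, iocs in STAGES.items() for i in iocs}

def classify(url):
    """Return the chain stage a requested URL belongs to, or None."""
    host = urlsplit(url).hostname or ""
    for ioc_host, stage in HOST_TO_STAGE.items():
        if host == ioc_host or host.endswith("." + ioc_host):
            return stage
    return None

def reconstruct_chains(log_text):
    """Group matching requests per client IP, keeping log order."""
    chains = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, _method, url, _status = line.split()
        stage = classify(url)
        if stage:
            chains[client].append((ts, stage, url))
    return dict(chains)

# Constructed proxy log (timestamp client method url status); not real traffic.
LOG = """\
2019-10-10T08:14:02Z 10.0.0.7 GET https://biome.es/php.php 200
2019-10-10T08:14:03Z 10.0.0.7 GET https://coliqiou.com/gzJrZZ?&se_referrer= 302
2019-10-10T08:14:05Z 10.0.0.7 GET https://germanrights4u.com/2010-03-08/ypiNv/unengaged?PdohQ=UEmE 200
2019-10-10T08:20:00Z 10.0.0.9 GET https://www.example.com/index.html 200
2019-07-15T12:01:00Z 10.0.0.12 GET http://p201298.mybetterdl.com/adServe/domainClick?id=1 200
2019-07-15T12:01:02Z 10.0.0.12 GET http://185.246.65.115/?MzkxMTg3 200
"""
```

A client whose stage sequence runs arrival, redirector, EK URL (or arrival straight to EK URL, as in the October 31 case) is the one to pull endpoint telemetry for first.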
