Racoon stealer being delivered via phish with weaponized RTF document

Racoon Stealer is a newer addition to the daily deluge of malware seen. It first came to market back around April of this year (2019) and has since found a solid user base to spread it. Believed to be developed by people residing within CIS countries, it has multiple capabilities that allow for quick monetization of infected users.

On Oct 30, CofenseLabs began seeing a campaign targeting ordinary users as well as some people within the utilities industry that would have led to Racoon Stealer infections. The email takes the form of a likely fictional sales manager from a Hong Kong based business requesting that a quotation be reviewed. This is a common theme among many phishing examples, as business-to-business communications such as these are routine.

Figure 1 – Example Phish

The attached file purports to be a .doc file but upon closer inspection turns out to be an RTF. We ran it through Philippe Lagadec's tool, rtfobj, to dump out the parts we were interested in and begin our analysis.

rtfobj output

The RTF appears to be leveraging CVE-2017-8570 to run a .sct file. Opening up the .sct file reveals some VBScript that has been peppered with random, useless garbage alongside the download and execution of a file from a remote resource.

sct file contents

The URL in the .sct file leads to the download of what is ultimately Racoon Stealer. Once Racoon is running, it attempts to download a file from Google Drive and then begins checking in to a C2 host. The initial check-in to the C2 includes a base64 blob in an application/x-www-form-urlencoded body. The base64 decodes into key/value pairs:
– bot_id
– config_id
– data
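
A small parser for the check-in described above, added here as an example and not code from the Cofense write-up: it walks a captured form-urlencoded POST body, base64-decodes each field value, and reports the decoded pairs when all three keys are present. The form field name ("params") and the "k=v&k=v" layout inside the blob are assumptions, and the sample body is constructed rather than a real capture.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qsl

# Keys the write-up says the decoded blob carries.
CHECKIN_KEYS = {"bot_id", "config_id", "data"}


def _b64_decode_lenient(value: str) -> Optional[bytes]:
    """Decode base64 that has passed through a form body: '+' may have
    become a space during URL decoding, and padding may be missing."""
    cleaned = value.replace(" ", "+").strip()
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_checkin_body(body: str) -> Optional[dict]:
    """Return the decoded key/value pairs if `body` looks like the Racoon
    check-in, otherwise None. The field name is not assumed: every field
    value is tried. The 'k=v&k=v' layout inside the blob is an assumption."""
    for _field, value in parse_qsl(body, keep_blank_values=True):
        raw = _b64_decode_lenient(value)
        if raw is None:
            continue
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue
        pairs = dict(parse_qsl(text, keep_blank_values=True))
        if CHECKIN_KEYS <= pairs.keys():
            return pairs
    return None


def make_sample_body() -> str:
    """Constructed sample check-in body (not a real capture)."""
    inner = "bot_id=SAMPLE-BOT-ID&config_id=SAMPLE-CONFIG-ID&data=SAMPLE-DATA"
    blob = base64.b64encode(inner.encode()).decode()
    return "params=" + blob  # field name 'params' is an assumption


if __name__ == "__main__":
    print(parse_checkin_body(make_sample_body()))
```

Feeding it bodies pulled from a proxy or PCAP export gives a quick triage check; a non-matching body returns None rather than raising.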


After check-in, it downloads a sqlite3.dll and a libs.zip file from the same C2 host. Racoon will drop a file in \Users\<user>\AppData\Local\Temp named machineinfo.txt. It makes no attempt to hide which file created it, as can be seen in the following screenshot of the file.

While not particularly advanced, Racoon is worth keeping an eye out for, as detections at the time of discovery for both the RTF and the final payload were very low. As it gains more market share and the developers add functionality, it may well become a much bigger problem.


Purchase Order Form.doc: 63b5d555c6dc8be95a5f7d97141090139fcbd34542e3a391c7cd4addb6b80ce6

Download URL:

C2 and Downloads:

