Racoon Stealer is a recent addition to the daily deluge of malware. It first came to market around April of this year (2019) and has since found a solid base of customers to spread it. Believed to be developed by people residing in CIS countries, it has multiple capabilities that allow for quick monetization of infected users.
On Oct 30, CofenseLabs began seeing a campaign, targeting ordinary users as well as some people within the utilities industry, that would have led to Racoon Stealer infections. The email purports to come from a likely fictional sales manager at a Hong Kong based business, requesting that a quotation be reviewed. This is a common theme in phishing, since business-to-business communications of this kind are routine.
Figure 1 – Example Phish
The attached file purports to be a doc file but upon closer inspection turns out to be an RTF. We ran it through Philippe Lagadec’s tool, rtfobj, to dump out the parts we were interested in and begin our analysis.
The RTF appears to leverage CVE-2017-8570 to run an .sct file. Opening the .sct file reveals VBScript, peppered with random junk code, that downloads and executes a file from a remote resource.
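As an added, defensive illustration (not code from this post or from Cofense, and far smaller than rtfobj), the Python below pulls the hex of every \objdata run out of an RTF, decodes it, and flags embedded objects whose name ends in .sct, the file type the analysis above says the exploit runs. The sample RTF and the object names in it are constructed, not taken from the real attachment.

```python
import re

# Constructed sample RTF for demonstration; not the real "Purchase Order Form.doc".
# It embeds two OLE1-style "Package" objects: one naming an .sct scriptlet, one a .txt.
def _objdata_hex(filename: str) -> str:
    # Simplified OLE1 blob: version/format header, class name, then the Package
    # native data carrying the embedded file name (real layout has more fields).
    blob = (b"\x01\x05\x00\x00\x02\x00\x00\x00\x08\x00\x00\x00Package\x00"
            + b"\x02\x00" + filename.encode() + b"\x00")
    return blob.hex()

SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 {\fonttbl{\f0 Calibri;}}"
    r"{\object\objemb{\*\objclass Package}{\*\objdata "
    + _objdata_hex("quotation.sct") + "}}"
    r"{\object\objemb{\*\objclass Package}{\*\objdata "
    + _objdata_hex("readme.txt") + "}}"
    r"\par Please review the attached quotation.}"
)

# Hex run following the \objdata control word; RTF writers may break it across lines.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")
# An ASCII file name ending in .sct inside the decoded object bytes.
SCT_NAME_RE = re.compile(rb"[\w\-. ]{1,100}\.sct\b", re.IGNORECASE)


def extract_objdata(rtf: str) -> list[bytes]:
    """Return the decoded bytes of every \\objdata hex run in the RTF text."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s+", "", m.group(1))
        if len(hexstr) % 2:          # truncated run: drop the dangling nibble
            hexstr = hexstr[:-1]
        try:
            blobs.append(bytes.fromhex(hexstr))
        except ValueError:            # not hex after all; skip this object
            continue
    return blobs


def find_sct_objects(rtf: str) -> list[str]:
    """File names of embedded objects that carry an .sct scriptlet."""
    hits = []
    for blob in extract_objdata(rtf):
        for m in SCT_NAME_RE.finditer(blob):
            hits.append(m.group(0).decode("ascii", "replace"))
    return hits


if __name__ == "__main__":
    print(find_sct_objects(SAMPLE_RTF))   # ['quotation.sct']
```

A hit means only that an embedded object names an .sct file; confirming CVE-2017-8570 still takes a full object dump with rtfobj or a sandbox run.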
The above URL leads to the download of what is ultimately Racoon Stealer. Once Racoon is running, it attempts to download a file from Google Drive and then begins checking in to a C2 host. The initial check-in to the C2 includes a base64 blob in an application/x-www-form-urlencoded request body. The base64 decodes into key-value pairs:
After check-in, it downloads sqlite3.dll and libs.zip from the same C2 host. Racoon drops a file named machineinfo.txt in \Users\<user>\AppData\Local\Temp. It makes no attempt to hide which program created it, as can be seen in the following screenshot of the file.
While not particularly advanced, Racoon is worth keeping an eye out for, as detection rates at the time of discovery for both the RTF and the final payload were very low. As it gains more market share and the developers add functionality, it may well become a much bigger problem.
Purchase Order Form.doc: 63b5d555c6dc8be95a5f7d97141090139fcbd34542e3a391c7cd4addb6b80ce6
C2 and Downloads: