# New Generation of Raccoon Stealer v2

**[zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family](https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family)**

## Introduction

Raccoon is a malware family that has been sold as malware-as-a-service on underground
forums since early 2019. In early July 2022, a new variant of this malware was released.
The new variant, popularly known as Raccoon Stealer v2, is written in C unlike previous
versions which were mainly written in C++.

The Raccoon Malware is a robust stealer that allows stealing of data such as passwords,
cookies, and autofill data from browsers. Raccoon stealers also support theft from all
cryptocurrency wallets.

In this blog, ThreatLabz will analyze Raccoon Stealer v2 in the exe format, and highlight key
differences from its predecessors. The authors of the Raccoon Stealer malware have
announced that other formats are available, including DLLs and embedded in other PE files.

## Detailed Analysis

Raccoon v2 is an information stealing malware that was first seen on 2022-07-03. The
malware is written in C and assembly.

Though we noticed a few new features in the newer variant as mentioned below, the data
stealing mechanism is still the same as is seen in its predecessor:

1. Base64 + RC4 encryption scheme for all string literals
2. Dynamic Loading Of WinAPI Functions


-----

3. Discarded the dependence on Telegram API

We have noticed a significant change in the way list of command and control servers is
obtained. The Raccoon Malware v1 was seen abusing the Telegram network to fetch the list
of command and control servers, whereas the newer variant has abandoned the use of
Telegram. Instead, they use a hardcoded IP address of a threat-actor-controlled server to
fetch the list of command and control servers from where the next stage payload (mostly
DLLs) is downloaded.

## File Information

**Malware Name: Raccoon Stealer v2**
**Language: C**
**File Type: exe**
**File Size: 56832**
**MD5: 0cfa58846e43dd67b6d9f29e97f6c53e**
**SHA1: 19d9fbfd9b23d4bd435746a524443f1a962d42fa**
**SHA256: 022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03**

## Debug Information

The analyzed file has debug data intact. According to the Debug headers compilation date
was Thursday, 26/05/2022 13:58:25 UTC as shown in Figure 1.

_Figure 1: Raccoon v2 Debug Headers_

We have also seen a change in how Raccoon Stealer v2 hides its intentions by using a
mechanism where API names are dynamically resolved rather than being loaded statically.
The stealer uses LoadLibraryW and GetProcAddress to resolve each of the necessary
functions (shown in Figure 2). The names of the DLLs and WinAPI functions are stored in
the binary as clear text.


-----

_Figure 2: Raccoon v2 dynamic resolution_

**List Of Loaded DLLs**

1. kernel32.dll
2. Shlwapi.dll
3. Ole32.dll
4. WinInet.dll
5. Advapi32.dll
6. User32.dll
7. Crypt32.dll
8. Shell32.dll

Raccoon v1 did not employ dynamic resolution for used functions, therefore packed
samples were often observed in the wild to evade detection mechanisms. Conversely,
Raccoon v2 is often delivered unpacked. Figure 3 shows the imported DLLs for raccoon v1.


-----

_Figure 3: Raccoon Stealer v1 imports (unpacked)_

Once resolution of functions is done, the stealer will run its string decryption routine. The
routine is simple. RC4 encrypted strings are stored in the sample with base64 encoding.
The sample first decodes the base64 encoding and then decrypts the encrypted string with
the key ‘edinayarossiya’. This routine is followed for all the strings in function
**string_decryption(). The 'string_decryption' routine is shown in Figure 4.**

_Figure 4: Raccoon v2 String Decryption Routine_

Previous versions of Raccoon Stealer did not encrypt string literals other than hard coded
IP addresses. The Raccoon v2 variant overcomes this by encrypting all the plain text
strings. Several of the plaintext strings of Raccoon v1 are shown in Figure 5.


-----

_Figure 5: Plaintext Strings In Raccoon v1_

After manual decryption of the Raccoon v1 sample strings, the following (Figure 6 and
Figure 7) strings were obtained in plaintext format.


-----

_Figure 6: Raccoon v2 Decrypted Strings_

_Figure 7: Raccoon v2 Decrypted Strings_

The command and control IP addresses are saved in the malware and follow the same
decryption routine but have a different key, 59c9737264c0b3209d9193b8ded6c127. The IP
address contacted by the malware is ‘hxxp://51( )195( )166( )184/’ The decryption routine


-----

is shown in Figure 8.

_Figure 8: IP Address Decryption Raccoon v2_

## Decrypting Command and Control IP Address

The encrypted command and control IP Address can be easily decrypted by using public
tools such CyberChef as shown in Figure 9.

_Figure 9: Raccoon v2 IP Address (via cyberchef utils)_

This technique is common between both versions of the malware. Figure 10 shows the
same routine employed in Raccoon v1.


-----

_Figure 10: Raccoon v1 setting up overhead before IP Address decryption_

Once all the overhead of setting up the functions and decryption of the strings is done, the
malware will perform some checks before contacting the command and control server to
download malicious DLLs and exfiltrate information.

## Overhead Before Exfiltration

Before executing the core of the malware, certain checks are made to understand the
execution environment. This includes making sure the malware isn't already running on the
machine. Further the malware also checks if it's running as NT Authority/System.

The malware gets a handle on mutex and checks if it matches a particular value or not. If it
matches, the malware continues execution.

**Value: 8724643052.**

This technique is used to make sure only one instance of malware is running at one time.
Figure 11 depicts the Mutex check and creation for Raccoon v2, while Figure 12 depicts the
similar procedure used in Raccoon v1.

_Figure 11: Raccoon v2 Mutex Check_


-----

_Figure 12: Raccoon v1 Mutex Check_

By retrieving the Process token and matching the text "S-1-5-18," as shown in Figure 13,
the malware determines if it is or is not operating as the SYSTEM user.

_Figure 13: Raccoon v2 Enumerating Process Token_

If running as a SYSTEM user, the enumeration of all the running processes is done with the
help of fun_CreateToolhelp32Snapshot. Otherwise, the malware moves forward without
the enumeration. Figure 14 shows the 'enumerate_processes()' function being called while
Figure 15 shows the malware iterating over the Processes.


-----

_Figure 14: Raccoon v2 Enumerate Process_

_Figure 15: Raccoon v2 Iterating Process Struct_

## Fingerprinting Host

Once the malware is aware of the environment in which it's running, it starts to fingerprint
the host. This malware uses functions such as:

1. RegQueryValueExW for fetching machine ID
2. GetUserNameW

Figure 16 depicts the malware retrieving the Machine ID from the registry key
"SOFTWAREMicrosoftCryptography" via the RegQueryKeyExW and
**RegQueryValueExW functions. Figure 17 depicts malware using the GetUserNameW**
function to retrieve a username.


-----

_Figure 16: Raccoon v2 Fetching MachineID_

_Figure 17: Raccoon v2 Fetching Username_


-----

_Figure 18: Raccoon v2: Username Buffer_

After all this is done, the malware will enumerate information such as MACHINE ID and
**username and then send the data to the remote command and control server.**

For this purpose, the malware creates a char string and starts appending these values to it.
It starts by adding machine id and username. Figure 19 shows the built payload in buffer.

_Figure 19: Raccoon v2: Fingerprinting Payload_

Next, it generates and appends configId which is the rc4 encryption key.

**machineId=<MachineGuid>|<UserName>&configId=<RC4 key>**


-----

## Communications with Command and Control

Communication with command and control takes place over plain text http protocol. The
previously decrypted IP address hxxp://51(.)195(.)166(.)184/ is used for command and
control communication.

The malware contacts the list of previously decrypted command and control IP addresses
(stored in local_3c). Since this malware only contains one command and control IP
Address, the post request is only made to one as seen in Figure 20.

_Figure 20: Raccoon v2: Command and Control communication_

**Command and Control URL**

_Figure 21: Raccoon v2 URL in buffer_

**Request Headers**


-----

_Figure 22: Raccoon v2 Request Headers_

Once the request has been made, the malware checks if the content body length is zero or
not. If no content is received from command and control or the content body length is zero,
the malware exits. This check is made because the exfiltration mechanism of the malware
requires command and control to respond with a list IP Addresses to exfiltrate data to. In
Figure 23, this condition can be seen along with the 'ExitProcess()' function call.


-----

_Figure 23: Raccoon v2 Verifying Response Content_

## Discarded the dependence on Telegram bot

The Raccoon v1 relied on the Telegram Bot API description page to fetch command and
control IP addresses and establish connections. The recent malware variants (v2) from this
family have started to hard-code IP addresses in the binary to achieve this task. Raccoon
Malware v2 uses 5 hard coded IP addresses and iterates over them.

## Data Exfiltration

The malware relies on response from command and control server to down the required
DLLs and decides on the next course of action.

As of the writing of this blog the command and control IP has died, thus analysis of traffic
towards the host is not possible. ThreatLabz has previously observed that the command
and control server provides information on where to download additional payloads from and
which IP Address to use for further communications.

_Figure 24: Raccoon v2 pinging extracted IP Address_

**Grepped DLLs**

_Figure 25: Raccoon v2 DLLs that are downloaded_

The malware uses a WINAPI call to SHGetFolderPathW to get a path to C:\Users\
**<User>\AppData and appends “Local” to it and uses it as the path to store stolen**
information before sending it to the command and control.


-----

_Figure 26: Raccoon v2 Storage Path In Buffer_

## Indicators Of Compromise

**IP contacted by the analyzed sample of Raccoon v2.**

55(.)195(.)166(.)184

[List Of Other IPs that act as an C2 for other samples can be found here.](https://pastebin.com/RD0HRVw3)

**Downloaded DLLs**

1. nss3.dll
2. sqlite3.dll
3. GdiPlus.dll
4. Gdi32.dll

**Path Used By the Malware**

1. C:\Users\<USERNAME>\AppData\Local

**Other samples observed in the wild of Raccoon v2.**

1. 0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909
2. 022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03
3. 048c0113233ddc1250c269c74c9c9b8e9ad3e4dae3533ff0412d02b06bdf4059
4. 0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256
5. 2106b6f94cebb55b1d55eb4b91fa83aef051c8866c54bb75ea4fd304711c4dfc
6. 263c18c86071d085c69f2096460c6b418ae414d3ea92c0c2e75ef7cb47bbe693
7. 27e02b973771d43531c97eb5d3fb662f9247e85c4135fe4c030587a8dea72577
8. 2911be45ad496dd1945f95c47b7f7738ad03849329fcec9c464dfaeb5081f67e
9. 47f3c8bf3329c2ef862cf12567849555b17b930c8d7c0d571f4e112dae1453b1
10. 516c81438ac269de2b632fb1c59f4e36c3d714e0929a969ec971430d2d63ac4e

11. 5d66919291b68ab8563deedf8d5575fd91460d1adfbd12dba292262a764a5c99
12. 62049575053b432e93b176da7afcbe49387111b3a3d927b06c5b251ea82e5975
13. 7299026b22e61b0f9765eb63e42253f7e5d6ec4657008ea60aad220bbc7e2269
14. 7322fbc16e20a7ef2a3188638014a053c6948d9e34ecd42cb9771bdcd0f82db0


-----

15. 960ce3cc26c8313b0fe41197e2aff5533f5f3efb1ba2970190779bc9a07bea63
16. 99f510990f240215e24ef4dd1d22d485bf8c79f8ef3e963c4787a8eb6bf0b9ac
17. 9ee50e94a731872a74f47780317850ae2b9fae9d6c53a957ed7187173feb4f42
18. bd8c1068561d366831e5712c2d58aecb21e2dbc2ae7c76102da6b00ea15e259e
19. c6e669806594be6ab9b46434f196a61418484ba1eda3496789840bec0dff119a
20. e309a7a942d390801e8fedc129c6e3c34e44aae3d1aced1d723bc531730b08f5
21. f7b1aaae018d5287444990606fc43a0f2deb4ac0c7b2712cc28331781d43ae27

## Conclusion

Raccoon Stealer sold as Malware-as-a-Service has become popular over the past few
years, and several incidents of this malware have been observed. The Authors of this
malware are constantly adding new features to this family of malware. This is the second
major release of the malware after the first release in 2019. This shows that the malware is
likely to evolve and remain a constant threat to organizations.

## Zscaler coverage

We have ensured coverage for the payloads seen in these attacks via advanced threat
signatures as well as our advanced cloud sandbox.

_Figure 27: Zscaler Sandbox Detection_

Zscaler's multilayered cloud security platform detects indicators at various levels, as shown
below:

**[Win32.PWS.Raccoon](https://threatlibrary.zscaler.com/threats/6138de3d-405e-46b3-a360-7689aef9e2ed)**


-----

-----