[BACK](https://www.group-ib.com/blog/) [РУССКИЙ](https://www.group-ib.ru/blog) [РУССКИЙ](https://www.group-ib.ru/blog) ENG ENG 0 7.1 2 . 2 0 2 0 # The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer ----- ###### Nikita Rostovcev Threat Intelligence & Attribution analyst at Group-IB ----- on one of underground forums (translation is provided below) Translation: Raccoon Stealer. We steal, You deal! Our team proudly presents the result of many months of work. Stealing logs has never been so easy and straightforward and sorting them as never been so fast and comfortable. We deal with all the frustrating, time-consuming, and tedious issues so that you can focus on what's important: increasing your revenue. Forget about routing and maintaining servers, assembling builds, and other problems. We've gone automatic — all you need is a few clicks. Our specialists work in three areas: software, front-end, and back-end. It helps us focus on specific goals and release a complete product. New software: Exclusive code. Unique build C/C++ stealer with enhanced performance Excellent signal for each entry; only some antivirus software detects Raccoon during dynamic testing Raccoon collects passwords, cookies, autofill data from all popular browsers (including FireFox x64), CC data, system information, and almost all types of desktop crypto wallets Embedded downloader ----- You get an easy-to-encrypt Native x86 executable file Private key, gate address, and other string values are heavily encrypted ----- FakeSecurity's malicious campaign from February to September 2020 ###### Group-IB experts concluded that the purpose of the campaign in question was to steal payment and user data. The attackers used several attack vectors and tools to deliver the malware. It was also discovered that in early 2020, before distributing the Raccoon stealer, the attackers had distributed samples of another stealer called Vidar. To do so, they used attachments with malicious macros and phishing pages created with the Mephistophilus phishing kit. ----- malicious campaigns of hacker group FakeSecurity ----- of FakeSecurity's malicious campaigns ----- #### First wave ###### The first wave of domain registrations began in the co.za zone on February 19, 2020. The suspicious domains contained the following keywords: cloud, document, and Microsoft. Examples of domains registered during the first wave are presented below: ###### msupdater[.]co.za 2020-02-19 documents-cloud-server[.]co.za 2020-03-05 cloudupdate[.]co.za 2020-02-21 ###### As part of the campaign's first wave, the initial compromise vector used: (i) mailings with attachments containing malicious macros and (ii) phishing pages leading to malware downloading. #### Documents with macros ----- ###### (SHA1: b1799345152f0f11a0a573b91093a1867d64e119) was uploaded to VirusTotal via a US web interface. SHA1: b1799345152f0f11a0a 573b91093a1867d64e119 lure document. Alert says: "SECURITY WARNING. Macros have been disabled. "Enable content."" ###### The file is a lure document with malicious macros. When activated, it downloads a payload from http://cloudupdate.co[.]za/documents/msofficeupdate.exe. ----- contained in lure document and partially obfuscated in Base64 ----- the domain badlandsparks[.]com established with the help of Group-IB Graph Network Analysis ###### These files include "13b7afe8ee87977ae34734812482ca7efd62b9b6" and "596a3cb4d82e6ab4d7223be640f614b0f7bd14af". They create a network connection to gineuter[.]info, fastandprettycleaner[.]hk and badlandsparks[.]com. Judging by the requests they make to download libraries and open source data, the file "msofficeupdate.exe" and others like it are samples of the Vidar stealer. Criminals use the stealer to collect data from browsers (including web browsing history and account data), bank card data, crypto wallet files, messages, and more. ----- panel SHA1: 596a3cb4d82e6ab4d 7223be640f614b0f7bd14af file network communication built with the help of GroupIB Graph Network Analysis ###### A list of Vidar-specific HTTP requests and a detailed overview are available here: ----- / (i.e 162) <- Config ip-api.com/line/ <- Get Network Info /msvcp140.dll <- Required DLL /nss3.dll <- Required DLL /softokn3.dll <- Required DLL /vcruntime140.dll <- Required DLL / <- Pushing Victim Archive to C2 ###### The file "BankStatement1.xlsm" (SHA1: c2f8d217877b1a28e4951286d3375212f8dc2335) is another lure document with malicious macros. When activated, it downloads the file from http://download-plugin[.]co.za/documents/msofficeupdate.exe. The download file SHA1: 430a406f2134b48908363e473dd6da11a172a7e1 is also a Vidar stealer. The file is available for download here: • http://download-plugin.co[.]za/documents/msofficeupdate.exe • http://msupdater.co[.]za/documents/msofficeupdate.exe • http://cloudupdate.co[.]za/documents/msofficeupdate.exe ----- 430a406f2134b4890 8363e473dd6da11a172a7e1 file availability from different sources ----- under review established with the help of Group-IB Graph Network Analysis ###### From the start, Mephistophilus has been presented as a system for targeted phishing attacks. This phishing kit contains several fake web page templates for delivering payload, including: • Microsoft Office 365, Word, and Excel online viewers • PDF online viewer • YouTube phishing page ----- panel ----- update window ###### The documents-cloud-server[.]co.za domain contains a web fake imitating an Adobe Reader plugin update page. To continue viewing the document, the user is asked to download a plugin. By clicking on "Download plugin," the user activates a malware download from http://www.documents-cloud-server[.]co.za/file_d/adobe-reader-update 10.21.01.exe. Source code of phishing content is available here. ###### A file with the same name "adobe-reader-update-10.21.01.exe" (SHA1: f33c1f0930231fe6f5d0f00978188857cbb0e90d) was first uploaded to VirusTotal on ----- ###### • http://documents-cloud-server5[.]co.za/file_d/adobe-reader-update-10.21.01.exe • http://documents-cloud-server1[.]co.za/file_d/adobe-reader-update-10.21.01.exe • http://www.documents-cloud-server9[.]co.za/file_d/adobe-reader-update-10.21.01.exe • http://documents-cloud-server8[.]co.za/file_d/adobe-reader-update-10.21.01.exe Example of f33c1f0930231fe6f5d0 f00978188857cbb0e90d file availability from different sources ###### Another file named "msofficeupdater.exe" (SHA1: bdfefdff7b755a89d60de22309da72b82df70ecb) was available for download here: • http://www.documents-cloud-server7[.]co.za/doc/msofficeupdater.exe • http://documents-cloud-server5[.]co.za/doc/msofficeupdater.exe • http://documents-cloud-server7[.]co.za/doc/msofficeupdater.exe ----- ###### • http://documents-cloud-server6[.]co.za/doc/msofficeupdater.exe • http://www.documents-cloud-server5[.]co.za/doc/msofficeupdater.exe • http://www.documents-cloud-server1[.]co.za/doc/msofficeupdater.exe Example of bdfefdff7b755a89d60de22309da72b82df70ecb file availability from different sources #### Second wave ###### The domains associated with the file SHA1: bdfefdff7b755a89d60de22309da72b82df70ecb led us to another batch of domains related to the attackers' infrastructure. The domains were registered in two stages: the first batch on March 13, 2020 and the second one on May 22, 2020. Examples of second wave domains: ----- ###### Batch 1 Batch 2 cloud-server-updater[.]co.za cloud-server-updater17[.]co.za cloud-server-updater1[.]co.za cloud-server-updater18[.]co.za cloud-server-updater15[.]co.za cloud-server-updater27[.]co.za cloud-server-updater16[.]co.za cloud-server-updater28[.]co.za ###### These domains were created to distribute the Raccoon stealer. It is possible to establish the connection between these domain batches by looking at SHA1: b326f9a6d6087f10ef3a9f554a874243f000549d and SHA1: F2B2F74F4572BF8BD2D948B34147FFE303F92A0F files. When executed, these files establish a network connection to: • cloudupdates[.]co.za • cloud-server-updater2[.]co.za • cloud-server-updater19.co.za ----- b326f9a6d6087f10ef3 a9f554a874243f000549d file network communication established with the help of Group-IB Graph Network Analysis ###### About 50 malicious files from public sources are related to the domain cloudupdates[.]co.za. Their first uploads date back to April 30, 2020 and the domain is similar to the previously discovered cloudupdate.co[.]za. Besides having a similar domain name, it was registered through the cloud2m registrar and ns1.host-ww.net, ns2.host ww.net as well as msupdater[.]co.za and cloudupdate[.]co.za ----- from three domains ###### About 300 files from public sandboxes are associated with all the second-wave domains. All these files are lure documents containing malicious macros named "MyBankStatement_2436.xlsm", MyBankStatement_3269.xlsm, "MyBankStatement_5763.xlsm", etc. ----- 83A92952EB5EB3FB 9598C783 lure document sample ###### One of these files is "MyBank_5710.xlsm (SHA1: 685955C5F006C2D83A92952EB5EB3FB9598C783). After activating the macros in this document, a file was downloaded from http://cloud-server updater22[.]co.za/doc/officebuilder. This file with SHA1: 3657CF5F2142C7E30F72E231E87518B82710DC1C is a Raccoon stealer. It connects to the C&C server (35.228.95[.]80) to exfiltrate the collected information, using Google's infrastructure to legitimize requests. In turn, Raccoon makes a network connection to http://cloud-server-updater1[.]co.za/doc/officeupdate.exe and downloads RAT AveMaria (SHA1: a10925364347bde843a1d4105dddf4a4eb88c746), with the C&C server located at the IP address 102.130.118[.]152. AveMaria is a RAT, which was discovered by cybersecurity researchers in late 2018, when it was used to attack an Italian oil and gas company. The RAT is capable of: ----- ###### Ensuring persistence in the infected system Injecting code Keylogging Gaining access to web camera Managing processes Managing files (creation, download, exfiltration, deletion) RDP using rdpwrap Info-stealer support: - Google Chrome - Firefox - Internet Explorer - Outlook - Thunderbird - Foxmail When running, Raccoon makes the following network requests: 6685955C5F006C2D 83A92952EB5EB3FB 9598C783 execution sequence ----- ###### Among these network requests, there is a connection to the blintick Telegram channel. Telegram was used by Raccoon's creators to bypass blocking of the C&C servers. To this end, the stealer makes a request to the Telegram channel and receives the encrypted address of the new C&C server from the description. The first samples using this technique began appearing on VirusTotal in late May 2020. F72E231E87518B827 10DC1C network requests Messages from the designers of the Raccoon stealer ----- blintick Telegram channel and its description ###### Although the Raccoon stealer is distributed according to the MaaS model, all files distributed during the second wave accessed the same Telegram channel. This suggests that documents with malicious macros downloading Raccoon were distributed by the ----- ----- ###### The lure documents used as part of this wave look identical to the previous ones. Judging by their behavior after macros are activated, they were created by the same builder. Such builders make it possible to create office documents with malicious macros based on templates, which helps attackers distribute malicious files much faster and more efficiently. File connections with domains involved in two waves established with the help of GroupIB Graph Network Analysis 618C894C06633E3D7 ADD228531F6E775A1 80A7F7 lure document sample ----- ###### Upon activating macros, the file "My_Statement_1953.xlsm" (SHA1: 618C894C06633E3D7ADD228531F6E775A180A7F7) sends a request to download the stealer file http://microsoft-cloud13[.]co.za/msofficeupdate.exe. The Raccoon stealer file (SHA1: 6639081791A8909F042E4A4197DF7051382B04E5) makes a series of requests to its C&C server (35.198.88[.]195) and tries to download the file http://cloud-server updater1[.]co.za/doc/officeupdate.exe, but receives an "error 302" and is redirected to http://cloud-server-updater1[.]co.za/cgi-sys/suspendedpage.cgi because the original domain is blocked. It seems that the sample was trying to download RAT AveMaria as before. In addition, all files related to this campaign made various network requests, including those to the Telegram channel https://telete.in/blintick. ----- 42E4A4197DF70513 82B04E5 Raccoon stealer network communication #### Using loaders ----- ###### During this campaign, the attackers also experimented with various loaders. While analyzing the infrastructure, we discovered the Buer and Smoke loaders. On April 30, 2020, an xls document (SHA1: 6c6680659b09d18ccab0f933daf5bf1910168b1a) was uploaded to VirusTotal. When the malicious code is executed, it downloads the payload from http://cloud-server updater2.co[.]za/doc/buer.exe. SHA1�6c6680659b09 d18ccab0f933daf5bf1 910168b1a file network communication established with the help of Group-IB Graph Network Analysis ###### Apart from that, the files were uploaded to a public resource: bazaar.abuse[.]ch. The file names and the tags attached refer to the Buer loader. ----- [52a6dbf3146fabb1cd1](https://bazaar.abuse.ch/sample/522a42c27449aba54fa539f28082f1ddc2e8e6ea4f3dd29141f702a5ad82e29f/) ca276ed9 file network communication ###### While monitoring the adversary infrastructure, we identified a batch of domains registered by the attackers between August 24 and September 12, 2020. Examples of such domains are presented below: ###### Domain name Registration date IP address code-cloud[1-6][.]co.za 08/24/2020 102.130.115.44 ----- ###### Domain name Registration date IP address google-document[.]co.za 08/24/2020 102.130.115.44 azure-cloud[1-4][.]co.za 09/04/2020 102.130.119.232 azure-cloud[1-3].web.za 09/04/2020 102.130.119.232 updateadobeonline[.]co.za 09/08/2020 102.130.115.44 updateforadobenew[.]co.za 09/09/2020 102.130.118.209 oneupdateadobe[1-4][.]co.za 09/09/2020 102.130.118.209 updateadobe[.]co.za 09/12/2020 102.130.121.74 The WHOIS records for these domains match the WHOIS records for those discovered previously in this campaign. On August 26, 2020, malicious files related to the domains code-cloud[1-6][.]co.za and google-document[.]co.za began appearing on public Similar WHOIS domain records ----- ###### ed5c20371bae393df0a713be72220b055e5cbdad). When the malicious code is executed, the file downloads the payload from http://google document[.]co.za/doc/loader.exe. Signature analysis showed that the downloaded file is a Smoke loader sample. SHA1: ed5c20371bae393df0 a713be72220b055e5cbdad file network communication established with the help of Group-IB Graph Network Analysis ----- and Smoke loader tag ###### The fact that the cybercriminals additionally use loaders in their campaigns could indicate that they are still searching for the most effective tools. ----- the Mephistophilus infrastructure and the 2019 and 2020 campaigns established with the help of GroupIB Graph Network Analysis Screenshot of a Mephistophilus decoy page ----- ###### Clicking on the "Download" plugin button downloads the Raccoon stealer file SHA1: bcfb45e5451435530156f1f02ddbb9cadf6338e9 from https://updateforadobenew[.]co.za/file_d/adobe-reader-v13.11.1.3.exe. Data from Group-IB Threat Hunting Framework Polygon MITRE ATT&CK matrix of the file analyzed ----- ###### on September 14, 2020 and the description contained the encrypted address of the active C&C server. At the time of writing, the channel is inactive again. blintick Telegram channel content #### Relation to FakeSecurity ###### This malicious campaign bears a striking resemblance to a series of FakeSecurity JS sniffer attacks described by Group-IB in November 2019. Past attacks targeted owners of online stores powered by Magento CMS. In the campaign described previously, the attackers also used such tools as the Vidar stealer and the Mephistophilus phishing kit, with an identical template for Adobe updates. In addition, the attackers used the same hosting service to register domains in both campaigns. In the 2020 campaign, the same attack vector was used and involved subsequent ----- ###### several online stores from bezco.quise1988@wp.pl and outtia.lene1985@wp.pl. A detailed analysis of the first-wave malware distribution via Mephistophilus phishing pages revealed a link between the domains involved in this campaign (in particular documents-cloud-server*[.]co.za) and the FakeSecurity campaign. During the 2020 campaign, phishing pages were available at the following URLs: List of domains with an identical structure ###### According to urlscan[.]io, more than 20 sites with a similar structure were discovered, but the one that stands out is alloaypparel[.]com. It was used in the FakeSecurity campaign. Since March 2020, Group-IB specialists have started detecting online store infections with a JS sniffer obfuscated by the aaencode algorithm (https://utf-8.jp/public/aaencode.html). The malware was loaded from get-js[.]com. WHOIS records similar to those used previously by this group were located at get-js[.]com: ● fiswedbesign[.]com ● alloaypparel[.]com ● firstofbanks[.]com ● magento-security[.]org it [ ] ----- Connection between FakeSecutiry infrastructure during the 2019 campaign and the domain getjs[.]com built with the help of Group-IB Graph Network Analysis Part of JS-sniffer code obfuscated with aaencode ----- ###### After deobfuscating it, Group-IB established that the malware used for infections was a modified version of the FakeSecurity JS-sniffer. Its distribution was analyzed in November 2019. Deobfuscated code of the FakeSecurity JSsniffer modified version ###### In May 2020, Group-IB discovered new infected online stores. Once again, the attackers used a modified FakeSecurity JS-sniffer obfuscated with aaencode. The malware was injected either by a link using a script tag or by modifying existing JavaScript files on the ----- ###### September 2020. The following domains were used to store the code and collect stolen bank card data during the new campaign: • cloud-js[.]co.za • host-js[.]co.za • magento-cloud[.]co.za • magento-js[.]co.za • magento-security[.]co.za • marketplace-magento[.]co.za • marketplacemagento[.]co.za • node-js[.]co.za • node-js[.]co.za • payment-js[.]co.za • security-js[.]co.za • web-js[.]co.za Created on April 24, 2020 (during the second wave), these domains were registered with the same registrars as those used to distribute the Vidar and Raccoon stealers and the Buer and Smoke loaders. The format of the links to the JS-sniffer files combined with the malware family type suggest that FakeSecurity JS-sniffer operators are behind the campaign to infect online stores. In addition, some domains involved in the campaign under investigation hosted a parked page labeled "test page", like the one hosted on FakeSecurity domains: • https://urlscan.io/result/0299b3e5-cbba-40be-adce-7ba437e4cb39/ microsoft cloud10[.]co.za • https://urlscan.io/result/8f244d1b-2186-4db5-9c52-6122584dafa9/ - documents cloud-server[.]co.za ----- parked pages on JSsniffer FakeSecurity's gate and domains in co.za zone ###### The evidence found indicates that the operators of the FakeSecurity JS-sniffer family are likely to be behind the multi-stage malicious campaign described above. According to our information, even though the group gains initial access using non-self-developed tools sold or rented on darknet forums, it continues to operate its exclusive JS-sniffer. Recommendations Below you can see attackers' TTPs and relevant mitigation and defense techniques in ----- ###### against and prevent cyberattacks. All the mitigation and defense techniques are implemented in Group-IB's products intended for the protection against cyberattacks at early stages. If you have any questions or suspect that you're being attacked email us at response@cert-gib.com. ----- ###### Lear more about Group-IB's Security Assessment, Threat Hunting Framework, Threat Intelligence & Attribution, Cyber Education, Red Teaming, Incident Response, and Fraud Hunting Platform on our website. ----- ### Indicators ##### Raccoon cloud-server-updater[.]co.za cloud-server-updater1[.]co.za cloud-server-updater2[.]co.za cloud-server-updater3[.]co.za cloud-server-updater4[.]co.za cloud-server-updater5[.]co.za cloud-server-updater6[.]co.za cloud-server-updater7[.]co.za cloud-server-updater8[.]co.za cloud-server-updater9[.]co.za cloud-server-updater10[.]co.za cloud-server-updater11[.]co.za cloud-server-updater12[.]co.za cloud-server-updater13[.]co.za cloud-server-updater14[.]co.za cloud-server-updater15[.]co.za cloud-server-updater16[.]co.za cloud-server-updater17[.]co.za cloud-server-updater18[.]co.za cloud-server-updater19[.]co.za cloud-server-updater20[.]co.za cloud-server-updater21[.]co.za cloud-server-updater22[.]co.za cloud-server-updater23[.]co.za cloud-server-updater24[.]co.za cloud-server-updater25[.]co.za cloud-server-updater26[.]co.za cloud-server-updater27[.]co.za cloud-server-updater28[.]co.za ----- 34.105.255[.]170 102.130.113[.]55 34.105.219[.]83 oneupdateadobe[.]co.za oneupdateadobe2[.]co.za oneupdateadobe3[.]co.za oneupdateadobe4[.]co.za updateforadobenew[.]co.za oneupdateadobe[.]org.za oneupdateadobe2[.]org.za oneupdateadobe3[.]org.za microsoft-cloud1[.]co.za microsoft-cloud6[.]co.za microsoft-cloud7[.]co.za microsoft-cloud8[.]co.za microsoft-cloud9[.]co.za microsoft-cloud10[.]co.za microsoft-cloud11[.]co.za microsoft-cloud12[.]co.za microsoft-cloud13[.]co.za microsoft-cloud14[.]co.za microsoft-cloud15[.]co.za cloudupdates[.]co.za ##### FakeSecurity cloud-js[.]co.za host-js[.]co.za magento-cloud[.]co.za magento-js[.]co.za magento-security[.]co.za marketplace-magento[.]co.za marketplacemagento[.]co.za node-js[.]co.za node-js[.]co.za payment-js[.]co.za security-js[.]co.za web-js[.]co.za ----- ##### Mephistophilus documents-cloud-server1[.]co.za documents-cloud-server2[.]co.za documents-cloud-server3[.]co.za documents-cloud-server4[.]co.za documents-cloud-server6[.]co.za documents-cloud-server7[.]co.za documents-cloud-server8[.]co.za documents-cloud-server9[.]co.za documents-cloud-server[.]co.za oneupdateadobe[.]co.za oneupdateadobe2[.]co.za oneupdateadobe3[.]co.za oneupdateadobe4[.]co.za updateforadobenew[.]co.za oneupdateadobe[.]org.za oneupdateadobe2[.]org.za oneupdateadobe3[.]org.za oneupdateadobe3[.]com ##### Vidar and other malicious domains badlandsparks.com gineuter.info paunsaugunt.com precambrianera.com biscayneinn.com msupdater[.]co.za cloudupdate[.]co.za cloudupdates[.]co.za securitycloudserver[.]co.za fastandprettycleaner[.]hk download-plugin[.]co.za download-plugins[.]co.za downloadplugins[.]co.za code-cloud1[.]co.za code-cloud2[.]co.za code-cloud3[.]co.za ----- code-cloud6[.]co.za google-document[.]co.za azure-cloud1[.]co.za azure-cloud2[.]co.za azure-cloud3[.]co.za azure-cloud4.]co.za azure-cloud1.web.za azure-cloud2.web.za azure-cloud3].web.za Updateadobeonline[.]co.za ###### Share ###### The Locking Egregor Analysis of TTPs employed by Egregor operators ###### Group-IB Fraud Hunting Platform Keeping user digital identity safe ###### Big Game Hunting: Now in Russia [Top Russian companies and](https://www.group-ib.com/blog/oldgremlin) banks under attack from OldGremlin ransomware operators ###### Massive malicious campaign by FakeSecurity JS- sniffer Malicious campaign conducted by operators of the FakeSecurity JS sniffer and targeting owners of online shops ----- ## Receive insights on the latest cybercrime trends ###### originating from Russia and Emerging Markets Email SUBSCRIBE -----