# Raccoon Stealer: “Trash panda” abuses Telegram **decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram** by [Vladimir MartyanovMarch 9, 20227 min read](https://decoded.avast.io/author/vladimirmartyanov/) March 9, 2022 We recently came across a stealer, called `Raccoon Stealer, a name given to it by its author. Raccoon Stealer uses the` `Telegram` infrastructure to store and update actual `C&C addresses.` Raccoon Stealer is a password stealer capable of stealing not just passwords, but various types of data, including: Cookies, saved logins and forms data from browsers Login credentials from email clients and messengers Files from crypto wallets Data from browser plugins and extension Arbitrary files based on commands from C&C In addition, it’s able to download and execute arbitrary files by command from its C&C. In combination with active development and promotion on underground forums, Raccoon Stealer is prevalent and dangerous. The oldest samples of Raccoon Stealer we’ve seen have timestamps from the `end of April 2019 . Its authors have stated the same` month as the start of selling the malware on underground forums. Since then, it has been updated many times. According to its authors, they fixed bugs, added features, and more. ## Distribution We’ve seen Raccoon distributed via downloaders: `Buer Loader and` `GCleaner . According to some samples, we believe it is also being` distributed in the form of `fake game cheats,` `patches for cracked software (including hacks and mods for` `Fortnite,` `Valorant,` and `NBA2K22 ), or other software. Taking into account that Raccoon Stealer is for sale, it’s distribution techniques are limited only by the` imagination of the end buyers. Some samples are spread unpacked, while some are protected using `Themida or malware packers. Worth` [noting is that some samples were packed more than five times in a row with the same packer!](https://twitter.com/AvastThreatLabs/status/1420372556142432257) ## Technical details Raccoon Stealer is written in `C/C++ and built using` `Visual Studio . Samples have a size of about` `580-600 kB . The code quality is` below average, some strings are encrypted, some are not. Once executed, Racoon Stealer starts checking for the default user locale set on the infected device and won’t work if it’s one of the following: Russian Ukrainian Belarusian Kazakh Kyrgyz Armenian Tajik Uzbek ## C&C communications The most interesting thing about this stealer is its communication with C&Cs. There are four values crucial for its C&C communication, which are hardcoded in every Raccoon Stealer sample: ----- `_` s a ue as bee c a ged ou t es du g t e yea ``` URLs of Telegram gates with channel name. Gates are used not to implement a complicated Telegram protocol and not to store any ``` credentials inside samples ``` BotID – hexadecimal string, sent to the C&C every time TELEGRAM_KEY – a key to decrypt the C&C address obtained from Telegram Gate ``` Let’s look at an example to see how it works: ``` 447c03cc63a420c07875132d35ef027adec98e7bd446cf4f7c9d45b6af40ea2b unpacked to: f1cfcce14739887cc7c082d44316e955841e4559ba62415e1d2c9ed57d0c6232 : ``` 1. First of all, `MAIN_KEY is decrypted. See the decryption code in the image below:` In this example, the `MAIN_KEY is` `jY1aN3zZ2j . This key is used to decrypt Telegram Gates` `URLs and` `BotID .` 1. This example decodes and decrypts Telegram Gate URLs. It is stored in the sample as: ``` Rf66cjXWSDBo1vlrnxFnlmWs5Hi29V1kU8o8g8VtcKby7dXlgh1EIweq4Q9e3PZJl3bZKVJok2GgpA90j35LVd34QAiXtpeV2UZQS5VrcO7UWo0E1J ``` After decoding Base64 it has this form: Decrypting this binary data with `RC4 using` `MAIN_KEY gives us a string with Telegram Gates:` 1. The stealer has to get it’s real C&C. To do so, it requests a Telegram Gate, which returns an HTML-page: ----- Here you can see a Telegram channel name and its status in Base64: `e74b2mD/ry6GYdwNuXl10SYoVBR7/tFgp2f-v32` The prefix (always five characters) and postfix (always six characters) are removed and it becomes `mD/ry6GYdwNuXl10SYoVBR7/tFgp The` Base64 is then decoded to obtain an encrypted C&C URL: The `TELEGRAM_KEY in this sample is a string` `739b4887457d3ffa7b811ce0d03315ce and the Raccoon uses it as a key to` `RC4 algorithm` to finally decrypt the C&C URL: `http://91.219.236[.]18/` 1. Raccoon makes a query string with PC information (machine GUID and user name), and `BotID` 2. Query string is encrypted with `RC4 using a` `MAIN_KEY and then encoded with Base64.` 3. This data is sent using POST to the C&C, and the response is encoded with Base64 and encrypted with the `MAIN_KEY . Actually, it’s a` JSON with a lot of parameters and it looks like this: Thus, the Telegram infrastructure is used to store and update actual C&C addresses. It looks quite convenient and reliable until Telegram decides to take action. ## Analysis The people behind Raccoon Stealer Based on our analysis of seller messages on underground forums, we can deduce some information about the people behind the malware. Raccoon Stealer was developed by a team, some (or maybe all) members of the team are Russian native speakers. Messages on the forum are written in Russian, and we assume they are from former USSR countries because they try to prevent the Stealer from targeting users in these countries. Possible names/nicknames of group members may be supposed based on the analysis of artifacts, found in samples: ``` C:\Users\a13xuiop1337\ C:\Users\David\ ## Prevalence ``` ----- accoo Stea e s qu te p e a e t o `a c` `3,` `0` `eb ua y` `,` `0` ou syste s detected `o e t a` `5,000` accoo related samples. We identified `more than 1,300 distinct configs during that period.` Here is a map, showing the number of systems Avast protected from Raccoon Stealer from `March 3, 2021 - February 17, 2022 . In this` time frame, Avast protected nearly `600,000 Raccoon Stealer attacks.` The country where we have blocked the most attempts is Russia, which is interesting because the actors behind the malware don’t want to infect computers in Russia or Central Asia. We believe the attacks spray and pray, distributing the malware around the world. It’s not until it makes it onto a system that it begins checking for the default locale. If it is one of the language listed above, it won’t run. This explains why we detected so many attack attempts in Russia, we block the malware before it can run, ie. before it can even get to the stage where it checks for the device’s locale. If an unprotected device that comes across the malware with its locale set to English or any other language that is not on the exception list but is in Russia, it would stiIl become infected. Screenshot with claims about not working with CIS ----- ## Telegram Channels From the more than 1,300 distinct configs we extracted, 429 of them are unique Telegram channels. Some of them were used only in a single config, others were used dozens of times. The most used channels were: ``` jdiamond13 – 122 times jjbadb0y – 44 times nixsmasterbaks2 – 31 times hellobyegain – 25 times ``` `h_smurf1kman_1` – 24 times Thus, five of the most used channels were found in about `19% of configs.` ## Malware distributed by Raccoon As was previously mentioned, Raccoon Stealer is able to download and execute arbitrary files from a command from C&C. We managed to collect some of these files. We collected `185 files, with a total size` `265 Mb, and some of the groups are:` ``` Downloaders – used to download and execute other files Clipboard crypto stealers – change crypto wallet addresses in the clipboard – very popular (more than 10%) WhiteBlackCrypt Ransomware ### Servers used to download this software ``` We extracted unique links to other malware from Raccoon configs received from C&Cs, it was `196 unique URLs . Some analysis results:` `43%` of URLs have `HTTP scheme,` `57% –` `HTTPS .` ``` 83 domain names were used. ``` About `20% of malware were placed on` `Discord CDN` About `10% were served from` `aun3xk17k[.]space` ## Conclusion We will continue to monitor Raccoon Stealer’s activity, keeping an eye on new C&Cs, Telegram channels, and downloaded samples. We predict it may be used wider by other cybercrime groups. We assume the group behind Raccoon Stealer will further develop new features, including new software to steal data from, for example, as well as bypass protection this software has in place. ## IoC ``` 447c03cc63a420c07875132d35ef027adec98e7bd446cf4f7c9d45b6af40ea2b f1cfcce14739887cc7c082d44316e955841e4559ba62415e1d2c9ed57d0c6232 ``` [Tagged asmalware,](https://decoded.avast.io/tag/malware/) [Malware Analysis,](https://decoded.avast.io/tag/malware-analysis/) [Racoon,](https://decoded.avast.io/tag/racoon/) [reversing,](https://decoded.avast.io/tag/reversing/) [stealer,](https://decoded.avast.io/tag/stealer/) [telegram,](https://decoded.avast.io/tag/telegram/) [trash panda](https://decoded.avast.io/tag/trash-panda/) -----