{
	"id": "679ea290-fe70-4d6d-8410-95893f5cfce4",
	"created_at": "2026-05-07T02:43:52.017014Z",
	"updated_at": "2026-05-07T02:44:10.944946Z",
	"deleted_at": null,
	"sha1_hash": "83070f8124b63879216b4522c1d2f848f3ff0673",
	"title": "The footprints of Raccoon",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7230404,
	"plain_text": "The footprints of Raccoon\r\nArchived: 2026-05-07 02:11:11 UTC\r\nIntroduction\r\nIn the summer of 2020, Group-IB specialists discovered a malware distribution campaign exploiting Telegram’s\r\nlegitimate features. Analysis showed that the attackers used the technique to distribute Raccoon stealer, i.e.\r\nmalware spread through the Malware-as-a-Service model on one of darknet forums. They, in particular, used\r\nTelegram channels in order to bypass blocking of active C\u0026C servers.\r\nRaccoon Stealer collects system information, account data, bank card data, and autofill form details from browsers\r\n(Google Chrome, Mozilla Firefox, Opera, etc.). What’s more, Raccoon Stealer scans the infected device for\r\ninformation about valid crypto wallets. If successful, it gains access to configuration files.\r\nAd of Raccoon stealer on one of underground forums (translation is provided below)\r\nTranslation\r\narrow_drop_down\r\nRaccoon Stealer. We steal, You deal!\r\nhttps://www.group-ib.com/blog/fakesecurity_raccoon\r\nPage 1 of 37\n\nOur team proudly presents the result of many months of work.\r\nStealing logs has never been so easy and straightforward and sorting them as never been so fast and comfortable.\r\nWe deal with all the frustrating, time-consuming, and tedious issues so that you can focus on what’s important:\r\nincreasing your revenue.\r\nForget about routing and maintaining servers, assembling builds, and other problems. We’ve gone automatic — all\r\nyou need is a few clicks.\r\nOur specialists work in three areas: software, front-end, and back-end. It helps us focus on specific goals and\r\nrelease a complete product.\r\nNew software:\r\nExclusive code. 
Unique build\r\nC/C++ stealer with enhanced performance\r\nExcellent signal for each entry; only some antivirus software detects Raccoon during dynamic testing\r\nRaccoon collects passwords, cookies, autofill data from all popular browsers (including FireFox x64), CC\r\ndata, system information, and almost all types of desktop crypto wallets\r\nEmbedded downloader\r\nCompatible with x32 and x64 operating systems regardless of .NET\r\nYou get an easy-to-encrypt Native x86 executable file\r\nPrivate key, gate address, and other string values are heavily encrypted\r\nDuring research, Group-IB Threat Intelligence experts established links with other elements of the threat actors’\r\ninfrastructure and recreated the malicious campaign timeline. The campaign was divided into four stages based on\r\nthe tools used (type of malware, registrars for creating infrastructure, etc.):\r\nFirst wave: February 19 to March 5, 2020\r\nSecond wave: March 13 to May 22, 2020\r\nThird wave: June 29 to July 2, 2020\r\nFourth wave: August 24 to September 12, 2020\r\nMost domains related to the investigated campaign were registered with two registrars: Cloud2m and Host\r\nAfrica. Cloud2m was used in earlier attacks. In mid-July 2020, some of these domains moved to Host Africa.\r\nTimeline of FakeSecurity’s malicious campaign from February to September 2020\r\nGroup-IB experts concluded that the purpose of the campaign in question was to steal payment and user data. The\r\nattackers used several attack vectors and tools to deliver the malware.\r\nIt was also discovered that in early 2020, before distributing the Raccoon stealer, the attackers had distributed\r\nsamples of another stealer called Vidar. 
To do so, they used attachments with malicious macros and phishing pages\r\ncreated with the Mephistophilus phishing kit.\r\nInfection pattern in the malicious campaigns of hacker group FakeSecurity\r\nThis malware distribution technique reminded Group-IB experts of the pattern used by FakeSecurity JS-sniffer\r\noperators during the campaign described in November 2019. Apart from having similar toolkits, both series of\r\nattacks targeted e-commerce. In May 2020, Group-IB identified online stores that had been infected with a\r\nmodified JS-sniffer of the FakeSecurity family. The JS-sniffer was obfuscated using the aaencode algorithm,\r\nwhile the domains used to store the code and collect stolen bank card data were registered during the second wave\r\nwith the same registrars as the domains that we discovered while investigating the malicious campaign. As such, it\r\ncan be assumed that FakeSecurity JS-sniffer operators were behind the stealer distribution campaign.\r\nDomain infrastructure of FakeSecurity’s malicious campaigns\r\nFirst wave\r\nThe first wave of domain registrations began in the co.za zone on February 19, 2020. The suspicious domains\r\ncontained the following keywords: cloud, document, and Microsoft. 
Examples of domains registered during the\r\nfirst wave are presented below:\r\nmsupdater[.]co.za 2020-02-19\r\ndocuments-cloud-server[.]co.za 2020-03-05\r\ncloudupdate[.]co.za 2020-02-21\r\nAs part of the campaign’s first wave, the initial compromise vectors used were: (i) mailings with attachments containing\r\nmalicious macros and (ii) phishing pages leading to malware downloads.\r\nDocuments with macros\r\nOn February 28, nine days after the first domain was registered, the file “Bank001.xlsm” (SHA1:\r\nb1799345152f0f11a0a573b91093a1867d64e119) was uploaded to VirusTotal via a US web interface.\r\nSHA1: b1799345152f0f11a0a573b91093a1867d64e119 lure document. The alert says: “SECURITY WARNING. Macros have been disabled.\r\n“Enable content”.”\r\nThe file is a lure document with malicious macros. When activated, it downloads a payload from\r\nhttp://cloudupdate.co[.]za/documents/msofficeupdate.exe.\r\nMalicious macros contained in the lure document, partially obfuscated in Base64\r\nAs a result, the file “msofficeupdate.exe” (SHA1: f3498ba783b9c8c84d754af8a687d2ff189615d9) is executed.\r\nThe C\u0026C server in this case is badlandsparks[.]com. This domain was registered on February 27, 2020 and is\r\nassociated with the IP address 185.244.149[.]100. More than 30 files connect to this domain alone.\r\nInfrastructure relating to the domain badlandsparks[.]com established with the help of Group-IB Graph Network\r\nAnalysis\r\nThese files include “13b7afe8ee87977ae34734812482ca7efd62b9b6” and\r\n“596a3cb4d82e6ab4d7223be640f614b0f7bd14af”. They create a network connection to gineuter[.]info,\r\nfastandprettycleaner[.]hk and badlandsparks[.]com. 
Judging by the requests they make to download libraries and\r\nopen source data, the file “msofficeupdate.exe” and others like it are samples of the Vidar stealer. Criminals use\r\nthe stealer to collect data from browsers (including web browsing history and account data), bank card data,\r\ncrypto wallet files, messages, and more.\r\nVidar stealer admin panel\r\nSHA1: 596a3cb4d82e6ab4d7223be640f614b0f7bd14af file network communication built with the help of Group-IB Graph Network Analysis\r\nA list of Vidar-specific HTTP requests and a detailed overview are available here:\r\n/ (i.e. 162) \u003c- Config\r\nip-api.com/line/ \u003c- Get Network Info\r\n/msvcp140.dll \u003c- Required DLL\r\n/nss3.dll \u003c- Required DLL\r\n/softokn3.dll \u003c- Required DLL\r\n/vcruntime140.dll \u003c- Required DLL\r\n/ \u003c- Pushing Victim Archive to C2\r\nThe file “BankStatement1.xlsm” (SHA1: c2f8d217877b1a28e4951286d3375212f8dc2335) is another lure\r\ndocument with malicious macros. When activated, it downloads the file from http://download-plugin[.]co.za/documents/msofficeupdate.exe.\r\nThe downloaded file (SHA1: 430a406f2134b48908363e473dd6da11a172a7e1) is also a Vidar stealer. The file was\r\navailable for download here:\r\nhttp://download-plugin.co[.]za/documents/msofficeupdate.exe\r\nhttp://msupdater.co[.]za/documents/msofficeupdate.exe\r\nhttp://cloudupdate.co[.]za/documents/msofficeupdate.exe\r\nExample of 430a406f2134b48908363e473dd6da11a172a7e1 file availability from different sources\r\nMephistophilus phishing kit\r\nThe second attack vector during the first wave was the use of phishing pages to distribute malware.\r\nIt turned out that the discovered domains (msupdater[.]co.za, cloudupdate[.]co.za and documents-cloud-server[.]co.za) had the same A record created at the same time: 160.119.253[.]53. 
According to Group-IB’s Graph\r\nNetwork Analysis, documents-cloud-server[.]co.za contained the Mephistophilus phishing kit.\r\nLinks between domains under review established with the help of Group-IB Graph Network Analysis\r\nFrom the start, Mephistophilus has been presented as a system for targeted phishing attacks. This phishing kit\r\ncontains several fake web page templates for delivering the payload, including:\r\nMicrosoft Office 365, Word, and Excel online viewers\r\nPDF online viewer\r\nYouTube phishing page\r\nMephistophilus admin panel\r\nFake Adobe Reader update window\r\nThe documents-cloud-server[.]co.za domain contains a fake web page imitating an Adobe Reader plugin update page.\r\nTo continue viewing the document, the user is asked to download a plugin. By clicking on “Download plugin,” the\r\nuser activates a malware download from http://www.documents-cloud-server[.]co.za/file_d/adobe-reader-update-10.21.01.exe. Source code of the phishing content is available here.\r\nA file with the same name “adobe-reader-update-10.21.01.exe” (SHA1:\r\nf33c1f0930231fe6f5d0f00978188857cbb0e90d) was first uploaded to VirusTotal on March 13, 2020. 
It was\r\navailable for download here:\r\nhttp://documents-cloud-server5[.]co.za/file_d/adobe-reader-update-10.21.01.exe\r\nhttp://documents-cloud-server1[.]co.za/file_d/adobe-reader-update-10.21.01.exe\r\nhttp://www.documents-cloud-server9[.]co.za/file_d/adobe-reader-update-10.21.01.exe\r\nhttp://documents-cloud-server8[.]co.za/file_d/adobe-reader-update-10.21.01.exe\r\nExample of f33c1f0930231fe6f5d0f00978188857cbb0e90d file availability from different sources\r\nAnother file named “msofficeupdater.exe” (SHA1: bdfefdff7b755a89d60de22309da72b82df70ecb) was available\r\nfor download here:\r\nhttp://www.documents-cloud-server7[.]co.za/doc/msofficeupdater.exe\r\nhttp://documents-cloud-server5[.]co.za/doc/msofficeupdater.exe\r\nhttp://documents-cloud-server7[.]co.za/doc/msofficeupdater.exe\r\nhttp://www.documents-cloud-server6[.]co.za/doc/msofficeupdater.exe\r\nhttp://documents-cloud-server1[.]co.za/doc/msofficeupdater.exe\r\nhttp://documents-cloud-server6[.]co.za/doc/msofficeupdater.exe\r\nhttp://www.documents-cloud-server5[.]co.za/doc/msofficeupdater.exe\r\nhttp://www.documents-cloud-server1[.]co.za/doc/msofficeupdater.exe\r\nExample of bdfefdff7b755a89d60de22309da72b82df70ecb file availability from different sources\r\nSecond wave\r\nThe domains associated with the file SHA1: bdfefdff7b755a89d60de22309da72b82df70ecb led us to another\r\nbatch of domains related to the attackers’ infrastructure. The domains were registered in two stages: the first batch\r\non March 13, 2020 and the second one on May 22, 2020. 
Examples of second-wave domains:\r\nBatch 1 (March 13, 2020):\r\ncloud-server-updater[.]co.za\r\ncloud-server-updater1[.]co.za\r\ncloud-server-updater15[.]co.za\r\ncloud-server-updater16[.]co.za\r\nBatch 2 (May 22, 2020):\r\ncloud-server-updater17[.]co.za\r\ncloud-server-updater18[.]co.za\r\ncloud-server-updater27[.]co.za\r\ncloud-server-updater28[.]co.za\r\nThese domains were created to distribute the Raccoon stealer. It is possible to establish the connection between\r\nthese domain batches by looking at the files SHA1: b326f9a6d6087f10ef3a9f554a874243f000549d and SHA1:\r\nF2B2F74F4572BF8BD2D948B34147FFE303F92A0F. When executed, these files establish a network\r\nconnection to:\r\ncloudupdates[.]co.za\r\ncloud-server-updater2[.]co.za\r\ncloud-server-updater19[.]co.za\r\nb326f9a6d6087f10ef3a9f554a874243f000549d file network communication established with the help of Group-IB\r\nGraph Network Analysis\r\nAbout 50 malicious files from public sources are related to the domain cloudupdates[.]co.za. Their first uploads\r\ndate back to April 30, 2020, and the domain name is similar to the previously discovered cloudupdate.co[.]za. Besides\r\nhaving a similar domain name, it was registered through the Cloud2m registrar and uses the name servers ns1.host-ww.net and ns2.host-ww.net, as do msupdater[.]co.za and cloudupdate[.]co.za.\r\nWHOIS records data from three domains\r\nAbout 300 files from public sandboxes are associated with all the second-wave domains. All these files are lure\r\ndocuments containing malicious macros named “MyBankStatement_2436.xlsm”, “MyBankStatement_3269.xlsm”,\r\n“MyBankStatement_5763.xlsm”, etc.\r\n6685955C5F006C2D83A92952EB5EB3FB9598C783 lure document sample\r\nOne of these files is “MyBank_5710.xlsm” (SHA1: 6685955C5F006C2D83A92952EB5EB3FB9598C783). After\r\nactivating the macros in this document, a file was downloaded from http://cloud-server-updater22[.]co.za/doc/officebuilder. 
This file with SHA1: 3657CF5F2142C7E30F72E231E87518B82710DC1C is\r\na Raccoon stealer. It connects to the C\u0026C server (35.228.95[.]80) to exfiltrate the collected information, using\r\nGoogle’s infrastructure to legitimize requests. In turn, Raccoon makes a network connection to http://cloud-server-updater1[.]co.za/doc/officeupdate.exe and downloads the AveMaria RAT (SHA1:\r\na10925364347bde843a1d4105dddf4a4eb88c746), with the C\u0026C server located at the IP address\r\n102.130.118[.]152.\r\nAveMaria is a RAT which was discovered by cybersecurity researchers in late 2018, when it was used to attack an\r\nItalian oil and gas company. The RAT is capable of:\r\nPrivilege escalation\r\nEnsuring persistence in the infected system\r\nInjecting code\r\nKeylogging\r\nGaining access to the web camera\r\nManaging processes\r\nManaging files (creation, download, exfiltration, deletion)\r\nRDP using rdpwrap\r\nInfo-stealer support:\r\nGoogle Chrome\r\nFirefox\r\nInternet Explorer\r\nOutlook\r\nThunderbird\r\nFoxmail\r\n6685955C5F006C2D83A92952EB5EB3FB9598C783 execution sequence\r\nWhen running, Raccoon makes the following network requests:\r\n3657CF5F2142C7E30F72E231E87518B82710DC1C network requests\r\nAmong these network requests, there is a connection to the blintick Telegram channel. Telegram was used by\r\nRaccoon’s creators to bypass blocking of the C\u0026C servers. To this end, the stealer makes a request to the\r\nTelegram channel and receives the encrypted address of the new C\u0026C server from the channel description. The first\r\nsamples using this technique began appearing on VirusTotal in late May 2020.\r\nMessages from the designers of the Raccoon stealer\r\nTranslation\r\nThe gate system has been updated. We have completely changed the traditional scheme. Detection decreases,\r\nkeepalives increase. 
Build has been updated. The screenshot format has been changed to jpeg. Thanks for your\r\nfeedback and support!\r\nblintick Telegram channel and its description\r\nAlthough the Raccoon stealer is distributed according to the MaaS model, all files distributed during the\r\nsecond wave accessed the same Telegram channel. This suggests that the documents with malicious macros\r\ndownloading Raccoon were distributed by the same group.\r\nThird wave\r\nThe third wave of domain registration began on June 29, 2020:\r\nmicrosoft-cloud1[.]co.za\r\nmicrosoft-cloud6[.]co.za\r\nmicrosoft-cloud7[.]co.za\r\nmicrosoft-cloud8[.]co.za\r\nmicrosoft-cloud9[.]co.za\r\nmicrosoft-cloud10[.]co.za\r\nmicrosoft-cloud11[.]co.za\r\nmicrosoft-cloud12[.]co.za\r\nmicrosoft-cloud13[.]co.za\r\nmicrosoft-cloud14[.]co.za\r\nmicrosoft-cloud15[.]co.za\r\nAll registered domains pointed to the IP address 102.130.112[.]195. The first malicious files associated with this\r\nwave began to appear in public sandboxes as early as July 2, 2020. The names of these decoys are almost the same\r\nas the names of the files sent in the past: BankStatement0109_13169.xlsm, My_Statement_4211.xlsm, and so on.\r\nThere are about 30 files associated with these domains and with cloud-server-updater1[.]co.za.\r\nNetwork infrastructure: file connections with domains involved in two waves established with the help of Group-IB Graph Network Analysis\r\nThe lure documents used as part of this wave look identical to the previous ones. Judging by their behavior after\r\nmacros are activated, they were created by the same builder. 
Such builders make it possible to create office\r\ndocuments with malicious macros based on templates, which helps attackers distribute malicious files much faster\r\nand more efficiently.\r\n618C894C06633E3D7ADD228531F6E775A180A7F7 lure document sample\r\nUpon activating macros, the file “My_Statement_1953.xlsm” (SHA1:\r\n618C894C06633E3D7ADD228531F6E775A180A7F7) sends a request to download the stealer file\r\nhttp://microsoft-cloud13[.]co.za/msofficeupdate.exe. The Raccoon stealer file (SHA1:\r\n6639081791A8909F042E4A4197DF7051382B04E5) makes a series of requests to its C\u0026C server\r\n(35.198.88[.]195) and tries to download the file http://cloud-server-updater1[.]co.za/doc/officeupdate.exe, but\r\nreceives an HTTP 302 response and is redirected to http://cloud-server-updater1[.]co.za/cgi-sys/suspendedpage.cgi\r\nbecause the original domain is blocked. It seems that the sample was trying to download the AveMaria RAT as before.\r\nIn addition, all files related to this campaign made various network requests, including those to the Telegram\r\nchannel https://telete.in/blintick.\r\n6639081791A8909F042E4A4197DF7051382B04E5 Raccoon stealer network communication\r\nUsing loaders\r\nDuring this campaign, the attackers also experimented with various loaders. While analyzing the\r\ninfrastructure, we discovered the Buer and Smoke loaders.\r\nOn April 30, 2020, an XLS document (SHA1: 6c6680659b09d18ccab0f933daf5bf1910168b1a) was uploaded to\r\nVirusTotal. 
When the malicious code is executed, it downloads the payload from http://cloud-server-updater2.co[.]za/doc/buer.exe.\r\nSHA1: 6c6680659b09d18ccab0f933daf5bf1910168b1a file network communication established with the help of\r\nGroup-IB Graph Network Analysis\r\nApart from that, the files were uploaded to a public resource: bazaar.abuse[.]ch.\r\nThe file names and the tags attached refer to the Buer loader.\r\nWhile monitoring the adversary infrastructure, we identified a batch of domains registered by the attackers\r\nbetween August 24 and September 12, 2020. Examples of such domains are presented below:\r\nDomain name / Registration date / IP address\r\ncode-cloud[1-6][.]co.za 08/24/2020 102.130.115[.]44\r\ngoogle-document[.]co.za 08/24/2020 102.130.115[.]44\r\nazure-cloud[1-4][.]co.za 09/04/2020 102.130.119[.]232\r\nazure-cloud[1-3][.]web.za 09/04/2020 102.130.119[.]232\r\nupdateadobeonline[.]co.za 09/08/2020 102.130.115[.]44\r\nupdateforadobenew[.]co.za 09/09/2020 102.130.118[.]209\r\noneupdateadobe[1-4][.]co.za 09/09/2020 102.130.118[.]209\r\nupdateadobe[.]co.za 09/12/2020 102.130.121[.]74\r\nSimilar WHOIS domain records\r\nThe WHOIS records for these domains match the WHOIS records for those discovered previously in this\r\ncampaign. On August 26, 2020, malicious files related to the domains code-cloud[1-6][.]co.za and google-document[.]co.za began appearing on public resources. One of these files is “BankStatement_1390868739.doc”\r\n(SHA1: ed5c20371bae393df0a713be72220b055e5cbdad).\r\nSHA1: ed5c20371bae393df0a713be72220b055e5cbdad file network communication established with the help of\r\nGroup-IB Graph Network Analysis\r\nWhen the malicious code is executed, the file downloads the payload from http://google-document[.]co.za/doc/loader.exe. 
Signature analysis showed that the downloaded file is a Smoke loader sample.\r\n“loader.exe” file analysis and Smoke loader tag\r\nThe fact that the cybercriminals additionally use loaders in their campaigns could indicate that they are\r\nstill searching for the most effective tools.\r\nFourth wave\r\nSome of the domains registered in early September 2020 mimicked Adobe in their names. From September 14,\r\n2020, Group-IB experts found Mephistophilus with an identical pattern on these hosts, just like during the first\r\nwave.\r\nConnection between the Mephistophilus infrastructure and the 2019 and 2020 campaigns established with the help\r\nof Group-IB Graph Network Analysis\r\nScreenshot of a Mephistophilus decoy page\r\nClicking on the “Download plugin” button downloads the Raccoon stealer file SHA1:\r\nbcfb45e5451435530156f1f02ddbb9cadf6338e9 from https://updateforadobenew[.]co.za/file_d/adobe-reader-v13.11.1.3.exe.\r\nData from Group-IB Managed XDR Polygon\r\nMITRE ATT\u0026CK matrix of the file analyzed\r\nNote: Around mid-July 2020, the attackers deleted their Telegram channel. It was restored on September 14, 2020,\r\nand the description contained the encrypted address of the active C\u0026C server. At the time of writing, the channel\r\nis inactive again.\r\nblintick Telegram channel content\r\nRelation to FakeSecurity\r\nThis malicious campaign bears a striking resemblance to a series of FakeSecurity JS-sniffer attacks\r\ndescribed by Group-IB in November 2019. Past attacks targeted owners of online stores powered by Magento\r\nCMS. 
In the campaign described previously, the attackers also used such tools as the Vidar stealer and the\r\nMephistophilus phishing kit, with an identical template for Adobe updates. In addition, the attackers used the same\r\nhosting service to register domains in both campaigns.\r\nIn the 2020 campaign, the same attack vector was used and involved subsequent distribution of the\r\nRaccoon stealer. In addition, the investigation revealed messages sent to several online stores from\r\nbezco.quise1988@wp.pl and outtia.lene1985@wp.pl.\r\nA detailed analysis of the first-wave malware distribution via Mephistophilus phishing pages revealed a link\r\nbetween the domains involved in this campaign (in particular documents-cloud-server*[.]co.za) and the\r\nFakeSecurity campaign. During the 2020 campaign, phishing pages were available at the following URLs:\r\nList of domains with an identical structure\r\nAccording to urlscan[.]io, more than 20 sites with a similar structure were discovered, but the one that stands out\r\nis alloaypparel[.]com. It was used in the FakeSecurity campaign.\r\nSince March 2020, Group-IB specialists have been detecting online store infections with a JS-sniffer obfuscated\r\nby the aaencode algorithm (https://utf-8.jp/public/aaencode.html). 
The malware was loaded from get-js[.]com.\r\nThe WHOIS records of get-js[.]com are similar to those of the domains used previously by this group:\r\nfiswedbesign[.]com\r\nalloaypparel[.]com\r\nfirstofbanks[.]com\r\nmagento-security[.]org\r\nmage-security[.]org\r\nConnection between FakeSecurity infrastructure during the 2019 campaign and the domain get-js[.]com built with\r\nthe help of Group-IB Graph Network Analysis\r\nPart of the JS-sniffer code obfuscated with aaencode\r\nAfter deobfuscating it, Group-IB established that the malware used for infections was a modified version of\r\nthe FakeSecurity JS-sniffer. Its distribution was analyzed in November 2019.\r\nDeobfuscated code of the modified FakeSecurity JS-sniffer version\r\nIn May 2020, Group-IB discovered new infected online stores. Once again, the attackers used a modified\r\nFakeSecurity JS-sniffer obfuscated with aaencode. The malware was injected either by a link using a script tag or\r\nby modifying existing JavaScript files on the site. The JS-sniffer was used to compromise over 20 online stores\r\nbetween May and September 2020. 
The following domains were used to store the code and collect stolen bank\r\ncard data during the new campaign:\r\ncloud-js[.]co.za\r\nhost-js[.]co.za\r\nmagento-cloud[.]co.za\r\nmagento-js[.]co.za\r\nmagento-security[.]co.za\r\nmarketplace-magento[.]co.za\r\nmarketplacemagento[.]co.za\r\nnode-js[.]co.za\r\npayment-js[.]co.za\r\nsecurity-js[.]co.za\r\nweb-js[.]co.za\r\nCreated on April 24, 2020 (during the second wave), these domains were registered with the same registrars as\r\nthose used to distribute the Vidar and Raccoon stealers and the Buer and Smoke loaders.\r\nThe format of the links to the JS-sniffer files combined with the malware family type suggests that\r\nFakeSecurity JS-sniffer operators are behind the campaign to infect online stores.\r\nIn addition, some domains involved in the campaign under investigation hosted a parked page labeled “test page”,\r\nlike the one hosted on FakeSecurity domains:\r\nhttps://urlscan.io/result/0299b3e5-cbba-40be-adce-7ba437e4cb39/ – microsoft-cloud10[.]co.za\r\nhttps://urlscan.io/result/8f244d1b-2186-4db5-9c52-6122584dafa9/ – documents-cloud-server[.]co.za\r\nExamples of similar parked pages on the FakeSecurity JS-sniffer gate and on domains in the co.za zone\r\nThe evidence found indicates that the operators of the FakeSecurity JS-sniffer family are likely to be\r\nbehind the multi-stage malicious campaign described above. 
According to our information, even though the\r\ngroup gains initial access using non-self-developed tools sold or rented on darknet forums, it continues to operate\r\nits exclusive JS-sniffer.\r\nRecommendations\r\nBelow you can see the attackers’ TTPs and the relevant mitigation and defense techniques, in accordance with MITRE\r\nATT\u0026CK and MITRE Shield, that we recommend using to protect against and prevent cyberattacks.\r\nAll the mitigation and defense techniques are implemented in Group-IB’s products intended for protection\r\nagainst cyberattacks at early stages. If you have any questions or suspect that you’re being attacked, email us at\r\nresponse@cert-gib.com.\r\nIndicators\r\nRaccoon\r\ncloud-server-updater[.]co.za\r\ncloud-server-updater1[.]co.za\r\ncloud-server-updater2[.]co.za\r\ncloud-server-updater3[.]co.za\r\ncloud-server-updater4[.]co.za\r\ncloud-server-updater5[.]co.za\r\ncloud-server-updater6[.]co.za\r\ncloud-server-updater7[.]co.za\r\ncloud-server-updater8[.]co.za\r\ncloud-server-updater9[.]co.za\r\ncloud-server-updater10[.]co.za\r\ncloud-server-updater11[.]co.za\r\ncloud-server-updater12[.]co.za\r\ncloud-server-updater13[.]co.za\r\ncloud-server-updater14[.]co.za\r\ncloud-server-updater15[.]co.za\r\ncloud-server-updater16[.]co.za\r\ncloud-server-updater17[.]co.za\r\ncloud-server-updater18[.]co.za\r\ncloud-server-updater19[.]co.za\r\ncloud-server-updater20[.]co.za\r\ncloud-server-updater21[.]co.za\r\ncloud-server-updater22[.]co.za\r\ncloud-server-updater23[.]co.za\r\ncloud-server-updater24[.]co.za\r\ncloud-server-updater25[.]co.za\r\ncloud-server-updater26[.]co.za\r\ncloud-server-updater27[.]co.za\r\ncloud-server-updater28[.]co.za\r\n35.228.95[.]80\r\n35.198.88[.]195\r\n34.105.255[.]170\r\n102.130.113[.]55\r\n34.105.219[.]83\r\noneupdateadobe[.]co.za\r\noneupdateadobe2[.]co.za\r\noneupdateadobe3[.]co.za\r\noneupdateadobe4[.]co.za\r\nupdateforadobenew[.]co.za\r\noneupdateadobe[.]org.za\r\noneupdateadobe2[.]org.za\r\noneupdateadobe3[.]org.za\r\nmicrosoft-cloud1[.]co.za\r\nmicrosoft-cloud6[.]co.za\r\nmicrosoft-cloud7[.]co.za\r\nmicrosoft-cloud8[.]co.za\r\nmicrosoft-cloud9[.]co.za\r\nmicrosoft-cloud10[.]co.za\r\nmicrosoft-cloud11[.]co.za\r\nmicrosoft-cloud12[.]co.za\r\nmicrosoft-cloud13[.]co.za\r\nmicrosoft-cloud14[.]co.za\r\nmicrosoft-cloud15[.]co.za\r\ncloudupdates[.]co.za\r\nFakeSecurity\r\ncloud-js[.]co.za\r\nhost-js[.]co.za\r\nmagento-cloud[.]co.za\r\nmagento-js[.]co.za\r\nmagento-security[.]co.za\r\nmarketplace-magento[.]co.za\r\nmarketplacemagento[.]co.za\r\nnode-js[.]co.za\r\npayment-js[.]co.za\r\nsecurity-js[.]co.za\r\nweb-js[.]co.za\r\nMephistophilus\r\ndocuments-cloud-server1[.]co.za\r\ndocuments-cloud-server2[.]co.za\r\ndocuments-cloud-server3[.]co.za\r\ndocuments-cloud-server4[.]co.za\r\ndocuments-cloud-server6[.]co.za\r\ndocuments-cloud-server7[.]co.za\r\ndocuments-cloud-server8[.]co.za\r\ndocuments-cloud-server9[.]co.za\r\ndocuments-cloud-server[.]co.za\r\noneupdateadobe[.]co.za\r\noneupdateadobe2[.]co.za\r\noneupdateadobe3[.]co.za\r\noneupdateadobe4[.]co.za\r\nupdateforadobenew[.]co.za\r\noneupdateadobe[.]org.za\r\noneupdateadobe2[.]org.za\r\noneupdateadobe3[.]org.za\r\noneupdateadobe3[.]com\r\nVidar and other malicious domains\r\nbadlandsparks[.]com\r\ngineuter[.]info\r\npaunsaugunt[.]com\r\nprecambrianera[.]com\r\nbiscayneinn[.]com\r\nmsupdater[.]co.za\r\ncloudupdate[.]co.za\r\ncloudupdates[.]co.za\r\nsecuritycloudserver[.]co.za\r\nfastandprettycleaner[.]hk\r\ndownload-plugin[.]co.za\r\ndownload-plugins[.]co.za\r\ndownloadplugins[.]co.za\r\ncode-cloud1[.]co.za\r\ncode-cloud2[.]co.za\r\ncode-cloud3[.]co.za\r\ncode-cloud4[.]co.za\r\ncode-cloud5[.]co.za\r\ncode-cloud6[.]co.za\r\ngoogle-document[.]co.za\r\nazure-cloud1[.]co.za\r\nazure-cloud2[.]co.za\r\nazure-cloud3[.]co.za\r\nazure-cloud4[.]co.za\r\nazure-cloud1[.]web.za\r\nazure-cloud2[.]web.za\r\nazure-cloud3[.]web.za\r\nupdateadobeonline[.]co.za\r\nSource: https://www.group-ib.com/blog/fakesecurity_raccoon",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/fakesecurity_raccoon"
	],
	"report_names": [
		"fakesecurity_raccoon"
	],
	"threat_actors": [],
	"ts_created_at": 1778121832,
	"ts_updated_at": 1778121850,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/83070f8124b63879216b4522c1d2f848f3ff0673.pdf",
		"text": "https://archive.orkl.eu/83070f8124b63879216b4522c1d2f848f3ff0673.txt",
		"img": "https://archive.orkl.eu/83070f8124b63879216b4522c1d2f848f3ff0673.jpg"
	}
}