The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer

07.12.2020

The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer

Nikita Rostovcev

Threat Intelligence & Attribution analyst at Group-IB

Introduction

In the summer of 2020, Group-IB specialists discovered a malware distribution campaign exploiting Telegram's legitimate features. Analysis showed that the attackers used the technique to distribute Raccoon stealer, i.e. malware spread through the Malware-as-a-Service model on one of darknet forums. They, in particular, used Telegram channels in order to bypass blocking of active C&C servers.

Raccoon Stealer collects system information, account data, bank card data, and autofill form details from browsers (Google Chrome, Mozilla Firefox, Opera, etc.). What's more, Raccoon Stealer scans the infected device for information about valid crypto wallets. If successful, it gains access to configuration files.

Ad of Raccoon stealer on one of underground forums (translation is provided below)

Translation:
Raccoon Stealer. We steal, You deal!
Our team proudly presents the result of many months of work.
Stealing logs has never been so easy and straightforward and sorting them as never been so fast and comfortable. We deal with all the frustrating, time-consuming, and tedious issues so that you can focus on what's important: increasing your revenue.
Forget about routing and maintaining servers, assembling builds, and other problems. We've gone automatic — all you need is a few clicks.
Our specialists work in three areas: software, front-end, and back-end. It helps us focus on specific goals and release a complete product.
New software:

Exclusive code. Unique build
C/C++ stealer with enhanced performance
Excellent signal for each entry; only some antivirus software detects Raccoon during dynamic testing
Raccoon collects passwords, cookies, autofill data from all popular browsers (including FireFox x64), CC data, system information, and almost all types of desktop crypto wallets
Embedded downloader
Compatible with x32 and x64 operating systems regardless of .NET
You get an easy-to-encrypt Native x86 executable file
Private key, gate address, and other string values are heavily encrypted

During research, Group-IB Threat Intelligence & Attribution experts established links with other elements of the threat actors' infrastructure and recreated the malicious campaign timeline. The campaign was divided into four stages based on the tools used (type of malware, registrars for creating infrastructure, etc.):

● First wave: February 19 to March 5 2020

● Second wave: March 13 to May 22, 2020

● Third wave: June 29 to July 2, 2020

● Fourth wave: August 24 to September 12, 2020

Most domains related to the investigated campaign were registered with two registrars: Cloud2m and Host Africa. Cloud2m was used in earlier attacks. In mid-July 2020, some of these domains moved to Host Africa.

Timeline of FakeSecurity's malicious campaign from February to September 2020

Group-IB experts concluded that the purpose of the campaign in question was to steal payment and user data. The attackers used several attack vectors and tools to deliver the malware.

It was also discovered that in early 2020, before distributing the Raccoon stealer, the attackers had distributed samples of another stealer called Vidar. To do so, they used attachments with malicious macros and phishing pages created with the Mephistophilus phishing kit.

Infection pattern in the malicious campaigns of hacker group FakeSecurity

This malware distribution technique reminded Group-IB experts of the pattern used by FakeSecurity JS-sniffer operators during the campaign described in November 2019. Apart from having similar toolkits, both series of attacks targeted e-commerce. In May 2020, Group-IB identified online stores that had been infected with a modified JS-sniffer of the FakeSecurity family. The JS-sniffer was obfuscated using the aaencode algorithm, while the domains used to store the code and collect stolen bank card data were registered during the second wave with the same registrars as the domains that we discovered while investigating the malicious campaign. As such, it can be assumed that FakeSecurity JS-sniffer operators were behind the stealer distribution campaign.

Domain infrastructure of FakeSecurity's malicious campaigns

First wave

The first wave of domain registrations began in the co.za zone on February 19, 2020. The suspicious domains contained the following keywords: cloud, document, and Microsoft. Examples of domains registered during the first wave are presented below:

As part of the campaign's first wave, the initial compromise vector used: (i) mailings with attachments containing malicious macros and (ii) phishing pages leading to malware downloading.

Documents with macros

On February 28, nine days after the first domain was registered, the file "Bank001.xlsm" (SHA1: b1799345152f0f11a0a573b91093a1867d64e119) was uploaded to VirusTotal via a US web interface.

SHA1: b1799345152f0f11a0a
573b91093a1867d64e119 lure document. Alert says: "SECURITY WARNING. Macros have been disabled. "Enable content.""

The file is a lure document with malicious macros. When activated, it downloads a payload from http://cloudupdate.co[.]za/documents/msofficeupdate.exe.

Malicious macros contained in lure document and partially obfuscated in Base64

As a result, the file "msofficeupdate.exe" (SHA1: f3498ba783b9c8c84d754af8a687d2ff189615d9) is executed. The C&C server in this case is badlandsparks[.]com. This domain was registered on February 27, 2020 and is associated with the IP address 185.244.149[.]100. More than 30 files connect to this domain alone.

Infrastructure relating to the domain badlandsparks[.]com established with the help of Group-IB Graph Network Analysis

These files include "13b7afe8ee87977ae34734812482ca7efd62b9b6" and "596a3cb4d82e6ab4d7223be640f614b0f7bd14af". They create a network connection to gineuter[.]info, fastandprettycleaner[.]hk and badlandsparks[.]com. Judging by the requests they make to download libraries and open source data, the file "msofficeupdate.exe" and others like it are samples of the Vidar stealer. Criminals use the stealer to collect data from browsers (including web browsing history and account data), bank card data, crypto wallet files, messages, and more.

Vidar stealer admin panel

SHA1: 596a3cb4d82e6ab4d
7223be640f614b0f7bd14af file network communication built with the help of Group-IB Graph Network Analysis

A list of Vidar-specific HTTP requests and a detailed overview are available here:


/ (i.e 162)    <- Config
ip-api.com/line/    <- Get Network Info
/msvcp140.dll       <- Required DLL
/nss3.dll           <- Required DLL
/softokn3.dll       <- Required DLL
/vcruntime140.dll   <- Required DLL
/                   <- Pushing Victim Archive to C2

The file "BankStatement1.xlsm" (SHA1: c2f8d217877b1a28e4951286d3375212f8dc2335) is another lure document with malicious macros. When activated, it downloads the file from http://download-plugin[.]co.za/documents/msofficeupdate.exe.

The download file SHA1: 430a406f2134b48908363e473dd6da11a172a7e1 is also a Vidar stealer. The file is available for download here:

• http://download-plugin.co[.]za/documents/msofficeupdate.exe
• http://msupdater.co[.]za/documents/msofficeupdate.exe
• http://cloudupdate.co[.]za/documents/msofficeupdate.exe

Example of 430a406f2134b4890
8363e473dd6da11a172a7e1 file availability from different sources

Mephistophilus phishing kit

The second attack vector during the first wave was the use of phishing pages to distribute malware.

It turned out that the discovered domains (msupdater[.]co.za, cloudupdate[.]co.za and documents-cloud-server[.]co.za) had the same A record created at the same time: 160.119.253[.]53. According to Group-IB's Graph Network Analysis, documents-cloud-server[.]co.za contained the Mephistophilus phishing kit.

Links between domains under review established with the help of Group-IB Graph Network Analysis

From the start, Mephistophilus has been presented as a system for targeted phishing attacks. This phishing kit contains several fake web page templates for delivering payload, including:

• Microsoft Office 365, Word, and Excel online viewers
• PDF online viewer
• YouTube phishing page

Mephistophilus admin panel

Fake Adobe Reader update window

The documents-cloud-server[.]co.za domain contains a web fake imitating an Adobe Reader plugin update page. To continue viewing the document, the user is asked to download a plugin. By clicking on "Download plugin," the user activates a malware download from http://www.documents-cloud-server[.]co.za/file_d/adobe-reader-update-10.21.01.exe. Source code of phishing content is available here.

A file with the same name "adobe-reader-update-10.21.01.exe" (SHA1: f33c1f0930231fe6f5d0f00978188857cbb0e90d) was first uploaded to VirusTotal on March 13, 2020. It was available for download here:

• http://documents-cloud-server5[.]co.za/file_d/adobe-reader-update-10.21.01.exe
• http://documents-cloud-server1[.]co.za/file_d/adobe-reader-update-10.21.01.exe
• http://www.documents-cloud-server9[.]co.za/file_d/adobe-reader-update-10.21.01.exe
• http://documents-cloud-server8[.]co.za/file_d/adobe-reader-update-10.21.01.exe

Example of f33c1f0930231fe6f5d0
f00978188857cbb0e90d file availability from different sources

Another file named "msofficeupdater.exe" (SHA1: bdfefdff7b755a89d60de22309da72b82df70ecb) was available for download here:

• http://www.documents-cloud-server7[.]co.za/doc/msofficeupdater.exe
• http://documents-cloud-server5[.]co.za/doc/msofficeupdater.exe
• http://documents-cloud-server7[.]co.za/doc/msofficeupdater.exe
• http://www.documents-cloud-server6[.]co.za/doc/msofficeupdater.exe
• http://documents-cloud-server1[.]co.za/doc/msofficeupdater.exe
• http://documents-cloud-server6[.]co.za/doc/msofficeupdater.exe
• http://www.documents-cloud-server5[.]co.za/doc/msofficeupdater.exe
• http://www.documents-cloud-server1[.]co.za/doc/msofficeupdater.exe

Example of bdfefdff7b755a89d60de22309da72b82df70ecb file availability from different sources

Second wave

The domains associated with the file SHA1: bdfefdff7b755a89d60de22309da72b82df70ecb led us to another batch of domains related to the attackers' infrastructure. The domains were registered in two stages: the first batch on March 13, 2020 and the second one on May 22, 2020. Examples of second-wave domains:

These domains were created to distribute the Raccoon stealer. It is possible to establish the connection between these domain batches by looking at SHA1: b326f9a6d6087f10ef3a9f554a874243f000549d and SHA1: F2B2F74F4572BF8BD2D948B34147FFE303F92A0F files. When executed, these files establish a network connection to:

• cloudupdates[.]co.za
• cloud-server-updater2[.]co.za
• cloud-server-updater19.co.za

b326f9a6d6087f10ef3
a9f554a874243f000549d file network communication established with the help of Group-IB Graph Network Analysis

About 50 malicious files from public sources are related to the domain cloudupdates[.]co.za. Their first uploads date back to April 30, 2020 and the domain is similar to the previously discovered cloudupdate.co[.]za. Besides having a similar domain name, it was registered through the cloud2m registrar and ns1.host-ww.net, ns2.host-ww.net as well as msupdater[.]co.za and cloudupdate[.]co.za

WHOIS records data from three domains

About 300 files from public sandboxes are associated with all the second-wave domains. All these files are lure documents containing malicious macros named "MyBankStatement_2436.xlsm", MyBankStatement_3269.xlsm, "MyBankStatement_5763.xlsm", etc.

6685955C5F006C2D
83A92952EB5EB3FB
9598C783 lure document sample

One of these files is "MyBank_5710.xlsm (SHA1: 685955C5F006C2D83A92952EB5EB3FB9598C783). After activating the macros in this document, a file was downloaded from http://cloud-server-updater22[.]co.za/doc/officebuilder. This file with SHA1: 3657CF5F2142C7E30F72E231E87518B82710DC1C is a Raccoon stealer. It connects to the C&C server (35.228.95[.]80) to exfiltrate the collected information, using Google's infrastructure to legitimize requests. In turn, Raccoon makes a network connection to http://cloud-server-updater1[.]co.za/doc/officeupdate.exe and downloads RAT AveMaria (SHA1: a10925364347bde843a1d4105dddf4a4eb88c746), with the C&C server located at the IP address 102.130.118[.]152.

AveMaria is a RAT, which was discovered by cybersecurity researchers in late 2018, when it was used to attack an Italian oil and gas company. The RAT is capable of:

Privilege escalation
Ensuring persistence in the infected system
Injecting code
Keylogging
Gaining access to web camera
Managing processes
Managing files (creation, download, exfiltration, deletion)
RDP using rdpwrap
Info-stealer support:

- Google Chrome
- Firefox
- Internet Explorer
- Outlook
- Thunderbird
- Foxmail

6685955C5F006C2D
83A92952EB5EB3FB
9598C783 execution sequence

When running, Raccoon makes the following network requests:

3657CF5F2142C7E30
F72E231E87518B827
10DC1C network requests

Among these network requests, there is a connection to the blintick Telegram channel. Telegram was used by Raccoon's creators to bypass blocking of the C&C servers. To this end, the stealer makes a request to the Telegram channel and receives the encrypted address of the new C&C server from the description. The first samples using this technique began appearing on VirusTotal in late May 2020.

Messages from the designers of the Raccoon stealer

Translation:
The gate system has been updated. We have completely changed the traditional scheme. Detection decreases, keepalives increase. Build has been updated. The screenshot format has been changed to jpeg. Thanks for your feedback and support!

blintick Telegram channel and its description

Although the Raccoon stealer is distributed according to the MaaS model, all files distributed during the second wave accessed the same Telegram channel. This suggests that documents with malicious macros downloading Raccoon were distributed by the same group.

Third wave

The third wave of domain registration began on June 29, 2020:

• microsoft-cloud1[.]co.za
• microsoft-cloud6[.]co.za
• microsoft-cloud7[.]co.za
• microsoft-cloud8[.]co.za
• microsoft-cloud9[.]co.za
• microsoft-cloud10[.]co.za
• microsoft-cloud11[.]co.za
• microsoft-cloud12[.]co.za
• microsoft-cloud13[.]co.za
• microsoft-cloud14[.]co.za
• microsoft-cloud15[.]co.za

All registered domains pointed to the IP address 102.130.112[.]195. The first malicious files associated with this wave began to appear in public sandboxes as early as July 2, 2020. The names of these decoys are almost the same as the names of the files sent in the past: BankStatement0109_13169.xlsm, My_Statement_4211.xlsm, and so on. There are about 30 files associated with the domains and cloud-server-updater1[.]co.za.

Network infrastructure. File connections with domains involved in two waves established with the help of Group-IB Graph Network Analysis

The lure documents used as part of this wave look identical to the previous ones. Judging by their behavior after macros are activated, they were created by the same builder. Such builders make it possible to create office documents with malicious macros based on templates, which helps attackers distribute malicious files much faster and more efficiently.

618C894C06633E3D7
ADD228531F6E775A1
80A7F7 lure document sample

Upon activating macros, the file "My_Statement_1953.xlsm" (SHA1: 618C894C06633E3D7ADD228531F6E775A180A7F7) sends a request to download the stealer file http://microsoft-cloud13[.]co.za/msofficeupdate.exe. The Raccoon stealer file (SHA1: 6639081791A8909F042E4A4197DF7051382B04E5) makes a series of requests to its C&C server (35.198.88[.]195) and tries to download the file http://cloud-server-updater1[.]co.za/doc/officeupdate.exe, but receives an "error 302" and is redirected to http://cloud-server-updater1[.]co.za/cgi-sys/suspendedpage.cgi because the original domain is blocked. It seems that the sample was trying to download RAT AveMaria as before. In addition, all files related to this campaign made various network requests, including those to the Telegram channel https://telete.in/blintick.

6639081791A8909F0
42E4A4197DF70513
82B04E5 Raccoon stealer network communication

Using loaders

During this campaign, the attackers also experimented with various loaders. While analyzing the infrastructure, we discovered the Buer and Smoke loaders.

On April 30, 2020, an xls document (SHA1: 6c6680659b09d18ccab0f933daf5bf1910168b1a) was uploaded to VirusTotal. When the malicious code is executed, it downloads the payload from http://cloud-server-updater2.co[.]za/doc/buer.exe.

SHA1:6c6680659b09
d18ccab0f933daf5bf1
910168b1a file network communication established with the help of Group-IB Graph Network Analysis

Apart from that, the files were uploaded to a public resource: bazaar.abuse[.]ch.

The file names and the tags attached refer to the Buer loader.

SHA1:7b1a5d9bb21d8
52a6dbf3146fabb1cd1
ca276ed9 file network communication

While monitoring the adversary infrastructure, we identified a batch of domains registered by the attackers between August 24 and September 12, 2020. Examples of such domains are presented below:

Similar WHOIS domain records

The WHOIS records for these domains match the WHOIS records for those discovered previously in this campaign. On August 26, 2020, malicious files related to the domains code-cloud[1-6][.]co.za and google-document[.]co.za began appearing on public resources. One of these files is "BankStatement_1390868739.doc" (SHA1: ed5c20371bae393df0a713be72220b055e5cbdad).

SHA1: ed5c20371bae393df0
a713be72220b055e5cbdad file network communication established with the help of Group-IB Graph Network Analysis

When the malicious code is executed, the file downloads the payload from http://google-document[.]co.za/doc/loader.exe. Signature analysis showed that the downloaded file is a Smoke loader sample.

"loader.exe" file analysis and Smoke loader tag

The fact that the cybercriminals additionally use loaders in their campaigns could indicate that they are still searching for the most effective tools.

Fourth wave

Some of the domains registered in early September 2020 mimicked Adobe in their names. From September 14, 2020, Group-IB experts found Mephistophilus with an identical pattern on these hosts, just like during the first wave.

Connection between the Mephistophilus infrastructure and the 2019 and 2020 campaigns established with the help of Group-IB Graph Network Analysis

Screenshot of a Mephistophilus decoy page

Clicking on the "Download" plugin button downloads the Raccoon stealer file SHA1: bcfb45e5451435530156f1f02ddbb9cadf6338e9 from https://updateforadobenew[.]co.za/file_d/adobe-reader-v13.11.1.3.exe.

Data from Group-IB Threat Hunting Framework Polygon

MITRE ATT&CK matrix of the file analyzed

Note: Around mid-July 2020, the attackers deleted their Telegram channel. It was restored on September 14, 2020 and the description contained the encrypted address of the active C&C server. At the time of writing, the channel is inactive again.

blintick Telegram channel content

Relation to FakeSecurity

This malicious campaign bears a striking resemblance to a series of FakeSecurity JS-sniffer attacks described by Group-IB in November 2019. Past attacks targeted owners of online stores powered by Magento CMS. In the campaign described previously, the attackers also used such tools as the Vidar stealer and the Mephistophilus phishing kit, with an identical template for Adobe updates. In addition, the attackers used the same hosting service to register domains in both campaigns.

In the 2020 campaign, the same attack vector was used and involved subsequent distribution of the Raccoon stealer. In addition, the investigation revealed messages sent to several online stores from bezco.quise1988@wp.pl and outtia.lene1985@wp.pl.

A detailed analysis of the first-wave malware distribution via Mephistophilus phishing pages revealed a link between the domains involved in this campaign (in particular documents-cloud-server*[.]co.za) and the FakeSecurity campaign. During the 2020 campaign, phishing pages were available at the following URLs:

List of domains with an identical structure

According to urlscan[.]io, more than 20 sites with a similar structure were discovered, but the one that stands out is alloaypparel[.]com. It was used in the FakeSecurity campaign.

Since March 2020, Group-IB specialists have started detecting online store infections with a JS sniffer obfuscated by the aaencode algorithm (https://utf-8.jp/public/aaencode.html). The malware was loaded from get-js[.]com. WHOIS records similar to those used previously by this group were located at get-js[.]com:

● fiswedbesign[.]com
● alloaypparel[.]com
● firstofbanks[.]com
● magento-security[.]org
● mage-security[.]org

Connection between FakeSecutiry infrastructure during the 2019 campaign and the domain get-js[.]com built with the help of Group-IB Graph Network Analysis

Part of JS-sniffer code obfuscated with aaencode

After deobfuscating it, Group-IB established that the malware used for infections was a modified version of the FakeSecurity JS-sniffer. Its distribution was analyzed in November 2019.

Deobfuscated code of the FakeSecurity JS-sniffer modified version

In May 2020, Group-IB discovered new infected online stores. Once again, the attackers used a modified FakeSecurity JS-sniffer obfuscated with aaencode. The malware was injected either by a link using a script tag or by modifying existing JavaScript files on the site. The JS-sniffer was used to compromise over 20 online stores between May and September 2020. The following domains were used to store the code and collect stolen bank card data during the new campaign:

• cloud-js[.]co.za
• host-js[.]co.za
• magento-cloud[.]co.za
• magento-js[.]co.za
• magento-security[.]co.za
• marketplace-magento[.]co.za
• marketplacemagento[.]co.za
• node-js[.]co.za
• node-js[.]co.za
• payment-js[.]co.za
• security-js[.]co.za
• web-js[.]co.za

Created on April 24, 2020 (during the second wave), these domains were registered with the same registrars as those used to distribute the Vidar and Raccoon stealers and the Buer and Smoke loaders.

The format of the links to the JS-sniffer files combined with the malware family type suggest that FakeSecurity JS-sniffer operators are behind the campaign to infect online stores.

In addition, some domains involved in the campaign under investigation hosted a parked page labeled "test page", like the one hosted on FakeSecurity domains:

• https://urlscan.io/result/0299b3e5-cbba-40be-adce-7ba437e4cb39/ microsoft-cloud10[.]co.za
• https://urlscan.io/result/8f244d1b-2186-4db5-9c52-6122584dafa9/ - documents-cloud-server[.]co.za

Examples of similar parked pages on JS-sniffer FakeSecurity's gate and domains in co.za zone

The evidence found indicates that the operators of the FakeSecurity JS-sniffer family are likely to be behind the multi-stage malicious campaign described above. According to our information, even though the group gains initial access using non-self-developed tools sold or rented on darknet forums, it continues to operate its exclusive JS-sniffer.

Recommendations

Below you can see attackers' TTPs and relevant mitigation and defense techniques in accordance with MITRE ATT&CK and MITRE Shield that we recommend to use to protect against and prevent cyberattacks.

All the mitigation and defense techniques are implemented in Group-IB's products intended for the protection against cyberattacks at early stages. If you have any questions or suspect that you're being attacked email us at response@cert-gib.com.

Lear more about Group-IB's Security Assessment, Managed Extended Detection and Response, Threat Intelligence, Cyber Education, Red Teaming, Incident Response, and Fraud Protection on our website.

Indicators