Tag Archive for: malware

Navigating the Resurgence of Raccoon Stealer: Detection, Remediation, and Prevention Strategies

The developers behind the notorious Raccoon Stealer malware have reemerged after a six-month absence from hacker forums, promoting an updated 2.3.0 version of their malware to cybercriminals. Since its introduction in 2019, Raccoon has become one of the most prominent and prolific information-stealing malware families, sold through a subscription model at $200 per month to threat actors.

Raccoon Stealer is capable of extracting data from over 60 applications, including user login credentials, credit card details, browsing history, cookies, and cryptocurrency wallet accounts. In October 2022, the project faced a significant setback when Mark Sokolovsky, the primary developer of the malware, was arrested in the Netherlands, and the FBI dismantled the malware’s service infrastructure.

The Return of Raccoon
In a recent post, first identified by VX-Underground, the current authors of the malware notified the cybercriminal community of their return, revealing that they have been “working tirelessly” to develop new features intended to enhance the user experience of their malicious clientele. These updates were informed by user feedback, specific requests, and prevailing cybercrime trends—with the goal of maintaining Raccoon’s standing in the top echelon of information stealers.

According to a numerous reports, Raccoon 2.3.0 has incorporated several significant user-friendly and operational security enhancements. These improvements are designed to simplify the malware’s use for less technically savvy threat actors and to make tracing by researchers and law enforcement more challenging.


Announcement of Raccoon v2.3.0 on hacker forums
Source: Cyberint

The Ongoing Threat
Information-stealing malware like Raccoon poses a significant and extensive threat to both individual users and businesses. Its pervasive use by cybercriminals ensures that malicious payloads are delivered through numerous channels, targeting a vast and diverse audience. Moreover, since this malware can also steal session cookies, it may enable threat actors to bypass multi-factor authentication safeguards, thereby breaching corporate networks. Once inside, attackers can deploy various offensive strategies, including data theft, ransomware attacks, BEC scams, and cyber-espionage tactics.

The Ongoing Threat and New Features

Quick Search for Cookies and Passes:
The updated Raccoon admin panel introduces an innovative way to search for URLs. This improvement enables threat actors to swiftly find specific links in large datasets, even when dealing with millions of documents and thousands of disparate links—a notable enhancement in efficiency and convenience for users of this malware.


Raccoon Stealer Quick Search Module
Source: Cyberint

Automatic Bot Blocking and Panel Display:
Raccoon now includes a system designed to detect anomalous activity patterns, such as repeated accesses from the same IP address or range. Upon detecting such activity, this system automatically deletes the associated records and updates the client pads, thereby thwarting security tools relying on automation and bots for malware detection.

Raccoon Stealer Dashboard with Bot Blocking and Panel Display
Source: Cyberint

Legend: Green Smiley = Activity of the IP is normal. Red Smiley = High probability that bots or other automated systems created or actively used the log.

Reporting System:
This new feature blocks IP addresses typically used by security practitioners’ crawlers and bots to monitor Raccoon’s network traffic.

Racoon Stealer Reporting System per IP Address
Source: Cyberint

Log Statistics:
This feature enables threat actors to review detailed statistics about their activities, including a geographic breakdown of compromised systems, reminiscent of functionalities in earlier versions of the malware.

Raccoon Stealer Behavior and Capabilities
Raccoon targets a comprehensive range of applications, employing specialized techniques to extract and harvest data. Raccoon’s modus operandi for data extraction from targeted applications generally involves the following steps:

  • Extract the file from the targeted application that contains sensitive data.
  • Copy this file to a designated folder (usually %Temp%).
  • Generate a text file within the targeted application’s directory, which contains the stolen data.
  • To decrypt credentials from applications, Raccoon retrieves and downloads the necessary DLLs associated with these applications.

Based on Proficio’s research, as of 08/15/2023, there are 9,515,216 Raccoon stealer findings listed throughout the dark, deep and surface internet.

Sample Raccoon Malware Logs:

Source: Proficio Cyber Exposure Monitoring Platform

Targeted Applications Include

Browsers:
Google Chrome, Comodo Dragon, Amigo, Orbitum, Bromium, Nichrome, RockMelt, 360Browser, Vivaldi, Opera, Sputnik, Kometa, Uran, QIP Surf, Epic Privacy, CocCoc, CentBrowser, 7Star, Elements, TorBro, Suhba, Safer Browser, Mustang, Superbird, Chedot, Torch, Internet Explorer, Microsoft Edge, Firefox, WaterFox, SeaMonkey, PaleMoon

Email Clients:
ThunderBird, Outlook, Foxmail

Cryptocurrency Wallets:
Electrum, Ethereum, Exodus, Jaxx, Monero, Bither

Detection Steps:

  • Monitor System Behavior: Regularly check for unusual system behavior, such as unexpected data flows or high CPU usage when no major tasks are running, which may indicate malware activity.
  • Antivirus Scans: Conduct frequent and thorough scans using updated antivirus software that can detect known variants of Raccoon and similar malware.
  • Check for Unusual Network Traffic: Continuously monitor network traffic for uncommon data exfiltration attempts or communication with known malicious IP addresses.
  • Inspect System Logs: Review system and security logs for irregularities or signs of intrusion.

Remediation Steps:

  • Isolate Infected Systems: Immediately quarantine affected systems from the network to prevent the malware from spreading.
  • Remove Malware: Use reputable antivirus or antimalware tools to clean the infected systems.
  • Change All Passwords: After removing the malware, change all passwords, starting with the most sensitive accounts.
  • Update Software: Ensure that all systems are running the latest versions of operating systems and applications, which include security patches.
  • Enable Multi-Factor Authentication (MFA): To add an extra layer of security, enable MFA on all possible accounts.
  • Review Permissions and Access: Conduct a comprehensive audit of user permissions and restrict privileges to the minimum necessary for each role.

Defensive Measures:

  • Use Password Managers: Employ password managers as opposed to saving credentials within browsers.
  • Enable Multi-Factor Authentication: Activate MFA across all accounts as a robust preventative measure.
  • Exercise Caution with Downloads: Avoid downloading executable files from questionable websites, even when directed to these sites from seemingly trustworthy platforms like Google Ads, YouTube videos, or Facebook posts.
  • Regular Updates and Patch Management: Keep operating systems and all software up to date with the latest security patches.
  • Educate Employees and Users: Regularly educate and train staff or users about the risks of phishing scams and how to recognize potential malware lures.

Note:
These measures are not exhaustive but represent essential steps in detecting, remediating, and defending against threats like the Raccoon Stealer malware.

Article References:
https://twitter.com/vxunderground/status/1691175828607111171
https://cyberint.com/blog/financial-services/raccoon-stealer/
https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-returns-with-new-stealthier-version/
https://www.bleepingcomputer.com/news/security/ukrainian-charged-for-operating-raccoon-stealer-malware-service/

Method: FakeSpy – Android Trojan targeting Japanese and Korean Speaking Users

On June 19th, TrendMicro released technical analysis on FakeSpy malware targeting Korean and Japanese mobile users. FakeSpy has been observed sending mobile text messages with a malicious link message that prompts a malicious Android application package. This application masquerades itself as an app for local consumer financial service companies to Korean users. For Japanese users, it pretends to be an application for transportation, logistics, courier and e-commerce companies. This application is known to monitor for text messages and send these messages back to a C&C server. It has also been observed adding contacts to the devices, resetting the device, setting it to mute, updating configurations and stealing device information.

FakeSpy has also been known to check for banking related applications and replace it with counterfeit versions. These applications will then phish for user’s credentials by informing the users that their application needs to be updated and asks them to input their key. FakeSpy hides and updates their C2 server by making use of social media. The application will access the Twitter Page that the handler maintains and parse its content to retrieve the C2 IP address.

The Proficio Threat Intelligence Recommendations:

  • Considering that FakeSpy is distributed via phishing messages, users can avoid being a victim by practicing good security habits including checking for grammatical errors and avoiding unsolicited messages that contain URL links.

Technical Analysis of Malware – Click Here

METHOD – RANCOR Malware: Southeast Asia

A new malware campaign was observed this month, which appears to be politically driven and targets organizations operating in southeast Asia. The malware was dubbed “RANCOR” by Palo Alto researchers and falls under the Trojan malware classification. Additionally, the malware appears to make use of code from two malware families: DDKONG and PLAINTEE.

The malware has been observed in at least three cases, in which high profile individuals were targeted in spear phishing emails. The email contained malicious attachments in the form of .hta, .xlxs, and .dll file types. When opened, these attachments open decoy PDFs or web pages that claim to be related to political parties from the given country. However, these attachments would also execute scripts in the background in order to complete their installation on the host system.

While this behavior might seem easy to detect at first glance, the closer look reveals the malware writers took several steps to evade detection. Researchers noted that the malicious scripts were typically hidden in the metadata of the files and executed when certain conditions were met. Additionally, in the case of web pages opening, the websites of legitimate government
organizations and Facebook were compromised in order to bypass security.

Though current findings show only Cambodia and Singapore have been targeted thus far in the RANCOR campaign, a number of other countries located in Asia Pacific could be targeted as well and it is recommended to update security controls to detect the IOCs associated with this attack. One tell tale sign of some RANCOR variants is the rare use of a custom UDP protocol. This protocol may be detected by some heuristic IDPS devices searching for file type PE32 executable (DLL) (GUI) Intel 80386 for MS Windows and corresponding to the SHA256 hash below.

IDPS devices can be updated to trigger on the following additional signatures that have been observed:

  • Domain: www.facebook-apps.com
  • IPv4: 89.46.222.97
  • SHA256: 0bb20a9570a9b1e3a72203951268ffe83af6dcae7342a790fe195a2ef109d855
  • SHA256: c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d

The Proficio Threat Intelligence Recommendations:

  • Ensure security devices are updated to latest stable firmware.
  • Monitor for IOCs related to file type PE32 executable (DLL) (GUI) Intel 80386 for MS Windows.
  • Change the default handler for “.hta” files in your enterprise environment so that they cannot be directly executed.

Source of Analysis – Click Here

Method – MirageFox Malware

On June 18th, malware researcher, Jay Rosenberg released some interesting findings on a binary that was analyzed by the company Intezer. The code was retrieved through VirusTotal hunting. VirusTotal is a tool used by the global cybersecurity community that allows users to upload suspicious executables to an engine to check if antivirus vendors detect anything bad about the file. The Intezer analysis revealed that the binary shared code with a remote access tool (RAT) was very similar to the code that had been mentioned in the 2017 campaign documented by NCC Group where the hacker group APT 15 had hacked entities within the UK Government.

This indicates that the group APT 15 had built a variation of their RoyalAPT malware mentioned by the NCC Group. This malware could’ve then potentially been used to perform a separate attack perhaps on an additional entity. During the article, the author states “Coincidentally, following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare, we have found evidence of very recent activity by a group referred to as APT15, known for committing cyber espionage which is believed to be affiliated with the Chinese government.” This infers that the author believes the MirageFox and US Navy Contractor hack are tied together. As a result, we have seen additional sources claiming that APT 15 was likely behind the US Navy hack of Operation Sea Dragon. We’d like to point out that the findings of the malware author do not prove this and this is only based on speculation at this time.

Some very interesting findings in the report are the command and control used within the binary. The IP address of the call home was 192.168.0.107. This is an internal IP address used within internal networks. This indicates that the command and control server was on the inside of the network, possibly on a VPN. This is a very abnormal configuration from the attacker and will throw off several types of perimeter security controls without special configuration.

The Proficio Threat Intelligence Recommendations:

  • Block hashes of IOCs on the corporate endpoint solution if possible. The researcher stated the binaries at the time of research had a low antivirus detection rate.
  • Note the internal command and control server and think about this type of attack when configuring perimeter IDPS technologies that look for outbound traffic as a means of command and control.
  • Potentially treat your internal VPN network ranges as an external network when configuring your IDPS controls. The organization will have to validate this will not result in false positive IDPS triggers.

Source of analysis – Click Here

Method: Hidden Cobra TYPEFRAME Malware Activity

On June 14th, US-CERT released a Malware Analysis Report (AR18-165A) that details a set of malware, code-named TYPEFRAME, with the earliest observed sample dating back to 2015. This malware appears to have been leveraged by North Korea’s threat actor HIDDEN COBRA (aka Lazarus). The Trojan has the capability to download and install malware, proxies and remote access tools (RATs), connect to command and control servers and modify the victim’s host based firewall to allow incoming connections.

The multiple executables and malicious document referenced within the report shows that the Trojan TYPEFRAME seems to be quite modular in nature, with different installers appearing to install different malicious modules. In summary, the multiple executables detailed in the report can be summarized as the following:

  • F5A4235EF02F34D547F71AA5434D9BB4 / BFB41BC0C3856AA0A81A5256B7B8DA51 – The installer that sets the RAT as a service on the victim’s machine
  • 10B28DA8EEFAC62CE282154F273B3E34 – This file is an installer designed to set a proxy module as a service on the victim’s machine.
  • 00B0CFB59B088B247C97C8FED383C115 – This file also serves as a proxy module designed to open the Windows Firewall on the victim’s machine for the purpose of allowing incoming connections and force it to act as a proxy server. This module listens on port 8443.
  • BF474B8ACD55380B1169BB949D60E9E4 – This file is a RAT designed to install a proxy module as a service on the victim’s system.
  • 6AB301FC3296E1CEB140BF5D294894C5 – This malicious Word document contains a VBA macro to decode a PE binary and execute it.
  • EF9DB20AB0EEBF0B7C55AF4EC0B7BCED – This file is designed to connect to its remote C2 servers on port 443 and wait for instructions.
  • 1C53E7269FE9D84C6DF0A25BA59B822C – This file is a proxy module installed as a service and is designed to open the Windows Firewall on the victim’s machine for the purpose of allowing incoming connections and force it to act as a proxy server. Notably, this malware makes use of a fake TLS communication mechanism.

Given the nature of the tactics used by this particular threat actor and the details available in the advisory, the threat is prevented by most common security countermeasures such as an up-to-date corporate antivirus. The risk for most organizations is likely minimal.

The Proficio Threat Intelligence Recommendations

  • Add the seven IP IOCs (indicators of compromise) flagged by US-CERT in the MAR (malware analysis report) to a firewall blocklist / SIEM monitoring watchlist.
  • Make sure to maintain antivirus products are up-to-date as this malware appears to have good detection rates amongst antivirus vendors with the samples analyzed.
  • Disable File and Printer sharing services if not required for business needs.
  • Restrict users’ ability to install and run unwanted software applications.
  • Exercise caution when opening email attachments.
  • Enable personal, host-based firewalls on individual workstations to deny unsolicited connection requests.

Source of Analysis – Click Here

TARGET: Nuance Communications – Lost Revenue and PHI

Nuance Communications, a healthcare software company which specializes in speech and imaging, has had a run of bad luck with external and internal incidents in 2017.

Last year NotPetya malware cost the company $92 million in revenue, mainly from the disruption of transcription services and systems used by healthcare customers. Nuance quickly attempted to restore client functionality which took over a month for complete remediation and restoration. This attack constituted a security incident under the HIPPA Security Rule but not a breach of PHI under the BNR (Breach Notification Rules).

In December 2017, only months following the NotPetya incident, there was an unrelated data breach from a former Nuance employee involving the PHI of 45,000 individuals. The records included healthcare provider’s patient assessments, diagnoses, dates of service and care plans. The attacker  stole these records through an unauthorized access of a transcription platform.

Nuance stated that it continues to enhance its security protection to prevent further cyberattacks as these incidents have resulted in negative press and has lost potential revenue.

Proficio Threat Intelligence Recommendations:

  • Proper network segmentation to mitigate the spread of malware outbreaks
  • Implement and enforce access controls to prevent unauthorized access
  • Backup critical systems and store them off-network

 

General Info – Click Here

Attacker: Xenotime and Trisis ICS Attacks

Dragos, an information security consulting firm that specializes in industrial control system (ICS) security consulting, reported that the threat actor known as “Xenotime” has expanded its presence in compromising ICS systems beyond the Middle East. In late 2017, FireEye and Dragos reported a threat actor had released TRISIS malware that had targeted a Middle East oil company. The attack resulted in a complete shutdown of the oil and gas facility. Forensics revealed that malware had targeted the safety instrumentation system (SIS) component of a Schneider Electric’s Triconex system that was present within the facility.

Safety instrumentation systems are responsible for taking action on critical situations within industrial control systems. They could be responsible for opening and closing valves or other types of safety systems. Failure of an SIS may result in loss of life or the disruption in the functionality of a facility. This threat actor is suspected to be state sponsored and was attempting to engineer an attack that could be used to cause physical damage in the event of a political conflict. The new revelation from Dragos indicates that the same party that was targeting the Middle East company has now expanded its presence to multiple regions around the world by targeting multiple types of ICS environments. This is very alarming issue since this threat actor is actively attempting intrusions with the intent to cause physical damage to ICS systems that may result in a loss of life or major disruption of critical industrial facilities.

Proficio Threat Intelligence Recommendations:

  • Validate an ICS monitoring solution is in place.
  • Develop special focused monitoring use cases around assets within ICS networks.
  • Monitor for vulnerability advisories from your ICS vendors.

General Info – Click Here

Method: VPNFilter Malware responsible for botnet army of 500,000 devices

Researchers from Cisco Talos with the help of numerous threat intelligence partners, have identified at least 500,000 devices worldwide that have been infected with VPNFilter malware. Large segments of the malware’s code were repurposed from the notorious BlackEnergy malware, which was responsible for massive DDoS attacks targeting Ukrainian infrastructure resulting in widespread power outages.

The majority of known infected hosts are from small office or home network devices which usually act as the perimeter network device with little to no defense in depth.  Many of these devices have publicly known exploits or default credentials that make compromising a device of this type trivial when best practices are not followed.

Known Affected Network Devices:

  • Linksys
  • MikroTik
  • NETGEAR
  • TP-Link
  • QNAP NAS

The capabilities of the VPNFilter are numerous, and  include unrestricted data collection from an affected device including banking credential theft, as well as the ability to execute a kill command to render the device unusable.  Another area of concern is the VPNFilter’s ability to monitor Modbus SCADA protocols, which are commonly used by industrial devices/applications like the BlackEnergy malware, which rendered many of Ukraine’s power substations inoperable.

Proficio Threat Intelligence Recommendations:

  • Users of SOHO routers and/or NAS devices ensure default credentials are changed and reset devices to factory defaults and reboot them in order to remove the non-persistent stage 2 and stage 3 malware.

 

General Info – Click Here

METHOD: HIDDEN COBRA Joanap and Brambul Malware Activity

US-CERT has released a technical advisory regarding a RAT (remote access tool) and an SMB (server message block) worm dubbed respectively Joanap and Brambul. Both claimed to be leveraged by the North Korea’s threat actor HIDDEN COBRA (aka Lazarous) since 2009. HIDDEN COBRA is an alias used to describe global hacking performed by a group tied with supporting the North Korean Government.

Based on the report findings, HIDDEN COBRA is responsible for using these two types of malware to target victims globally across multiple sectors. The worm appears to leverage relatively old and unsophisticated attack methods for spreading. Once infected, a system will attempt to brute force remote shares hosted over the SMB protocol using a set of about 150 common passwords such as “123456” and “cookie123” and “dbpassword.”

Analysis of the IoCs (indicators of compromise) provided in the article revealed that infrastructure primarily located in Latin American, the Middle East, and the Asia Pacific have been compromised with the malware. Command and control for the malware is somewhat unique, in that it gathers details and then attempts to send out emails to two known email addresses (misswang8107@gmail[.]com and redhat@gmail[.]com) with the compromised details of the host.

Luckily, most antivirus vendors have good detection rates for this type of malware since its older and well-known, and it attempts to spread using relatively simple passwords.  The risk for most corporate environments regarding this threat is relatively low.

Proficio Threat Intelligence Recommendations:

  • Deny SMB from the internet at perimeter firewalls
  • Enforce a password policy that does not allow weak passwords as a means to authenticate to SMB shares inside the LAN

General Info – Click Here

Method: RIG Exploit Kit – Grobios Malware

The use of exploit kits has generally been declining over the past two years, however FireEye has recently observed in March active development of the RIG EK capable of delivering a trojan named Grobios, a type of malware.  

Victims are first redirected to a compromised domain with an embedded malicious iframe which then redirects to the RIG EK landing page which loads a malicious Flash file. When the Flash file is executed, it drops the Grobios trojan onto the host and subsequently uses various techniques to evade detection and gain persistence.

The techniques used for evasion/persistence include masquerading as legitimate software and detecting VM & malware analysis tools. After detection evasion and persistence is achieved, network communication is established to hardcoded IPs point towards their respective C&C servers awaiting further instruction.  

Proficio Threat Intelligence Recommendations:

  • Ensure network nodes are fully patched to minimize attack surface

 

General Info – Click Here