Raccoon Stealer Returns from Hiatus with Updated Version

Recent report indicates the return of the Raccoon infostealer malware after a six-month break.

On August 14, 2023, the threat actor managing Raccoon Stealer announced the return of the tool after a six-month break, as well as an updated version 2.3.0 with updates based on “feedback and analysis of customer requirements and market trends.”

Context

On August 15, 2023, researchers at Cyberint reported technical details of a resurgent campaign involving the Raccoon Stealer malware after a significant hiatus. Raccoon Stealer is a prominent tool sold as a service to threat actors to leverage in stealing victim credentials and cryptocurrency information.

Technical Details

Cyberint researchers outlined new features of the Raccoon Stealer malware version:

  • “Quick search for cookies and passes – The new Raccoon admin panel introduces a new way to search for URLs in the latest version.
  • Automatic bot blocking and panel display – A new system is now added to the infostealer to detect unusual activity patterns, such as multiple accesses from the same IP address or range.
  • Reporting System – This feature was added to block IP Addresses used by crawlers and bots often used by Security Practitioners to monitor Raccoon Traffic
  • Log Statistics – With this, any Threat Actor who purchases the Raccoon Stealer can see the top countries by the number of logs, as in the first versions of our stealer.”

Mitigation Options

Cyberint researchers provided the following defense recommendations:

  • “Develop and enforce a comprehensive security policy that outlines best practices for employees, including guidelines on password management, email usage, and software updates.
  • Provide regular security awareness training to employees to educate them about the risks of infostealer malware, phishing attacks, and safe online practices.
  • Implement robust endpoint security solutions, including advanced antivirus and anti-malware software, to detect and prevent infostealer infections on devices used within the organization.
  • Ensure that email security controls are applied to limit the delivery of potentially malicious attachments or links to end-users, as well as implementing protocols and security controls such as DKIM, DMARC and SPF.
  • Enforce using MFA for accessing sensitive systems and applications, adding an extra layer of security even if credentials are compromised.
  • Develop and regularly update an incident response plan that outlines the steps to take in case of an infostealer malware incident. This plan should include isolation, containment, eradication, and recovery procedures.
  • Conduct regular security audits and assessments to ensure that your security practices align with industry standards and regulation.
  • Those using cryptocurrencies should consider the use of hardware-based wallets and ensure that payment addresses are verified before submitting a transaction.”

IOCs

Cyberint researchers provided the following IOCs:

Indicator

Type

Notes

012e382049b88808e2d0b
26e016dc189f608deea9b6c
c993ce24a57c99dd93d1

SHA256

From May 2021

18c27b85f26566dd782171e
00ea5b5872546b23526cca
0ebb185caca35fdec93

SHA256

From May 2021

24499fbfd8a2b2663899841
f3cf424b60d60c26351b5d4
91fd475adf9e301256

SHA256

From May 2021

3c5120a6e894b64924dc44
f3cdc0da65f277b32870f73
019cefeacf492663c0e

SHA256

From May 2021

40175d0027919244b6b56f
e5276c44aba846d532501e
562da37831403c9ed44e

SHA256

From May 2021

624b7ae8befcf91dbf768d9
703147ac8f9bd46b08ffe14
a75c77e88736bf07d0

SHA256

From May 2021

75c3a83073d9b15d4f4730
8b5d688f1ec07422419e3b
d54e78f6ef8683d42e5c

SHA256

From May 2021

8815b21c44c22aec31f7fa6
e69dcb83a60c572f8365ff
02b5c6f12154e01a4c2

SHA256

From May 2021

97e95e99fd499ec45a7c1d
8683d5731ce5e7a8fb8b7
10622e578cd169a00d8d9

SHA256

From May 2021

a2420c7f0c7bf5d3c0893a
ff6b7440a09c053163243
4d2bbb6f8ed98b04317b9

SHA256

From May 2021

bfb37c9adc809e880f56dd
10898b5425242330d6e2f
a69e014a98e6dc18ce416

SHA256

From May 2021

caf3eca514de58e215b5e9f
568f748293be64a3c82e15c
2f905903cd9bfacc1c

SHA256

From May 2021

de7ccff53ca27db1ed1e3e0d
0df07f2e3364ec6b7e60622
dc7726cba56831eb7

SHA256

From May 2021

hxxps://telete[.]in/jiocacossa

URL

From May 2021

hxxps://tttttt[.]me/kokajakprozak

URL

From May 2021

hxxps://tttttt[.]me/antitantief3

URL

From May 2021

hxxps://telete[.]in/baudemars

URL

From May 2021

hxxps://telete[.]in/bpa1010100102

URL

From May 2021

hxxps://tttttt[.]me/brikitiki

URL

From May 2021

hxxps://tttttt[.]me/ch0koalpengold

URL

From May 2021

195[.]201[.]225[.]248

IP Address

Resolves to telete[.]in and related domains

95[.]216[.]186[.]40

IP Address

Resolves to tttttt[.]me and related domains

telete[.]in

Domain

Initial ‘call home’ to an unofficial Telegram service

telecut[.]in

Domain

Suspicious domain related to telete[.]in

tgraph[.]io

Domain

Suspicious domain related to telete[.]in

tttttt[.]me 

Domain

Initial ‘call home’ to an unofficial Telegram service

telegram[.]cat

Domain

Suspicious domain related to tttttt[.]me

telegram[.]services

Domain

Suspicious domain related to tttttt[.]me

tlgr[.]org

Domain

Suspicious domain related to tttttt[.]me

xn--r1a[.]click

Domain

(т[.]click) – Suspicious domain related to tttttt[.]me

xn--r1a[.]link

Domain

(т[.]link) – Suspicious domain related to tttttt[.]me

xn--r1a[.]live

Domain

(т[.]live) – Suspicious domain related to tttttt[.]me

xn--r1a[.]site

Domain

(т[.]site) – Suspicious domain related to tttttt[.]me

xn--r1a[.]website

Domain

(т[.]website) – Suspicious domain related to tttttt[.]me

 

More Recent Blog Posts

2024 RH-ISAC Cyber Intelligence Summit logo

Register for RH-ISAC Summit

Our biggest event of the year is coming up soon! Join RH-ISAC April 9-11 in Denver for our annual three-day conference featuring interactive, practitioner-led discussions, breakout sessions, and keynote presentations.