Raccoon Stealer Abuses Telegram

Racoon Stealer was first found in 2019 on underground hacking forums. It became one of the cheapest data stealing software by 2020. Several updates were provided for the software after its initial release. The malware is capable of stealing various data like

  • Browser cookies
  • Saved logins
  • Forms data saved on browsers
  • Login credentials from email client
  • Crypto wallet files
  • Browser plugin data and extensions
  • Modify arbitrary files and execute commands from C&C servers

Distribution Methods

The malware was distributed via several methods like Buer Loader and GCleaner. Some of the methods of distribution included fake patches, cracks or cheats for Fortnite, Valorant and NBA2K22. Samples of some fake softwares were also found with the Racoon Stealer malware. 

As Racoon Stealer was readily available for all, the distribution of the malware had no limits. The malware is spread with malware packers or Themida. 

Technical Details

The Source code of Racoon Stealer is written in C/C++ and built with Visual Studio with a size of 580 kb to 600 kb. Anyway, quality of the source code is below average since some of the strings are encrypted and some are not encrypted.

Once Racoon infects a system, it first checks for the user locale. This is because the malware is coded in such a way that it will not execute if the user locale is set to one of the following.

  • Belarusian (be / bel)
  • Ukrainian (uk / ukr)
  • Russian (ru / rus)
  • Kazakh (kk / kaz)
  • Kyrgyz (ky / kỉr)
  • Armenian (hy / hye)
  • Tajik (tg / tgk)
  • Uzbek (uz / uzb)

C&C Communications

Racoon Stealer malware has an interesting communication with C&C server. The Racoon source code has four crucial values for its command and control communications.

  • MAIN_KEY – Four updates were given for this value
  • URLs – Linked with Telegram channel name. It is ensured not to store any credentials inside the samples.
  • BotID – This is a Hexadecimal string which is sent to C&C every time
  • TELEGRAM_KEY – This value is a key to decrypt the C&C address which is obtained from the Telegram gate.

A full detailed analysis of this Racoon Stealer was published by Avast which consisted of the entire malware spread and distribution all around the world. Avast also claimed that they found two usernames who are suspected to be part of the group that spread the malware.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.