Bitdefender experts have prepared an analysis of Raccoon Password Stealer. The most amazing thing is that if Russian or Ukrainian is set as the local user language, the malware does not start in the system.
Hackers use the RIG Exploit Kit to spread various malware via browser exploits, in particular via vulnerable versions of Internet Explorer 11. Since the beginning of this year, the backers of new attacks have been spreading Raccoon-Stealer malware, which, among other things, uses Chrome- and Mozilla-based access data Applications, access data for mail accounts, credit card information and information on crypto wallets in browser extensions and from a hard drive.
Raccoon password stealer in focus since 2019
Security experts first observed the password stealer Raccoon in April 2019. Zerofox, Cyberint and Avast have already described older variants of the malware, some of which were available as Malware-as-a-Service on underground forums, some for $200 a month rent.
The RIG Exploit Kit currently being analyzed by Bitdefender experts exploits the CVE-2021-26411 vulnerability. Once deployed, the malware attacks various applications to steal passwords and other information. In Chrome-based browsers, it looks for the sensitive data in the SQLite databases. Using the legitimate sqlite3.dll library, the attackers sniff out login information, browser cookies and history, and credit card information.
Spying of access data
The malware queries all required libraries from Mozilla-based applications in order to decrypt and extract sensitive information from the SQLite databases. In addition, the attackers are looking for common applications for cryptocurrencies such as wallets and their default locations (such as Exodus, Monero, Jaxx or Binance). At the same time, the malware searches for all wallet.dat files. The cyber criminals collect login data from e-mail users (also from Microsoft Outlook) or data from password managers.
No execution of the malware code for Russian and Ukrainian user languages
In their analysis, Bitdefender Labs experts describe how the RIG Exploit Kit exploits the vulnerability and starts executing the code. The malware sample is wrapped in multiple layers of encryption for better stealth and to make reverse engineering more difficult. Before executing, the Raccoon Stealer identifies the original local user language: if it is Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik or Uzbek, the malware will not run. The analysis also describes the initial communication with the command and control (C&C) server.
More than PDF at Bitdefender.com
About Bitdefender Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de