Raccoon Stealer is an information stealer malware family active since at least 2019 as a malware-as-a-service offering sold in underground forums. Raccoon Stealer has experienced two periods of activity across two variants, from 2019 to March 2022, then resurfacing in a revised version in June 2022.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1213 | Data from Information Repositories | Raccoon Stealer gathers information from repositories associated with cryptocurrency wallets and the Telegram messaging service.[3] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Raccoon Stealer collects passwords, cookies, and autocomplete information from various popular web browsers.[3] |
| Enterprise | T1005 | Data from Local System | Raccoon Stealer collects data from victim machines based on configuration information received from command and control nodes.[1][3] |
| Enterprise | T1195 | Supply Chain Compromise | Raccoon Stealer has been distributed through cracked software downloads.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Raccoon Stealer uses RC4-encrypted, base64-encoded strings to obfuscate functionality and command and control servers.[1][2] |
| Enterprise | T1113 | Screen Capture | Raccoon Stealer can capture screenshots from victim systems.[1][3] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Raccoon Stealer uses HTTP, and particularly HTTP POST requests, for command and control actions.[1][2][3] |
| Enterprise | T1560 | Archive Collected Data | Raccoon Stealer archives collected system information in a text file, |
| Enterprise | T1083 | File and Directory Discovery | Raccoon Stealer identifies target files and directories for collection based on a configuration file.[1][3] |
| Enterprise | T1012 | Query Registry | Raccoon Stealer queries the Windows Registry to fingerprint the infected host via the |
| Enterprise | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | Raccoon Stealer dynamically links key WinApi functions during execution.[2][3] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Raccoon Stealer uses RC4 encryption for strings and command and control addresses to evade static detection.[1][2][3] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Raccoon Stealer can remove files related to use and installation.[2] |
| Enterprise | T1539 | Steal Web Session Cookie | Raccoon Stealer attempts to steal cookies and related information in browser history.[3] |
| Enterprise | T1614 | System Location Discovery | Raccoon Stealer collects the |
| Enterprise | T1082 | System Information Discovery | Raccoon Stealer gathers information on infected systems such as operating system, processor information, RAM, and display information.[1][3] |
| Enterprise | T1033 | System Owner/User Discovery | Raccoon Stealer gathers information on the infected system owner and user.[1][2][3] |
| Enterprise | T1124 | System Time Discovery | Raccoon Stealer gathers victim machine timezone information.[1][3] |
| Enterprise | T1119 | Automated Collection | Raccoon Stealer collects files and directories from victim systems based on configuration data downloaded from command and control servers.[1][2][3] |
| Enterprise | T1020 | Automated Exfiltration | Raccoon Stealer will automatically collect and exfiltrate data identified in received configuration files from command and control nodes.[1][2][3] |
| Enterprise | T1087.001 | Account Discovery: Local Account | Raccoon Stealer checks the privileges of running processes to determine if the running user is equivalent to |
| Enterprise | T1518 | Software Discovery | Raccoon Stealer is capable of identifying running software on victim machines.[2][3] |
| Enterprise | T1105 | Ingress Tool Transfer | Raccoon Stealer downloads various library files enabling interaction with various data stores and structures to facilitate follow-on information theft.[1][3] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Raccoon Stealer uses existing HTTP-based command and control channels for exfiltration.[1][2][3] |
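The T1140 and T1027.013 rows describe strings that are RC4-encrypted and then base64-encoded. The following analyst helper is an added example, not code from the page or from any Raccoon Stealer sample: it assumes base64 is the outer layer and that the RC4 key has already been recovered from the binary; the key and the sample strings here are constructed for illustration. It decodes a list of candidate strings and flags any that look like command and control URLs, which is the step a triage analyst performs before extracting network indicators.

```python
import base64
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_string(encoded: str, key: bytes) -> str:
    """Reverse the layering: base64-decode first, then RC4-decrypt with the recovered key."""
    return rc4(key, base64.b64decode(encoded)).decode("utf-8", errors="replace")


def encode_string(plaintext: str, key: bytes) -> str:
    """Inverse of decode_string; used only to build constructed samples for this example."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")


URL_RE = re.compile(r"^https?://[^\s/]+(/.*)?$")


def extract_c2_candidates(encoded_strings: list[str], key: bytes) -> list[str]:
    """Decode every string and return those that look like C2 URLs, for indicator extraction."""
    decoded = [decode_string(s, key) for s in encoded_strings]
    return [s for s in decoded if URL_RE.match(s)]


# Constructed sample: the key and strings are invented for this example, not real indicators.
SAMPLE_KEY = b"example-key"
SAMPLE_STRINGS = [
    encode_string(s, SAMPLE_KEY)
    for s in ("wallets\\", "http://c2.example.invalid/gate", "screenshot.jpeg")
]

if __name__ == "__main__":
    for s in SAMPLE_STRINGS:
        print(decode_string(s, SAMPLE_KEY))
    print("C2 candidates:", extract_c2_candidates(SAMPLE_STRINGS, SAMPLE_KEY))
```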