Raccoon malware comes with fairly basic info stealer functions, much like RedLine, and by itself includes no antivirus evasion. There are also no functions that would complicate analysis of the malware. However, the Raccoon developers do recommend using a third-party crypter.
When it comes to the core functionality, this malware, depending on the configuration enabled by the attacker, can check system settings, capture screenshots, collect basic information such as OS version, IP address and username, and steal passwords and logins from a variety of browsers. On top of that, the stealer can retrieve information from Microsoft Outlook and steal cryptocurrency wallets.
Since Raccoon malware is a fairly standard example of stealer-type malware, its execution process does not stand out. In our analysis case, after the malware made its way onto the infected system (regardless of the delivery method), it downloaded additional modules from the Internet. These modules are mostly DLL dependencies that Raccoon requires to work correctly. After that, the malware began stealing information from browsers and the system and stored the stolen data in an archive file. That file, in turn, was sent to the C2 server, probably the same C&C server on which the sample was built. Note that some versions of the Raccoon malware delete themselves after execution while others do not.
The list of wallets targeted by RedLine stealer includes Armory, AtomicWallet, BitcoinCore, Bytecoin, DashCore, Electrum, Ethereum, LitecoinCore, Monero, Exodus, Zcash, and Jaxx. Targeted VPN clients are ProtonVPN, OpenVPN, and NordVPN.
Update 3 November 2020 - It is known that cyber criminals now use fake Inno Setup installers for TeamViewer to distribute RedLine stealer. Those installers are designed to execute the "wmiprvse.exe" file, which loads a malicious "msi.dll" that contacts the malicious URL hosting the RedLine password stealer malware.
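The loading chain described in this update (wmiprvse.exe pulling in a malicious msi.dll) is something a defender can look for in endpoint image-load telemetry. The following Python is an added example, not code from the original article: it flags records in which wmiprvse.exe loads an msi.dll from outside the Windows system directories, or itself runs from outside them. The log format, its field names and the sample lines are constructed assumptions for the example.

```python
import re

# Constructed sample image-load events in a simplified Sysmon Event ID 7 style.
# These are made-up lines for the example, not telemetry from a real infection.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe ImageLoaded=C:\\Windows\\System32\\msi.dll",
    "Image=C:\\Users\\user\\Downloads\\TeamViewer_Setup\\wmiprvse.exe ImageLoaded=C:\\Users\\user\\Downloads\\TeamViewer_Setup\\msi.dll",
    "Image=C:\\Windows\\System32\\notepad.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
]

# Directories from which the genuine msi.dll (and wmiprvse.exe) are expected to load.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Hypothetical record layout: "Image=<process path> ImageLoaded=<module path>"
EVENT_RE = re.compile(r"Image=(?P<image>.+?) ImageLoaded=(?P<loaded>.+)$")


def parse_event(line):
    """Return (process image path, loaded module path), or None if the line does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return m.group("image"), m.group("loaded")


def basename(path):
    """Lower-cased final path component, e.g. 'msi.dll'."""
    return path.rsplit("\\", 1)[-1].lower()


def is_msi_sideload(image, loaded):
    """True when wmiprvse.exe loads an msi.dll and either file sits outside the system directories."""
    if basename(image) != "wmiprvse.exe" or basename(loaded) != "msi.dll":
        return False
    loaded_ok = loaded.lower().startswith(SYSTEM_DIRS)
    image_ok = image.lower().startswith(SYSTEM_DIRS)
    return not (loaded_ok and image_ok)


def find_sideload_events(lines):
    """Return the suspicious (image, loaded) pairs found in an iterable of event lines."""
    hits = []
    for line in lines:
        parsed = parse_event(line)
        if parsed and is_msi_sideload(*parsed):
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for image, loaded in find_sideload_events(SAMPLE_EVENTS):
        print(f"suspicious msi.dll load: {image} -> {loaded}")
```

Only the second constructed record is reported; the legitimate WmiPrvSE.exe loading msi.dll from System32 is left alone.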
Update 9 November 2021 - Now RedLine stealer poses as LastPass, a legitimate password manager. There is a fake LastPass download page used to distribute an ISO file containing a file that starts the infection chain leading to the injection of the RedLine stealer.
The latest RedLine stealer version has additional capabilities. It collects more general information (such as ZIP code, time zone, city and installed hardware), and scans the system for running processes, installed browsers, FTP connections and other data. It also checks for Discord, VPN, Steam, Telegram and other clients, and for crypto wallets.
Update 16 March 2022 - Threat actors are using YouTube to distribute RedLine stealer. They upload Valorant game videos with a website link in the description. That link supposedly downloads an auto-aiming bot. In reality, it downloads a malicious archive containing an executable designed to infect computers with the RedLine stealer.