New Malware Variant Can Steal Data from Browsers and Cryptocurrency Wallets

May 21, 2020

A Reason Labs research team has discovered a new variant of the Raccoon malware family. Initially discovered back in 2019, the Raccoon malware family is used to steal confidential data and browser information.

According to the Reason Security report, the new variant masquerades itself as legit, known program installers. The new malware sample flew under the AV radar, says the team, and there were only three minimal detections over two weeks ago. In this article, we analyze this new variant, its attack methods, and disguise techniques.

The Raccoon malware family is a Trojan that steals user data from about 60 browsers, as well as credentials from various cryptocurrency wallets and the trojan is capable of taking screenshots from the victim machine and capturing input, explains the team.

The first versions seen, ITW, were written in C++, but a year has gone by and the malware authors have since developed new versions written in Borland Delphi, apparently to make it harder to detect and analyze. The malware comes inside an Inno Setup installer that is responsible for installing both the original program and the malware.

The samples the Reason security team has imitate benign program installers (I.e. Bandicam, Revo Uninstaller) but hide a Trojan inside them, says the team. "The installation of the original programs (which are usually cracked versions of programs that have a paid version, so the user knows the installation is not from the original site) will proceed as usual, so the user will not suspect that something suspicious happened. The execution flow of the Trojan installation is very apparent, with alerting command lines and the execution of PowerShell and VBScript, which should have raised alarm bells in all of the security products. However, for some reason, the samples we caught had only three minimal detections on VirusTotal (and as of May 6th, 2020 even 0 detections!). The samples were uploaded to VT more than two weeks ago," says the report.

According to the report, the malware will disable Windows Defender using PowerShell, use VBS to unpack executables from a password protected zip file contained in the installer, and change the registry to disable the admin approval prompt.

The sophisticated network communication remains the same as it was in the first versions: web requests to Google docs (or GitHub) in order to acquire the malware’s CNC IP address, explains the security team, that way the address is not hardcoded in the sample.

For more information about its attacks methods and disguise techniques, visit https://blog.reasonsecurity.com/2020/05/21/undetect-me-if-you-can/

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

The event will look at the in-car and off-board infrastructure cybersecurity policies, technologies, services, and products that will enable top OEMs and suppliers to strengthen their products’ defenses, mitigation, and resilience.

Security Magazine

2020 August

This month in Security magazine, we examine how physical security leaders are being propelled into a unique position of revenue preservers and risk managers for their businesses. In addition, we profile Scott Ashworth, Director of Security for Atlanta United. Also, security leaders discuss how to develop cybersecurity careers, election security, data protection strategies, measuring and reporting security operations maturity and more!

View More Create Account

New Malware Variant Can Steal Data from Browsers and Cryptocurrency Wallets

Related Articles

Related Events

Report Abusive Comment