
Raccoon Malware Kill Chain Added to BreakingPoint Attack Campaigns

2020-10-27  |  6 min read 

By Kang-Wei Chang  |  Keysight’s Application and Threat Intelligence (ATI) research team released a new type of cyber-attack campaign this month. BreakingPoint Attack Campaigns are a group of attacks called Strikes that, when executed in the correct sequence, represent part of a real-world attack kill chain. Read these blogs for more information on Attack Campaigns:

The latest StrikePack, or collection of Strikes, from BreakingPoint’s ATI team, labeled ATI-2020-18, includes a new attack campaign named: Raccoon September 2020 Campaign.

According to CyberArk, Raccoon malware has been used in attacks since 2019. Raccoon is designed to attack individual users and exfiltrate specific user information, including host, browser, and other sensitive data. To help our customers recognize and stop these attacks, we have increased our coverage by adding them to our threat intelligence library.

The campaign simulates the malicious network communication observed when the malware is retrieved and when it calls back to the command and control (C&C) server after execution. It reproduces the malicious behavior captured by ATI researchers in the wild and includes 6 strikes, as shown in the following image.


Figure 1: Raccoon September 2020 campaign

The first strike, M20-s1q01, simulates the network-visible actions that occur when a user clicks a malicious link and triggers the malware download. The strike performs an HTTP GET request, resulting in the download of the Raccoon malware over HTTP.

The second strike, B20-38801, simulates the network-visible actions that occur when a user opens the malicious executable file. The victim issues an HTTPS GET request, and the attacker replies with an HTTP 200 OK server response carrying the decryption key data, as shown below.


Figure 2: Decryption key retrieval

The third strike, B20-ufh01, simulates another network-visible action that occurs when a user opens the malicious executable file. The victim issues an HTTP POST request whose Base64-encoded body includes a bot_id, a config_id, and other information, shown in the figure below. The attacker replies with an HTTP 200 OK server response containing the URL of the additional file to download.


Figure 3: POST request with bot_id and config_id


Figure 4: Attacker reply with the URL of the additional file to download

The fourth and fifth strikes, M20-5sr01 and M20-0pm01, simulate the network-visible actions that occur after a user has opened the malicious executable file. Each strike performs an HTTP GET request, resulting in the download of sqlite3.dll and libs.zip respectively over HTTP.

The sixth strike, B20-2e301, simulates the network-visible actions that occur once the additional sqlite3.dll and libs.zip files have been downloaded. The victim issues an HTTP POST request containing a zipped text file that includes the hostname, username, and sensitive information such as cookies and passwords. The attacker replies with an HTTP 200 OK server response.

The following image is the unzipped text file exfiltrated by the Raccoon malware. Here we can see detailed host information and credential files.


Figure 5: Detail of the data that has been exfiltrated by the Raccoon malware
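As an added example (not code from this post, from BreakingPoint, or from the ATI team), the following Python correlates the stages described above across a constructed proxy log, per client host, so a defender can see the check-in, the follow-on downloads and the zipped POST as one sequence rather than three unrelated requests. The log layout, the hostnames and the `bot_id=…&config_id=…` body format are assumptions; the post only states that those fields are carried Base64-encoded.

```python
import base64
from collections import defaultdict

# Constructed sample values (not from the original post or from real traffic).
CHECKIN_BODY = base64.b64encode(b"bot_id=AAAA&config_id=BBBB").decode()
ZIP_MAGIC = b"PK\x03\x04"   # local-file header that starts every zip archive

# Constructed proxy-log records: (client_ip, method, url, request_body_as_logged).
SAMPLE_LOG = [
    ("10.0.0.5", "GET",  "http://c2.example.invalid/dl/update.exe", ""),
    ("10.0.0.5", "GET",  "https://c2.example.invalid/key", ""),
    ("10.0.0.5", "POST", "http://c2.example.invalid/gate", CHECKIN_BODY),
    ("10.0.0.5", "GET",  "http://c2.example.invalid/sqlite3.dll", ""),
    ("10.0.0.5", "GET",  "http://c2.example.invalid/libs.zip", ""),
    ("10.0.0.5", "POST", "http://c2.example.invalid/gate", "UEsDBBQA"),  # Base64 of a zip header
    ("10.0.0.9", "GET",  "http://cdn.example.invalid/sqlite3.dll", ""),  # lone download, no chain
]

def decode_b64(text):
    """Strictly decode a Base64 body; anything that is not valid Base64 yields b''."""
    try:
        return base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return b""

def classify(method, url, body):
    """Map one request to the Raccoon stage it resembles, or None (strikes 1-2 look like plain GETs)."""
    decoded = decode_b64(body) if body else b""
    if method == "POST" and b"bot_id" in decoded and b"config_id" in decoded:
        return "checkin"       # B20-ufh01: Base64 POST carrying bot_id and config_id
    if method == "POST" and decoded.startswith(ZIP_MAGIC):
        return "exfil"         # B20-2e301: zipped text file POSTed to the C&C
    if method == "GET" and url.lower().endswith(("sqlite3.dll", "libs.zip")):
        return "support_dl"    # M20-5sr01 / M20-0pm01: follow-on component downloads
    return None

def stage_sequence(log):
    """Per client, the distinct stages in the order they were first observed."""
    seen = defaultdict(list)
    for client, method, url, body in log:
        stage = classify(method, url, body)
        if stage and stage not in seen[client]:
            seen[client].append(stage)
    return dict(seen)

def flag_kill_chain(log):
    """Clients whose stages appear in the order the campaign describes."""
    expected = ["checkin", "support_dl", "exfil"]
    return {c: s for c, s in stage_sequence(log).items() if s == expected}
```

A single sqlite3.dll download on its own is not flagged; only a host that also performed the Base64 check-in and the zipped POST matches the full chain.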

Summary

Malware can hide in many kinds of files including emails and documents. All it takes is a single click to allow malware infection, file encryption, or data exfiltration to compromise the targeted system. In this blog post, we described in detail what we observed from a September 2020 sample of the Raccoon malware. Once executed, sensitive information will be exfiltrated from the victim’s machine.

Beyond the technical details that were observed from this sample of Raccoon, there lies a much wider range of damaging effects to consider from a business standpoint. The potentially stolen property and sensitive information disclosure can lead to even further attacks from this malicious actor.

The ATI research team continually delivers valuable, timely content of this nature in every release. As these threats emerge, we will continue vigilance in researching the threat and re-creating how it operates so that our customers are better prepared to recognize it in the future.

Leverage Subscription Service to Stay Ahead of Attacks

Keysight's Application and Threat Intelligence (ATI) Subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Ixia test platforms. The ATI Research Center continuously monitors threats as they appear in the wild. Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security controls' ability to detect or block such attacks.