Payment Card Skimmer Group Using Raccoon Info Stealer to Siphon Off Stolen Data
A criminal group launched a multi-stage campaign earlier this year targeting e-commerce sites. The attack stole payment and user data using password-stealing malware. In February the group began using the Vidar password stealer but then switched to the Raccoon stealer to intercept passwords. The campaign ran from February to September, with the operators relying on specially crafted phishing pages and lure documents laced with malicious macros to download the Raccoon information stealer onto victim systems. Raccoon is sold on dark web forums for about $200 a month and comes with 24×7 customer support through the Telegram messenger for the criminals who lease it. Raccoon has a wide range of capabilities and communicates with a command-and-control (C2) server, also via Telegram, to siphon off stolen data.
Protect against malware attacks by constructing a pre-incident preparation strategy that includes backups, asset management and the restriction of user privileges. Implement detection measures by deploying behavioral-anomaly-based detection technologies to identify attacks. To detect the Raccoon info stealer in corporate IT environments, look for unusual outbound connections to Telegram servers from processes other than the Telegram messenger. Better yet, if Telegram is not approved software for enterprise workstations, treat any connection to Telegram servers as a security event and investigate it. Build post-incident response procedures by training staff and scheduling regular drills.
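The detection rule above, as an added example (not code from the original write-up): it runs over constructed JSON-per-line network-connection events and flags Telegram-bound connections either from any process not on an allowlist (Telegram approved) or from any process at all (Telegram not approved). The hostnames in TELEGRAM_DOMAINS, the process allowlist and the event field names are assumptions for this example.

```python
import json
from typing import Optional

# Assumed Telegram hostnames (not taken from the page; vet against current data).
TELEGRAM_DOMAINS = ("telegram.org", "telegram.me", "t.me")
# Process images allowed to reach Telegram when the messenger is approved.
APPROVED_TELEGRAM_PROCESSES = {"telegram.exe"}

def is_telegram_host(host: str) -> bool:
    """Exact or subdomain match; 'telegram.org.attacker.example' must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TELEGRAM_DOMAINS)

def evaluate(event: dict, telegram_approved: bool) -> Optional[dict]:
    """Apply the rule to one connection event. With telegram_approved=False
    any Telegram-bound connection is an alert (the stricter stance)."""
    host = event.get("dest_host", "")
    if not is_telegram_host(host):
        return None
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if not telegram_approved:
        return {"process": image, "host": host, "reason": "Telegram traffic where Telegram is not approved"}
    if image not in APPROVED_TELEGRAM_PROCESSES:
        return {"process": image, "host": host, "reason": "Telegram traffic from a non-Telegram process"}
    return None

def scan(log_lines, telegram_approved: bool = True) -> list:
    """Run evaluate() over JSON-per-line connection events, skipping malformed lines."""
    alerts = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = evaluate(event, telegram_approved)
        if alert is not None:
            alerts.append(alert)
    return alerts

# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_LOG = [
    r'{"image": "C:\\Program Files\\Telegram Desktop\\Telegram.exe", "dest_host": "api.telegram.org"}',
    r'{"image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "dest_host": "api.telegram.org"}',
    r'{"image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "dest_host": "www.example.com"}',
    "not json at all",
    r'{"image": "C:\\Users\\alice\\Downloads\\tool.exe", "dest_host": "telegram.org.attacker.example"}',
]
```

Calling scan(SAMPLE_LOG) flags only the Temp\update.exe connection; scan(SAMPLE_LOG, telegram_approved=False) also flags the Telegram client itself, while the look-alike domain on the last line is never matched.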