The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Fake Cracked Software Sites Delivering Stealers

Jan 24, 2023 11:02:41 AM / by PolySwarm Tech Team

FakeCrackedRelated Families: Raccoon, Vidar

Executive Summary

Sekoia recently reported on a campaign leveraging fake cracked software sites to deliver information stealers, including Raccoon and Vidar.

Key Takeaways

  • A campaign active since 2020 leveraged fake cracked software sites to deliver Vidar and Raccoon.
  • The infection chain uses SEO-poisoned websites and multiple redirects to eventually point the victim to the malicious payload hosted on GitHub.
  • Raccoon and Vidar are infostealers, allowing threat actors to steal multiple types of information, including login credentials, payment information, cryptocurrency wallets, and browser history.

The Campaign

Sekoia recently reported on a campaign leveraging fake cracked software to deliver information stealers, including Raccoon and Vidar. Researchers at Sekoia estimated activity leveraging the involved infrastructure has been ongoing since early 2020. The threat actors used over 250 domains and around 100 fake cracked software websites that ultimately led to a payload hosted on the file-sharing platform GitHub. The threat actors responsible for the infrastructure may be running a Traffic Distribution System.

The infection chain begins with SEO-poisoned websites advertising cracked software. The sites typically have information on the cracked software being advertised, along with a download link. When a user clicks the download button, a new window opens with a series of redirects, ultimately leading to a web page with download instructions, a shortened link, and a password. When users browse the link, they are redirected to an archive download hosted on GitHub. When the victim decompresses the archive and attempts to launch Setup.exe, the payload is delivered. Both Raccoon and Vidar infostealers were observed as final payloads.

What is Raccoon?

Raccoon infostealer, also known as Racealer or Mohazo, is a relatively unsophisticated malware as a service (MaaS) written in C/C++ and targeting Windows systems. It was first seen in the wild in late 2019. Raccoon is often used to steal login credentials, credit card information, cryptocurrency wallets, and browser information. In 2021, the threat actors behind Raccoon announced an additional module called Racoon Clipper in underground forums. Racoon Clipper is available as an add-on and targets Bitcoin, Dogecoin, Ethereum, Litecoin, and Monero cryptocurrency wallets.

What is Vidar?

Vidar, a variant of Arkei written in C++, is an infostealer that employs password grabbing. It has been active since late 2018. Vidar steals browser autofill information, cookies, saved payment information, browser history, coin wallets, and Telegram databases. It can also take screenshots. In late 2022, a new Vidar spin-off named RisePro was discovered.

IOCs

PolySwarm has multiple samples of Raccoon and Vidar.

Raccoon
:

2eff49471863d1d27df102dd4712c67687e76a309de89314e9cbfbb3a69aedbb

0d36b0ef26bbad4c6c0e7ad54cfbc4c54620ae0c75abdb1e81ce9680b3bb5dcd

e2727341a73bf1324e5fc78bb7513d1b48a51e5c0b9e70ada664d889e84d4cbe

318469d521d6bad34f35be1f5ebc254f5c54b2e7c07ab19ec7d2fccd04ebdafd

44bba3b778cc8b940a5707af0eb90f1727039a7fafd016d6aea725dbc3eafbe1

f770a06758360ec2181def9cb23a8254691f798a02dda813a09a2dd6caad818e

5b952bf985fd96067d53c27f6b7322b16da25f3e71e6a2bda1a6dcb51dd72c6c

b73552d4bc598b11f72051952d02e23d7d71f20f6f62be436d96b62058c8df5a

d78277798307b83a9a1c0d695abec585b290fe1fe69556f62e6bec7e1ba37e26

d9fb8866d5c2830688dea9c54836c05b71b9ea9b532aef18f4353927f28eef03


Vidar

1a3fc257581b51d9fdb30d6c9e708c47726352b3e8b75ece8e31ff1bb0d47be9

9a2232a4a9ceef2c3fcfee0acca71d5717395aff8abd1b6b26aa3a5c266b3fae

ba04acb31d2bef27b31bab6f5cf171012ed46090bc4949c1606a8535e1ea26c6

3458224c4b9276de9558b7f3810c3c3a0684af4173fccf6a7c0b4b7a848d5170

b44ef76e040991b1dbd2f40c9a4aebb8cb3288f1ef744b92ee8090acad6ff629

8211ffa22a40ceb40b8aaa8102064550624b4d3977a6232c2b9bfaae4fdb071a

cc78faac454ef399815fcec3c8f9dd4fbd0548fa747618ca6a58f0a6b787d32b

202958b751ac1521ae13e0baec5e3ebd9908758c19d79f05c1fd6f3407007618

363bc1e5872e24c7abf6ad2ff4d92aba0a348d541a000147d0d292592d955775

ecc995d54218cfe6d2c3d060e92911381db65b4083394d223a3b49f3fa90aa45


You can use the following CLI command to search for all Raccoon samples in our portal:

$ polyswarm link list -f Raccoon


You can use the following CLI command to search for all Vidar samples in our portal:

$ polyswarm link list -f Vidar


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports


Topics: Threat Bulletin, Stealer, Infostealer, Racoon

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts