Payment Card Skimming Group Deployed Raccoon Infostealer
Researchers: Fraudsters Hit E-Commerce Sites for Payment Credential Theft
The e-commerce websites were targeted by the fraudsters between February and September in four separate campaigns, which delivered the Raccoon infostealer using several tactics, the report notes. The attacks, however, relied mainly on phishing emails carrying malicious documents to spread the malware.
In addition to Raccoon, the report notes, attackers also used another infostealer malware variant called Vidar along with the Ave Maria remote access Trojan, or RAT, to infect the victims.
"Raccoon Stealer collects system information, account data, bank card data and autofill form details from browsers and valid crypto wallets," Group-IB researcher Nikita Rostovcev notes in the report released Monday. "Group-IB experts concluded that the purpose of the campaign in question was to steal payment and user data."
It is unclear how many victims were targeted using these tactics. In the one campaign during September, the fraudsters targeted more than 20 online sites with malware, according to the report.
In the latest campaign tied to FakeSecurity, the fraudsters deployed the Vidar password stealer in the first two waves of the attack but, the Group-IB researchers note, the attackers switched to the Raccoon stealer and the Ave Maria RAT for the second wave, which ran from July to September.
The malware was delivered through phishing pages created using the Mephistopheles phishing kit, an online platform where cybercriminals buy fake web page templates for delivering payloads. The attackers also delivered the malware as malicious Microsoft Excel documents; once enabled by the victim, these documents installed the malware on the victim's device, according to the report.
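Because the Excel lure only fires once its embedded content is enabled, a defender triaging attachments wants to know whether a workbook actually carries VBA before it ever reaches a user. The following is an added example, not code from the report or from Group-IB: it opens an Office Open XML package (which is a zip archive) and checks for a `vbaProject.bin` part and for a macro-enabled content type, rather than trusting the file extension. The sample workbooks it builds in memory are constructed stand-ins with just enough structure to exercise the check; they are not real Excel files.

```python
import io
import zipfile

# OOXML stores VBA in a vbaProject.bin part under the application folder.
VBA_PART_SUFFIX = "vbaproject.bin"
# Content type Excel declares for a macro-enabled workbook (.xlsm).
XLSM_CONTENT_TYPE = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"


def ooxml_macro_report(data: bytes) -> dict:
    """Inspect raw OOXML bytes and report whether the package embeds VBA.

    Returns a dict with:
      is_ooxml  - True if the bytes parse as a zip with a [Content_Types].xml part
      vba_parts - names of any vbaProject.bin parts found
      declares_macro_type - True if [Content_Types].xml advertises a macro-enabled part
      verdict   - "block" when VBA is present, "review" when the content type claims
                  macros but no VBA part is found, "allow" otherwise
    """
    report = {"is_ooxml": False, "vba_parts": [], "declares_macro_type": False, "verdict": "allow"}
    if not data.startswith(b"PK\x03\x04"):
        return report  # not a zip container, so not OOXML; hand to other checks
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return report
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return report

    report["is_ooxml"] = True
    # Match case-insensitively: the part name is what matters, not how it is cased.
    report["vba_parts"] = [n for n in names if n.lower().endswith(VBA_PART_SUFFIX)]
    report["declares_macro_type"] = "macroenabled" in content_types.lower()

    if report["vba_parts"]:
        report["verdict"] = "block"
    elif report["declares_macro_type"]:
        report["verdict"] = "review"
    return report


def build_sample_workbook(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like package in memory (constructed sample, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        workbook_type = XLSM_CONTENT_TYPE if with_macro else \
            "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
        content_types = (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
            f'<Override PartName="/xl/workbook.xml" ContentType="{workbook_type}"/>'
            "</Types>"
        )
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # A real vbaProject.bin is an OLE compound file; the header bytes are enough here.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro workbook", build_sample_workbook(True)),
                        ("plain workbook", build_sample_workbook(False)),
                        ("not ooxml", b"MZ\x90\x00")):
        print(label, "->", ooxml_macro_report(blob))
```

The check deliberately keys on the package contents rather than the `.xlsx`/`.xlsm` extension, since the extension is under the sender's control. A gateway would typically quarantine a "block" verdict and route "review" to an analyst.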
In one of the attacks using the Mephistopheles kit, the hackers spread the payload as an Adobe Reader plug-in update on a phishing page they had created, the report notes.
"The documents-cloud-server[.]co.za domain contains a web fake imitating an Adobe Reader plugin update page," Rostovcev notes in the report. "To continue viewing the document, the user is asked to download a plugin. By clicking on 'Download plugin,' the user activates a malware download."
In addition to malicious documents and the phishing kit, the report notes the attackers also used the instant messaging platform Telegram to deliver Raccoon, as it helped the attackers encrypt the IP addresses connecting to the malware's command-and-control servers, helping them evade blocking of those servers.
Raccoon is a custom malware that was first spotted for sale in Russian underground forums in April 2019. It can be rented for $75 per week or $200 per month, according to the report.
In February, a report by security firm CyberArk found that Raccoon has added new capabilities, giving it the ability to steal data from more than 60 applications (see: 'Raccoon' Infostealer Now Targeting 60 Apps: Report).
Another report, by security firm Cybereason, noted that Raccoon also allows cybercriminals to exfiltrate data from a wide range of cryptocurrency wallets, including Electrum, Ethereum, Exodus and Jaxx. The infostealer can now also target various email clients, such as Thunderbird, Outlook and Foxmail.