Security researchers have revealed that attackers have been using a large and resilient infrastructure to distribute two prominent info-stealers, Raccoon and Vidar, possibly since early 2020. Most of the infection chains leverage search engines to surface SEO-poisoned fake websites.
Attack infrastructure and tactics
According to SEKOIA researchers, this infrastructure lures victims with hundreds of SEO-poisoned websites advertising fake cracked software alongside legitimate-looking information.
These websites contain dozens of URLs redirecting to other pages of the same site, as well as to legitimate websites or other platforms.
Several download buttons are displayed on the webpage; clicking any of them redirects the victim to another webpage.
The final webpage presents instructions, a non-clickable Cutt.ly shortened link, and a password. Browsing to this link redirects the victim to the download page of an archive hosted on the legitimate file-sharing platform GitHub.
Experts further disclosed that the redirection chain uses multiple URLs to complicate analysis, avoid detection, and keep the infrastructure stealthy.
Malware distribution
The SEO poisoning tactic bounces victims through several links before the final payload, hosted on file-sharing platforms including GitHub, is downloaded.
Researchers found the majority of the payload samples hosted on GitHub belong to Raccoon and Vidar.
Both info-stealers are equipped to siphon a wide range of personal information from compromised machines, harvest credentials from web browsers, and steal data from various cryptocurrency wallets.
It is suspected that this attack infrastructure runs a Traffic Distribution System (TDS) that allows operators to distribute stealer builds. Other cybercriminals can also rent this infrastructure to distribute their own malware.
Defense evasion techniques
Experts found that the intrusion sets implement defense evasion techniques to increase the chances of successfully compromising a target system while making detection arduous.
Attackers used a dozen accounts to store the malicious payloads on GitHub. All the payloads are compressed in password-protected RAR archives.
The payloads avoid execution in virtual environments, such as sandboxes or virtual machines, and complicate static analysis.
Additionally, the executables are padded with zero bytes to inflate them to a large size (more than 400MB), which most analysis tools refuse to accept.
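The zero-byte inflation described above is itself a triage signal: a legitimate executable carries only modest alignment padding, whereas a sample inflated past the limits of analysis tools ends in a very long run of 0x00 bytes. The following Python script is an added illustration written for this article, not code from SEKOIA or from the campaign; it measures the trailing null run and the overall share of null bytes, streaming the file so that a 400MB sample is never held in memory at once. The thresholds and the sample bytes it builds are assumptions for demonstration.

```python
"""Heuristic check for executables inflated with null-byte padding.

Constructed example for this article (not SEKOIA's code). The report says
the stealer executables are padded with zero bytes past 400 MB so that
analysis tools reject them. A defender can turn that trait into a triage
signal by measuring how much of a file is a trailing run of 0x00 bytes.
The thresholds below are assumed values chosen for illustration.
"""
from dataclasses import dataclass

CHUNK = 1 << 20  # 1 MiB read size when streaming a file


@dataclass
class PaddingReport:
    size: int            # total bytes examined
    trailing_zeros: int  # length of the 0x00 run at the end of the file
    zero_bytes: int      # total count of 0x00 bytes anywhere in the file

    @property
    def trailing_fraction(self) -> float:
        return self.trailing_zeros / self.size if self.size else 0.0

    @property
    def zero_fraction(self) -> float:
        return self.zero_bytes / self.size if self.size else 0.0


def trailing_zero_run(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the end of data."""
    return len(data) - len(data.rstrip(b"\x00"))


def analyse_bytes(data: bytes) -> PaddingReport:
    """Report on an in-memory blob (small samples, unit tests)."""
    return PaddingReport(len(data), trailing_zero_run(data), data.count(0))


def analyse_file(path: str) -> PaddingReport:
    """Stream a file so a 400 MB sample is never loaded into memory at once."""
    size = trailing = zeros = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            size += len(chunk)
            zeros += chunk.count(0)
            run = trailing_zero_run(chunk)
            # A run covering the whole chunk extends the run carried over
            # from earlier chunks; anything shorter restarts the count.
            trailing = trailing + run if run == len(chunk) else run
    return PaddingReport(size, trailing, zeros)


def is_suspiciously_padded(report: PaddingReport,
                           min_trailing: int = 50 * 1024 * 1024,
                           min_fraction: float = 0.8) -> bool:
    """Flag when a large absolute run of trailing zeros makes up most of the file.

    Defaults (50 MiB run, 80 % of the file) are assumed values; a real PE has
    section-alignment padding but nothing on this scale.
    """
    return (report.trailing_zeros >= min_trailing
            and report.trailing_fraction >= min_fraction)


def make_samples(pad_bytes: int = 1 << 16):
    """Constructed stand-ins: a 4 KiB pseudo-binary and the same bytes
    followed by pad_bytes zeros, mimicking the inflation technique."""
    body = b"MZ" + bytes(range(256)) * 16  # deterministic, ends in 0xFF
    return body, body + b"\x00" * pad_bytes


if __name__ == "__main__":
    clean, padded = make_samples()
    for name, blob in (("clean", clean), ("padded", padded)):
        r = analyse_bytes(blob)
        print(f"{name}: {r.size} bytes, trailing zeros {r.trailing_zeros} "
              f"({r.trailing_fraction:.1%}), "
              f"flagged={is_suspiciously_padded(r, min_trailing=1 << 15)}")
```

In practice the report values are best logged alongside the file hash and size so that an oversized, mostly-null sample can be queued for a tool that tolerates large inputs, rather than silently dropped by the size limit the padding is designed to trip.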
Wrapping up
Vidar and Raccoon are sold as Malware-as-a-Service (MaaS), and the use of a TDS in the latest campaign indicates that the intrusion set will surely continue to leverage it in the near future to distribute malicious payloads. The campaign also highlights the risks of downloading cracked software. Users are therefore advised to refrain from downloading pirated software from third-party sites, even those listed on Google, and to enforce MFA wherever possible to strengthen account security.