The RecordBreaker info-stealer, also referred to as Raccoon Stealer V2, has been observed in a new attack campaign targeting Korean users. The malware, which is often distributed disguised as the download of illegal programs such as cracks and keygens, was hidden this time inside fake certificates from a Korean software company.
Researchers at ASEC came across the new campaign while investigating different fake versions of information and certificates imitating famous software.
More in detail
Researchers discovered six samples of fake certificates and information from the company between April 27 and May 1.
These samples were distributed as a file named ‘PassKey_55551-CompleteFileT1.rar’ hosted on a website.
This archive contained a ‘Read.me.txt’ file along with a password-protected archive, ‘FullSetup.rar’, which led to the download of the malware.
Once RecordBreaker Stealer is executed, sensitive information saved on the users’ PC is collected and sent to a C2 server controlled by attackers.
During that period, the C2 server also installed the ClipBanker malware on infected systems.
ClipBanker can replace a cryptocurrency wallet address in the clipboard with one belonging to the threat actor.
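The clipboard substitution described above can be watched for on the endpoint side. The following is an added example (not code from the original article or from ASEC) of a detection heuristic over a history of clipboard snapshots: a wallet address that turns into a different address of the same currency within a few seconds is flagged, since a user rarely does that but a clipper does it as soon as it sees an address. The address patterns, the time window, the `Snapshot` type and the sample history are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Coarse address patterns for the example (Bitcoin legacy/P2SH, Bitcoin
# bech32, Ethereum). They check shape only, not checksums; an assumption for
# illustration, not an exhaustive list of currencies.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_type(text: str) -> Optional[str]:
    """Return the currency label if the text looks like a wallet address."""
    t = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(t):
            return name
    return None

@dataclass
class Snapshot:
    ts: float   # seconds since the monitor started
    text: str   # clipboard contents observed at that moment

def detect_swaps(snapshots: List[Snapshot], window: float = 5.0) -> List[dict]:
    """Flag a wallet address that is replaced by a different address of the
    same currency within `window` seconds. The window is an assumption to
    tune; legitimate back-to-back copies of two addresses are rare."""
    alerts = []
    prev: Optional[Snapshot] = None
    for snap in snapshots:
        cur_type = address_type(snap.text)
        if prev is not None and cur_type is not None:
            if (address_type(prev.text) == cur_type
                    and prev.text.strip() != snap.text.strip()
                    and snap.ts - prev.ts <= window):
                alerts.append({
                    "currency": cur_type,
                    "original": prev.text.strip(),
                    "replacement": snap.text.strip(),
                    "seconds_after_copy": snap.ts - prev.ts,
                })
        prev = snap
    return alerts

# Constructed clipboard history with fake addresses (not from any real incident).
SAMPLE_HISTORY = [
    Snapshot(0.0, "1ABCDEFabcdefghjkmnpqrs123456789"),   # user copies a BTC address
    Snapshot(0.4, "1ZYXWVUzyxwvutsrqpnmkjh987654321"),   # silently replaced 400 ms later
    Snapshot(10.0, "meeting notes for tuesday"),         # ordinary text
    Snapshot(11.0, "0x" + "a" * 40),                     # user copies an ETH address
    Snapshot(60.0, "0x" + "b" * 40),                     # different address, well outside the window
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_HISTORY):
        print(alert)
```

In a real deployment the snapshots would come from a clipboard-change hook; the pure function keeps the logic testable offline. A stricter variant would also correlate the change with the absence of a user copy keystroke, which this example does not model.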
The malware itself is small, but the criminals inflated the file by padding it with extraneous data.
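Size inflation of this kind leaves a measurable trace: the real code occupies a small, varied region and the rest of the file is low-entropy filler. As an added example (not the article's or ASEC's code), the script below scans a file in fixed-size chunks, computes per-chunk Shannon entropy, reports what fraction is filler and where a trailing filler run begins, and gives a heuristic verdict. The chunk size, entropy cut-off, size and ratio thresholds are assumptions to tune, and the two sample files are constructed stand-ins (random bytes plus zero padding), not real malware.

```python
import math
import random
from collections import Counter
from typing import Dict, Optional

CHUNK = 4096  # scan granularity in bytes (assumption)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def padding_profile(data: bytes, chunk: int = CHUNK, low: float = 1.0) -> Dict:
    """Walk the file in fixed-size chunks and measure how much of it is
    low-entropy filler. Also reports the offset where a trailing filler run
    begins, or None if the file does not end in filler."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    entropies = [shannon_entropy(c) for c in chunks]
    low_count = sum(1 for e in entropies if e < low)
    # Walk back from the end to find where the trailing filler starts.
    idx = len(entropies)
    while idx > 0 and entropies[idx - 1] < low:
        idx -= 1
    trailing_offset: Optional[int] = idx * chunk if idx < len(entropies) else None
    return {
        "size": len(data),
        "chunks": len(chunks),
        "low_entropy_chunks": low_count,
        "filler_ratio": low_count / len(chunks) if chunks else 0.0,
        "trailing_filler_offset": trailing_offset,
    }

def looks_inflated(data: bytes, min_size: int = 1_000_000, min_ratio: float = 0.5) -> bool:
    """Verdict: a large file whose chunks are mostly filler deserves a closer
    look. Both thresholds are assumptions to tune against your own samples."""
    profile = padding_profile(data)
    return profile["size"] >= min_size and profile["filler_ratio"] >= min_ratio

def build_samples():
    """Constructed stand-ins, not real malware: a 64 KiB 'payload' of random
    bytes padded with 3 MiB of zero bytes, and a file of the same size that
    is random throughout."""
    rng = random.Random(1234)  # fixed seed keeps the example deterministic
    payload = rng.randbytes(64 * 1024)
    inflated = payload + b"\x00" * (3 * 1024 * 1024)
    normal = rng.randbytes(len(inflated))
    return inflated, normal

if __name__ == "__main__":
    for name, blob in zip(("inflated", "normal"), build_samples()):
        verdict = "inflated" if looks_inflated(blob) else "ok"
        print(name, padding_profile(blob), verdict)
```

The trailing-offset value is useful for triage: truncating the file there often yields the original sample. The heuristic only catches low-entropy padding; filler made of random bytes, or filler spread between code regions rather than appended, needs a different check, such as comparing the file size against the sizes declared in the executable's headers.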
Previous distribution cases
RecordBreaker Stealer came into the spotlight in June 2022 after the Raccoon Stealer operators were forced to shut down their operation, following the death of a lead developer in the Russia-Ukraine war. Since then, the malware has been observed in several campaigns.
In two incidents, hacked YouTube accounts were leveraged to distribute the malware. The compromised channels lured users with fake links pretending to be cracks, serial keygens, and installers of commercial software.
Conclusion
Caution is advised to online users as threat actors are attempting various methods to deceive users. Do not download pirated or cracked software from unverified sites. Double-check the legitimacy of the website before downloading the software. It is also recommended to keep your devices secured using a reputable antivirus and internet security software package.