General Explanation
Type: Trojan
Degree of destruction: high
Prevalence: average
What is a Trojan?
Trojans are malware that present themselves as a legitimate and useful tool. The user therefore downloads and installs them, infecting the system without realizing that the program is malicious. After installation, Trojans usually act as a backdoor so that the attacker can remotely access the victim’s system. For instance, the malware analyzed here appears to perform a useful task, but it installs an unwanted application on the system.
What is Racealer malware?
Racealer, also known as Raccoon stealer, is malware that infects the victim’s system in order to steal information such as crypto-currency wallets, browser data, and email client data.
Technical Explanation
Signs of infection
- Downloads an empty file from Google Drive:
hxxps://drive[.]google[.]com/uc?export=download&id=…
- It then connects to the command and control server, sending an HTTP POST request to the server’s IP at the following path:
hxxp://C&C_IP/gate/log.php
- It also sends requests to gate/libs.zip and gate/sqlite3.dll to receive the files it needs for extracting information.
- If the previous steps were not successful, it sends an HTTP POST request to the same IP at:
hxxp://C&C_IP/file_handler/file.php
Introduction of the function:
The goal of this malware is to steal information from the system; it does not seek persistence, so it does not remain on the system and leaves no considerable footprint. The information it steals is data stored in browsers, email clients, and crypto-currency wallets.

This malware uses Google services such as Google Drive to reach its command and control server and learn its IP. First, a part of its header obtains the command and control server IP by sending a request to a Google Drive link and decrypting the response; the server is usually hidden behind Google services. To evade detection, the operators change these links and IPs immediately so that they differ for every attack. The malware then sends general information about the victim, such as the botID and system information, to the obtained IP at the gate/log.php path. Next, it retrieves the files it needs to extract information from the system (for example from browsers) by connecting to the gate/sqlite3.dll and gate/libs.zip addresses. Finally, it sends the stolen information to hxxp://C&C_IP/file_handler/file.php.

The distribution method of this malware is usually post-exploitation: for instance, attackers run it on the victim’s system using exploit kits and existing vulnerabilities in browsers. In some cases, they also distribute the malware by phishing or social engineering.
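As an added example (not part of the original write-up), the following Python script runs the request-path indicators described above over a constructed proxy log and reports, per client, which stages of the Racealer/Raccoon traffic sequence were observed. The log format, the client addresses and the 203.0.113.10 / 198.51.100.4 C2 addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
# Request paths the write-up attributes to Racealer/Raccoon C2 traffic, keyed by stage.
STAGES = {
    "beacon": ("POST", "/gate/log.php"),           # botID + system info
    "libs":   ("GET",  "/gate/libs.zip"),          # helper files
    "sqlite": ("GET",  "/gate/sqlite3.dll"),       # browser DB reader
    "exfil":  ("POST", "/file_handler/file.php"),  # stolen data upload
}
# Constructed sample proxy log (timestamp client method url status); not real telemetry.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z 10.0.0.5 GET http://drive.google.com/uc?export=download&id=EXAMPLE 200
2021-03-01T10:00:03Z 10.0.0.5 POST http://203.0.113.10/gate/log.php 200
2021-03-01T10:00:04Z 10.0.0.5 GET http://203.0.113.10/gate/libs.zip 200
2021-03-01T10:00:04Z 10.0.0.5 GET http://203.0.113.10/gate/sqlite3.dll 200
2021-03-01T10:00:09Z 10.0.0.5 POST http://203.0.113.10/file_handler/file.php 200
2021-03-01T10:01:02Z 10.0.0.7 POST http://198.51.100.4/gate/log.php 404
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def parse_line(line):
    """Split one log line into fields; the query string is dropped before path matching."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    host, _, path = url.split("://", 1)[-1].partition("/")
    return {"ts": ts, "client": client, "method": method, "host": host,
            "path": "/" + path.split("?", 1)[0], "status": int(status)}

def detect_raccoon(log_text):
    """Return {client: {host: set(stages)}} for traffic hitting a known C2 path."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():  # status codes ignored: a failed beacon still marks an infected client
        rec = parse_line(line)
        if rec is None:
            continue
        for stage, (method, path) in STAGES.items():
            if rec["method"] == method and rec["path"] == path:
                seen[rec["client"]][rec["host"]].add(stage)
    return {client: dict(hosts) for client, hosts in seen.items()}

def severity(stages):
    """Exfil to file_handler/file.php means stolen data likely left the host."""
    if "exfil" in stages:
        return "high"
    if "beacon" in stages and stages & {"libs", "sqlite"}:
        return "medium"
    return "low"
```

The Google Drive fetch is deliberately not treated as an indicator on its own, since the link changes per attack and the host is shared with legitimate traffic; the C2 request paths are the stable part of the sequence.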
Stolen information by Racealer malware:
- Information stored in all browsers, such as account names and saved passwords
- Crypto-currency wallet data
- Email client data, such as Thunderbird and Outlook
How to deal with it and disinfect the system
To make sure the system is safe, install Padvish antivirus, keep its database file up to date, and scan the system. Padvish IPS detects OS vulnerabilities and secures the system against this kind of attack. To prevent this kind of malware from entering the system, avoid clicking on suspicious links and scan email attachments with an anti-virus. Also, always keep your OS, anti-virus, and browsers up to date, and if possible stop using Internet Explorer, especially older versions, because these browsers have many vulnerabilities.