As cyber-criminals devise new ways to distribute malware, the credential-stealing trash panda is exploiting the Telegram chat app to store and update C2 addresses.
A credential stealer that originally gained popularity a couple of years ago is now exploiting Telegram for command-and-control (C2) purposes. According to researchers, a range of cybercriminals are continuing to broaden their reach by using novel distribution methods like this.
According to a blog post released by Avast Threat Labs this week, Raccoon Stealer, which first appeared on the scene in April 2019, has added the ability to store and update its actual C2 addresses on Telegram’s infrastructure. The researchers said that this provides the operators with a “convenient and reliable” command centre on the platform that they can update on the fly.
The malware, which is believed to have been built and maintained by Russian-affiliated cybercriminals, is primarily a credential stealer, but it is also capable of a variety of other nefarious activities. Based on commands from its C2, it can steal not just passwords but also cookies, saved logins and form data from browsers, login credentials from email clients and messengers, files from crypto wallets, data from browser plugins and extensions, and arbitrary files.
Avast Threat Labs researcher Vladimir Martyanov wrote in the post: “In addition, it’s able to download and execute arbitrary files by command from its C2.”
“This, in combination with active development and promotion on underground forums, makes Raccoon Stealer ‘prevalent and dangerous.’”
Cybercriminals quickly adopted the malware upon its release in 2019 because of its user-friendly Malware-as-a-Service (MaaS) model, which provided them with a quick and easy way to make money by stealing sensitive data.