
Raccoon Stealer Crawls Into Telegram
2022-03-11 15:03

Early on, attackers were seen delivering Raccoon Stealer via an.

"Taking into account that Raccoon Stealer is for sale, its distribution techniques are limited only by the imagination of the end buyers," he wrote.

In addition to being spread by two loaders, Buer Loader and GCleaner, Raccoon Stealer is also being distributed via fake game cheats, patches for cracked software (including hacks and mods for Fortnite, Valorant and NBA2K22) and other software, Martyanov wrote.

The report detailed how the latest version of Raccoon Stealer reaches its C2 through Telegram: four "crucial" values for C2 communication are hardcoded in every Raccoon Stealer sample, according to the post.

To use Telegram for its C2 lookup, the malware first decrypts MAIN KEY, which it then uses to decrypt the Telegram gate URLs and the BotID. The stealer then queries the Telegram gate to reach its real C2: a chain of requests lets it use Telegram's infrastructure to store and update the actual C2 addresses, Martyanov wrote.
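The chain Martyanov describes is a dead-drop resolver: the binary carries no C2 address, only an encrypted pointer to a public Telegram page that the operators can edit to rotate C2 servers without rebuilding samples. The Python below is an added illustrative model of that pattern, not Raccoon Stealer's code and not Avast's analysis tooling. The RC4 cipher, the BUILD_KEY stage key that unlocks MAIN KEY, the blob markers, the channel URL, the BotID and the TEST-NET C2 addresses are all assumptions constructed for the example, and fetch() serves a constructed page instead of performing an HTTP request.

```python
"""
Illustrative model of a Telegram dead-drop C2 resolver (constructed example,
not Raccoon Stealer's code). The sample stores only encrypted values; the
real C2 lives in a public channel page and is resolved at run time.
"""
import re

# All of the following are invented for the example.
BUILD_KEY = b"build-key-0xdeadbeef"            # hypothetical key that unlocks MAIN KEY
MAIN_KEY = b"main-key-example-001"             # hypothetical MAIN KEY
GATE_URL = "https://t.me/example_gate_channel" # constructed Telegram gate URL
BOT_ID = "a1b2c3d4e5f6"                        # constructed BotID
C2_URL = "http://203.0.113.7/"                 # constructed C2 (TEST-NET-3 address)
MARK_START, MARK_END = "^^", "$$"              # hypothetical markers around the blob


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_sample_config() -> dict:
    """Operator side: the values that would be hardcoded into a build.
    Only ciphertext is stored; MAIN KEY is itself encrypted under BUILD_KEY."""
    return {
        "main_key": rc4(BUILD_KEY, MAIN_KEY).hex(),
        "gate_url": rc4(MAIN_KEY, GATE_URL.encode()).hex(),
        "bot_id": rc4(MAIN_KEY, BOT_ID.encode()).hex(),
    }


def build_gate_page(c2_url: str = C2_URL) -> str:
    """Operator side: the public channel page acting as the dead drop. The C2 is
    RC4-encrypted, hex-encoded and wrapped in markers inside the description,
    so rotating the C2 means editing the page, not rebuilding the sample."""
    blob = rc4(MAIN_KEY, c2_url.encode()).hex()
    return (
        "<html><body>"
        f'<div class="description">{MARK_START}{blob}{MARK_END}</div>'
        "</body></html>"
    )


def fetch(url: str) -> str:
    """Stand-in for an HTTP GET that serves the constructed page offline."""
    pages = {GATE_URL: build_gate_page()}
    return pages[url]


def resolve_c2(config: dict, fetch=fetch) -> dict:
    """Implant side: the resolution chain described in the article.
    1. decrypt MAIN KEY; 2. decrypt gate URL and BotID with it;
    3. fetch the gate page; 4. extract and decrypt the blob to get the C2."""
    main_key = rc4(BUILD_KEY, bytes.fromhex(config["main_key"]))
    gate_url = rc4(main_key, bytes.fromhex(config["gate_url"])).decode()
    bot_id = rc4(main_key, bytes.fromhex(config["bot_id"])).decode()
    page = fetch(gate_url)
    pattern = re.escape(MARK_START) + r"([0-9a-f]+)" + re.escape(MARK_END)
    match = re.search(pattern, page)
    if not match:
        raise ValueError("gate page carries no C2 blob")
    c2_url = rc4(main_key, bytes.fromhex(match.group(1))).decode()
    return {"gate_url": gate_url, "bot_id": bot_id, "c2_url": c2_url}


def recoverable_from_strings(config: dict) -> list:
    """Analyst side: what a plain URL grep over the hardcoded config yields.
    Every network indicator is encrypted, so the answer is nothing."""
    return re.findall(r"https?://[^\s\"'<>]+", " ".join(config.values()))


if __name__ == "__main__":
    cfg = build_sample_config()
    print("strings-recoverable URLs:", recoverable_from_strings(cfg))
    print("resolved:", resolve_c2(cfg))
```

Running resolve_c2(build_sample_config()) walks the implant-side chain and returns the gate URL, BotID and C2; passing a fetch() that serves build_gate_page() with a different address shows an operator rotating the C2 without touching the binary. The practical consequence for analysts is that a strings dump of such a sample yields hex blobs but no C2, so the indicators worth hunting are the gate channel URL recovered after decryption and non-browser processes reaching the Telegram domain, rather than a C2 address that the binary never contains.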

Avast Threat Labs collected about 185 files, with a total size of 265 megabytes - including downloaders, clipboard crypto stealers and the WhiteBlackCrypt ransomware - that were being distributed by Raccoon Stealer.


News URL

https://threatpost.com/raccoon-stealer-telegram/178881/
