LummaC2 and Raccoon Stealer: The Rise of Certificate Abuse in Malware


Of late, cybercriminals have been deploying an increasingly sophisticated technique: abusing certificates to distribute malicious software. Their primary objective is the theft of credentials and other confidential data, and some campaigns also aim at stealing cryptocurrency.

This campaign leverages search engine optimization (SEO) poisoning, delivering search results that lead to malevolent pages offering cracked software.

While the site’s storefront promotes illicit ‘cracks,’ in the background the victim’s computer is infiltrated with remote access trojans known as LummaC2 and RecordBreaker (also referred to as Raccoon Stealer V2). This was described in a report by researchers from the South Korean security firm ASEC.

Beyond the delivery via websites offering unauthorized software, the propagation of RecordBreaker through platforms like YouTube and other malicious applications was observed.

It’s crucial to highlight that the malware employs atypical certificates bearing unusually long strings in the ‘Subject Name’ and ‘Issuer Name’ fields, which prevents Windows from displaying them properly. These signatures incorporate languages other than English, including Arabic and Japanese, along with unusual symbols.
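One way a defender can hunt for signers of this kind on a Windows host, as an added example that is not part of the ASEC report: the script below walks a directory, reads each file’s Authenticode signer certificate, and flags Subject or Issuer names that are abnormally long or contain non-ASCII characters. The directory, the 200-character threshold and the file extensions are assumptions to be tuned locally.

```powershell
# Added example: flag Authenticode signer certificates whose Subject/Issuer
# names are unusually long or contain non-ASCII characters.
# $Path and $MaxLen are assumed defaults, not values from the report.
param(
    [string]$Path   = "$env:USERPROFILE\Downloads",
    [int]$MaxLen    = 200
)

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_.FullName
    $sig  = Get-AuthenticodeSignature -FilePath $file
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) { return }          # unsigned file: nothing to inspect here

    $subject  = $cert.Subject
    $issuer   = $cert.Issuer
    # Any character outside the 7-bit ASCII range (Arabic, Japanese, symbols, ...)
    $nonAscii = ($subject + $issuer) -match '[^\x00-\x7F]'
    $tooLong  = ($subject.Length -gt $MaxLen) -or ($issuer.Length -gt $MaxLen)

    if ($nonAscii -or $tooLong) {
        [pscustomobject]@{
            File          = $file
            Status        = $sig.Status          # e.g. NotSigned, HashMismatch, UnknownError
            StatusMessage = $sig.StatusMessage
            SubjectLength = $subject.Length
            IssuerLength  = $issuer.Length
            NonAscii      = $nonAscii
            Subject       = $subject
            Issuer        = $issuer
        }
    }
} | Format-List
```

A hit is a triage lead, not a verdict: compare the flagged binary’s hash against your EDR or threat-intelligence sources before acting on it.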

The most recent malicious sample examined by the researchers, seen in active attacks, contains a line of malicious code designed to load and execute PowerShell commands.

“Furthermore, similar samples of this kind have been consistently distributed with slight structural variations for over two months, suggesting a specific intent behind this action,” commented an ASEC researcher.

Although such certificates will most likely fail signature validation, they can still confuse and potentially bypass certain protective mechanisms. Overall, certificate misuse has seemingly become a routine tactic deployed by threat actors.

LummaC2 and Raccoon Stealer are no strangers to cybersecurity experts. Once embedded, they can exfiltrate sensitive data, including browser-saved credentials, documents, cryptocurrency wallet files, and more.

Researchers from AhnLab Security vehemently advise Windows users to exercise caution when downloading software online, especially from platforms distributing unauthorized software. Trust in a previously used site is no longer a guaranteed safeguard.