Hunting the Raccoon: How a Trojan Creator Exposed Himself and His Clients
Stories about how antivirus companies track down malware authors always attract genuine interest from a wide audience, even though, in most cases, these exposures happen because the malware creator made a fundamental mistake somewhere. That’s exactly what happened this time: the author of the trojan not only exposed himself but also gave away his clients, much to the delight of cybersecurity specialists. This case clearly illustrates how such investigations are conducted and what information can be uncovered by paying attention to seemingly minor details.
How It All Started
It began when our malware lab received several samples of a stealer trojan. These samples differed in some technical details but were clearly created by the same author. The trojan had the standard set of features for this type of software: searching for and collecting saved passwords and browser cookies, copying text files, images, and documents from a list, stealing passwords from FTP clients, as well as accounts from Telegram and the Steam client. Everything the stealer collected was packed into an archive and uploaded to a cloud storage service: in one version, to Yandex.Disk, and in later modifications, to pCloud.
Distribution Methods
One of the early versions of the trojan was spread via YouTube—through links in comments left by several fake accounts. The videos were about using cheats and trainers in popular games, and the links supposedly led to downloads for these applications. So, the campaign was apparently aimed at gamers who use cheats, with one of the goals likely being to hijack Steam accounts. Links to the malware were also actively promoted on Twitter.
Another modification of the trojan was multi-component: besides the main spyware module, it included a scanner written in Go to detect installed browsers, and a separate utility to pack the stolen files into an archive and upload them to the cloud. The trojan’s dropper was written in AutoIt, which gave researchers a unique challenge. To spread this trojan, the attackers came up with an original method: they contacted owners of popular Telegram channels, offering to advertise a program that allowed users to connect to Telegram from multiple accounts at once. The application could be tested—potential victims were sent a link to an executable file that contained the trojan.
Inside the Stealers
All the stealer samples we analyzed were written in Python and converted into executable files using py2exe. The trojan code was as clumsy and dull as a fruit knife. For example, the Python function `os.listdir()` returns a list of strings, each representing a directory entry name. Normally, these values are processed in a loop. However, the trojan’s author inexplicably joined the list into a single string with spaces and searched for matches using a regular expression:

```python
import os
from re import findall

steam = os.listdir(steampath)              # list of entry names in the Steam directory
steam = ' '.join(steam).decode('utf-8')    # Python 2: joined into one string instead of iterating
ssfnfiles = findall('(ssfn\\d+)', steam)   # then searched with a regular expression
```
They say laughter is the best medicine. If that’s true, then analyzing this code gave virus analysts a few more years of life, because it’s impossible to look at such “brilliant” code without laughing:

```python
if score is 0:
    pass
if score is not 0:
    exit(1)
```

Apparently, the malware author hadn’t yet mastered the complex syntax of `if score != 0: exit(1)`, or maybe he just wasn’t cut out for programming. The latter was later fully confirmed.
When compiling a script, the Python interpreter saves the name of the original script in the bytecode. The name we extracted from the executable was quite telling: `enotproject` (“enot” means “raccoon” in Russian). In the AutoIt dropper, the path to the project files folder was preserved: `\Users\User\Desktop\Racoon Stealer\build\`. A quick Google search for “Enot” and “Racoon Stealer” led us to a Lolzteam page, where a user named “Enot Pogromist” was selling these very trojans and even offering master classes on writing stealers in Python.
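The bytecode detail above is worth seeing in practice. The following is an added example, not code from the original article or from the samples it describes: it compiles a small constructed script under a made-up path (`enotproject.py` under a user's desktop), serialises the resulting code object with `marshal`, and then recovers the original script path and the function names from the serialised blob by walking `co_filename` and `co_consts`. The same walk applies to a `.pyc` file once its header is stripped, and to the marshalled code objects that py2exe bundles into an executable. Note that the marshal format is tied to the interpreter version: a sample built with Python 2 has to be loaded with a matching Python 2 interpreter, while this example uses whatever interpreter runs it.

```python
import importlib.util
import marshal
import types

# Constructed sample: a small script compiled under a telling path and
# serialised with marshal, the same representation found in .pyc files and
# in the code objects py2exe bundles into an executable. The path and the
# script body are made up for this example.
SAMPLE_PATH = "C:\\Users\\User\\Desktop\\enotproject.py"
SAMPLE_SRC = """
import os

def collect(path):
    hits = []
    for name in os.listdir(path):
        if name.startswith('ssfn'):
            hits.append(name)
    return hits
"""
SAMPLE_BLOB = marshal.dumps(compile(SAMPLE_SRC, SAMPLE_PATH, "exec"))

# A .pyc file is the same marshalled code object behind a small header:
# magic number, flags and source size/hash (16 bytes on CPython 3.7+).
SAMPLE_PYC = importlib.util.MAGIC_NUMBER + b"\x00" * 12 + SAMPLE_BLOB


def strip_pyc_header(data):
    """Return the marshalled payload of a .pyc written by this interpreter version."""
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic number does not match the running interpreter")
    return data[16:]


def walk_code(code, found=None):
    """Collect (co_filename, co_name) for a code object and every nested code constant."""
    if found is None:
        found = []
    found.append((code.co_filename, code.co_name))
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            walk_code(const, found)
    return found


def script_names_from_blob(blob):
    """Distinct original script paths recorded in a marshalled code object."""
    code = marshal.loads(blob)
    if not isinstance(code, types.CodeType):
        raise ValueError("blob does not deserialise to a code object")
    return sorted({fname for fname, _ in walk_code(code)})


def function_names_from_blob(blob):
    """Names of nested code objects (functions, classes), excluding the module itself."""
    code = marshal.loads(blob)
    return [name for _, name in walk_code(code) if name != "<module>"]


if __name__ == "__main__":
    print(script_names_from_blob(SAMPLE_BLOB))
    print(function_names_from_blob(strip_pyc_header(SAMPLE_PYC)))
```

The script path survives in every nested code object, not just the module, so even a single recovered function is enough to learn where the author kept the project; that is exactly the kind of small detail the investigation above was built on.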
The Raccoon’s Trail
Our “Raccoon” turned out to be quite a character: not only was he a malware developer, but also a video blogger, the author of a channel about malware development, and the owner of a GitHub account where he posted his own trojans as source code.
Since “Enot” left a significant digital footprint, analysts quickly identified several technical domains he used to distribute his malware, as well as three personal email addresses. His mobile phone number was also found online, and it was linked to a Telegram account he used for feedback. The collected information about the stealer samples, videos, domains, and email addresses formed a clear map of the malware author’s connections and technical resources.
The Funniest Part: Exposing the Clients
The funniest part was in the trojan code. Clients who bought stealers from “Enot” were instructed to register an account on the pCloud cloud storage service, where the trojan would automatically upload the stolen, archived files from infected computers. The login and password for each client’s account were hardcoded into the stealer’s code, almost in plain text, making it easy to extract them.
And the buyers themselves were, for the most part, shining examples of intelligence and cunning: many ran the stealer on their own personal machines (probably for testing), which resulted in their personal files being uploaded to the cloud storage—where, thanks to “Enot,” anyone could access them. Some especially “gifted” individuals even used their personal email addresses as the pCloud login, linked to real social media profiles. And, of course, they used the same password everywhere.
Conclusion
It’s amazing how much personal information people willingly leave online.
Since “Enot Pogromist” kindly leaked his clients’ private information, it would have been foolish not to look into what they do in their spare time. It turned out that many of them also used other stealers, widely sold on various forums. The information we found led to different online resources: one by one, we discovered personal social media pages, YouTube channels, email addresses, mobile phone numbers, e-wallet IDs, and more. Some of “Enot’s” clients owned websites—using Whois, we found the names of the administrators of their domains. One “notorious hacker” even had an online diary, just like any schoolkid.
As a result, all buyers of the Raccoon stealers were quickly identified, de-anonymized, and detailed dossiers were compiled on each and neatly filed away. Sometimes, raccoons can be extremely helpful in the fight against cybercrime.
In short, friends, sometimes all it takes to track down a virus author is paying close attention to the details—this can lead to a big and successful investigation.