The RecordBreaker Stealer is one of the main malware strains distributed disguised as downloads of illegal programs such as cracks and keygens. It first appeared last year and has since been actively distributed to ordinary users. It is also referred to as Raccoon Stealer V2 and is being distributed through various channels, including websites and YouTube.
CryptBot, which had been actively distributed in the same manner, has been entirely absent since February of this year, and the Vidar malware occasionally appears, but RecordBreaker now accounts for most distribution cases.
- RecordBreaker Stealer Distributed via Hacked YouTube Accounts
- New Info-stealer Disguised as Crack Being Distributed
Among the recently distributed samples, one was discovered to have its version information and certificate disguised as those of a Korean software company. This post summarizes the details.
While falsifying version information and certificates to imitate well-known software has occurred multiple times in the past, it is highly unusual to find version information written in Korean being used to imitate a Korean company. Additionally, the threat actor included several legitimate library files from the actual software company within the compressed file to make the malware appear legitimate.
From the evening of April 27th to May 1st, six samples disguised as being from this company were discovered during this distribution period. Two sets of version information were used along with one stolen certificate. (*The threat actor stole this version information and certificate. There is no connection between the company in question and the malware distribution.)
The distribution and infection processes of this sample are as follows.
Users end up downloading the “PassKey_55551-CompleteFileT1.rar” file from a distribution site after arriving at such a site while searching for illegal authentication tools such as cracks or keygens. This compressed file contains another, password-protected compressed file, “FullSetup.rar,” and a “Read.me.txt” text file in which the password is written.
The malware is located within the password-protected compressed file. The password is provided either in a separate text file or integrated into the filename itself. Decompressing this password-protected file produces a folder containing legitimate files from the impersonated company alongside the malicious executable.
All of the recently distributed samples have been padded to unusual sizes. The actual malware is small, but junk data has been inserted to bloat the file to about 1.2 GB. Previously, distributed samples were approximately 300 MB, but recently they have been gradually increasing in size. A recently collected sample had a file size exceeding 2 GB.
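One triage check a defender can apply to the padding described above, as an added example that is not from the original post: measure the PE overlay (bytes past the end of the last section's raw data) and flag files in which it dominates. The minimal PE builder, the synthetic sample and the 90% threshold are constructed for illustration.

```python
import struct

# Flag a file when the overlay makes up at least this share of it; the padded
# samples are almost entirely filler, so a high bar keeps false positives low.
OVERLAY_RATIO_THRESHOLD = 0.90  # assumed value, tune per environment


def pe_overlay(data: bytes) -> tuple[int, int]:
    """Return (end_of_last_section, overlay_size) for a PE file held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + opt_size               # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end, max(0, len(data) - end)


def is_padded(data: bytes, threshold: float = OVERLAY_RATIO_THRESHOLD) -> bool:
    """True when the overlay dominates the file, the pattern seen in bloated samples."""
    _, overlay = pe_overlay(data)
    return len(data) > 0 and overlay / len(data) >= threshold


def build_sample(code_size: int, padding: int) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header with no
    optional header, one .text section, then `padding` junk bytes as overlay."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 4 + len(coff) + 40   # section data follows the table
    section = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", code_size, 0x1000, code_size, raw_ptr)
               + b"\0" * 16)
    header = dos + b"PE\0\0" + coff + section
    return header + b"\x90" * code_size + b"\0" * padding


if __name__ == "__main__":
    for label, blob in (("plain", build_sample(512, 0)),
                        ("bloated", build_sample(512, 512 * 200))):
        print(label, len(blob), pe_overlay(blob), is_padded(blob))
```

Legitimate files also carry overlays (Authenticode signatures, installer payloads), so treat a large overlay ratio as a reason to look closer, together with the absolute size and the signer, rather than as a verdict on its own.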
When the malware is executed, sensitive information saved on the user’s PC is collected and sent to a C2. Depending on the C2’s response, additional malware can be downloaded and installed from a specified URL.
During the period in question, the C2 server responded with an instruction to install the ClipBanker malware on the infected system. This malware persists by registering itself in the task scheduler, and it replaces cryptocurrency wallet addresses in the clipboard with the threat actor’s address.
Download URL: hxxp://167.99.47[.]96/S5Y8F9I3F1Q2J6B/37836632498586869767.bin
ClipBanker MD5: 51967006b0c9cab093abcd8d920d271f
Caution is advised as the threat actor is attempting various methods to deceive users. AhnLab Security Emergency response Center (ASEC) automatically collects malware distributed in the manner covered in this post as soon as it appears. It is then analyzed and diagnosed in real time. The relevant information can be found in AhnLab TIP’s Live C&C service.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.