
CTI Roundup: Monti ransomware targets VMware ESXi servers with new Linux locker

Raccoon Stealer malware reappears, AI adoption remains low among threat actors, and Monti ransomware targets VMware ESXi servers with new Linux locker

Emerging Issue

Up first in this week’s roundup is a look at the developers behind the notorious Raccoon Stealer malware, and the end of their hiatus from hacker forums. Next, CTI covers Mandiant’s tracking of threat actor interest in AI capabilities. Finally, CTI wraps up with a breakdown of the Monti ransomware operation after a two-month break.

1. Raccoon Stealer malware reappears

The developers behind the notorious Raccoon Stealer malware have ended their hiatus from hacker forums and are back promoting a new version. This discovery comes a few months after one of its main operators was arrested due to their role in the Raccoon malware-as-a-service (MaaS) operation.

Raccoon Stealer: A brief introduction

Raccoon Stealer was first observed in 2019, when it was being advertised across various cybercriminal forums as an information stealer. The malware gained popularity due to its simplicity, as it omitted many advanced features and focused more on enabling stealing.

Raccoon incidents frequently begin during malspam campaigns, with the delivery of malicious attachments. The malware also spreads via third-party exploit kits and other malware families.

In October 2022, one of the main Raccoon Stealer operators who was responsible for the infrastructure of the operation was arrested. The FBI was able to collect stolen data from multiple computers that were infected with the malware. This arrest temporarily halted the operation — until recently, when Raccoon announced its return in a hacking forum post.

Raccoon’s new features

  • Quick search for cookies and passes: A new admin panel offers a simple way to search for URLs. This feature makes it fast and easy to locate specific links within large datasets — even when dealing with millions of documents and thousands of different links. The addition of a quick search component marks a significant step forward for the malware, providing a new level of convenience for threat actors.
  • Automatic bot blocking and panel display: The info stealer has a new system for detecting unusual activity patterns such as multiple accesses from the same IP address or range. This suspicious behavior results in the automatic deletion of records associated with the activity, making it harder for security tools leveraging automation and bots to detect the malware.
  • Reporting system: A reporting system was added in this version to block IP addresses used by crawlers and bots, preventing them from monitoring Raccoon traffic.
  • Log statistics: Log statistics allow threat actors that purchase the info stealer to view the top countries by the number of logs.

Additional observations

Behavior and capabilities

Raccoon Stealer targets a range of applications, using specific techniques to steal data. It will extract the application file that contains sensitive data, copy it to a temp folder, and create/write a text file to the application’s folder with the stolen data.

To obtain and decrypt the credentials from applications, it will acquire and download the DLLs associated with the application. The stolen data is compiled in a file before being sent to the threat actor’s command and control (C2) server.

Control panel

Raccoon subscribers also have access to a centralized control panel on a Tor onion service. The panel enables them to generate and manage campaign configurations, build Raccoon malware payloads, and view stolen data. It’s available in English and Russian and is accessed via a username and password, which is presumably received when subscribing.

The control panel leverages JavaScript resources that can be accessed without authentication. This allowed researchers to determine some current functionality. It also exposes text related to the user agreement and FAQ sections. The exposed JavaScript resource revealed the following menu options available to Raccoon’s administrators: all logs, statistics, news, proxies, and users.

Statistics panel

A statistics panel provides an overview of active Raccoon Stealer campaigns. The account section displays the current balances, likely related to subscription funds. It also shows the configuration option for MFA and a password reset function.


Based on the FAQ portion, subscribers can generate a single build, although multiple configurations are also supported and can be updated/downloaded from the C2 mid-campaign.

After defining and selecting a configuration, the build process enables the threat actor to create a DLL or executable to deliver and launch the payload. The new Raccoon MaaS also allows the newly built payload to be tested in a VM maintained by the Raccoon operators. The test will send a notification to the subscriber via the control panel, alerting them of successful execution and communication with the C2.


Many threat actors are now using malicious document attachments to deliver Raccoon payloads during malspam campaigns.

Each payload attempts to communicate with seemingly benign or legitimate URLs, during which an encrypted string is gathered/processed to retrieve the true C2 URL. It currently communicates with websites offering Telegram URL shortening services.

Raccoon Stealer extracts credentials, cookies, and payment card data from many web browsers and cryptocurrency wallets. In addition to data theft, the malware will gather system information including details of the OS build version, hardware, and installed apps. An exfiltration zip archive is used to upload this data to a C2 gate server.

Additional payloads

Once Raccoon Stealer completes its data exfiltration, the threat actor can initiate the download/execution of additional payloads. These payloads will change depending on the threat actor’s end goal. Some recent observations include deploying additional malware to maintain remote access as well as cryptojacking payloads.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The updates to the notorious Raccoon Stealer malware reveal how sophisticated its operators are becoming. It also demonstrates that FBI involvement and arrests are not always enough to take down threat actors and malware operators.”

“The addition of a VM environment for threat actors to detonate and test their Raccoon builds is rather novel and will likely make the info stealer more appealing.”

2. Generative AI use remains limited despite rising interest

For the past few years, Mandiant has been monitoring threat actors’ interest in AI capabilities. Based on their observations, the adoption of AI in attacks remains limited and primarily related to social engineering.

That said, AI is actively being used in the wild, with operations actors currently using AI-generated content in their campaigns.

Leveraging generative AI in information operations

According to Mandiant, AI technologies have the potential to significantly augment threat actors’ capabilities.

This is because generative AI enables amateur threat actors to create higher quality content at scale, while eliminating linguistic barriers. AI-generated content may also be more persuasive. An example of this can be seen in AI models that are trained on real individuals’ voices for audio fabrications.

The adoption of AI among operations actors

The adoption of AI will likely vary by media form. This is due to the availability of tooling and the effectiveness of each media form to invoke an emotional response.

  • AI-generated imagery: Mandiant has identified several instances of operations leveraging AI-generated images. The public availability of tools that create AI-generated images has likely contributed to their frequent usage. Threat actors have taken additional steps to obfuscate the AI-generated origin of their profile photos by adding filters or retouching facial features.
  • AI-generated video: Publicly available AI video technology currently consists of video templates with customizable AI-generated avatars reciting voice-to-text speech and video manipulation tools like face swapping services. Mandiant has observed these technologies in campaigns in recent years. For example, threat actor Dragonbridge previously used an AI-generated presenter in a campaign.
  • AI-generated text: Mandiant has only observed one instance of information operations actors referencing AI-generated text. However, Mandiant anticipates that the recent emergence of publicly available tools could lead to rapid adoption.
  • AI-generated audio: Mandiant has observed little to no use of AI-generated audio. They have, however, observed users of such technologies, such as those on 4chan, create audio tracks of public figures making inappropriate statements.

Improving lure materials

Threat actors can use large language models (LLMs) to generate more convincing material tailored to specific audiences, even without understanding the target’s language. LLMs enable threat actors to create text output that is effective in phishing campaigns.

Mandiant has also observed evidence of financially motivated actors using manipulated video and voice content in business email compromise (BEC) scams. There have also been cases of AI-generated voice impersonation scams in which the threat actor poses as a family member of the victim to elicit an emotional reaction.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“There’s been a lot of talk lately of what AI could do to the threat landscape, and how it can enable threat actors. Mandiant does a nice job outlining some of the scary potential situations it could cause, but also provides a small sense of relief by noting its limited use in the wild thus far.”

“Since we know threat actors are regularly evolving their TTPs to respond to new technologies, it’s unsurprising that many researchers are anticipating increased usage of AI in campaigns in the future.”

3. Monti ransomware targets VMware ESXi servers with new Linux locker

The Monti ransomware operation has returned after a two-month break from listing victims on their data leak site.

Monti ransomware is now using a new Linux locker to target VMware ESXi servers. The previous locker was heavily based on the leaked code from Conti, but researchers have found the new variant to have significant deviations from its Linux-based predecessors.

About Monti ransomware

Monti ransomware has both Windows and Linux-based variants and first started gaining attention in June 2022 due to its resemblance to Conti ransomware. The operation has leveraged many widely recognized TTPs of the nefarious Conti group in addition to using much of Conti’s leaked source code.

The Monti ransomware group seemingly took a two-month break from exposing victims on its data leak site but has since resumed operations, targeting victims in the legal and government sectors. With its return comes a new Linux-based variant of Monti.

Previous Monti Linux variants were largely based on Conti source code, while this new version employs a different encryptor with some distinct behaviors. At the time of this discovery, only three vendors had tagged this variant as malicious on VirusTotal. Trend Micro compared this variant to older Monti Linux variants and found a similarity rate of 29%, indicating several changes must have been made.

Infection marker

A new addition to this variant is that it appends the bytes MONTI followed by an additional 256 bytes that are linked to the encryption key. The ransomware will check whether the file size is 261 bytes or below, corresponding to the size of the infection marker it appends after encryption.

If this is true, the ransomware will proceed with its infection process. If this is not true, Monti will check the last 261 bytes of the file to confirm the presence of the MONTI string. If already encrypted, the file will be skipped.


Trend Micro has determined that this new ransomware variant employed AES-256-CTR encryption using evp_enc from the OpenSSL library, compared to Salsa20 which was used in the old variant. The new sample also employs various encryption methods for files, relying solely on the file size for its encryption process.

If a file is larger than 1.048MB but smaller than 4.19MB, the ransomware will only encrypt the first 100,000 bytes of the file and append its infection marker at the end of the file. If the file exceeds 4.19MB, it will employ a shift right operation to calculate the total size of the file to be encrypted. All files with a size smaller than 1.048MB will be encrypted in their entirety.

Like previous variants, all files are appended with the .monti file extension. The ransom note, readme.txt, is also dropped to every directory. What’s more, Trend Micro observed a decryption code that suggests the actor may be testing its functionality. However, this decryption code was found to be ineffective since it requires a private key that is known only to the author.
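For responders scoping an affected datastore, the marker check and size tiers described above can be turned into a triage script. This is an added example, not code from Trend Micro or Tanium; the function names are hypothetical, and it assumes the article's 1.048MB and 4.19MB thresholds correspond to 1,048,576 and 4,194,304 bytes of pre-encryption file size.

```python
import os
import tempfile

MARKER = b"MONTI"                 # magic bytes named in the write-up
TRAILER_LEN = len(MARKER) + 256   # 261-byte trailer: marker + key-linked bytes
SMALL_LIMIT, LARGE_LIMIT = 1_048_576, 4_194_304  # assumed: 1.048MB / 4.19MB

def has_monti_marker(path):
    """True if the last 261 bytes of the file begin with b'MONTI'."""
    size = os.path.getsize(path)
    if size <= TRAILER_LEN:       # 261 bytes or less: treated as unmarked
        return False
    with open(path, "rb") as fh:
        fh.seek(size - TRAILER_LEN)
        return fh.read(len(MARKER)) == MARKER

def damage_tier(path):
    """Map the pre-encryption size to the behaviour the article describes."""
    original = os.path.getsize(path) - TRAILER_LEN
    if original < SMALL_LIMIT:
        return "whole file encrypted"
    if original < LARGE_LIMIT:
        return "first 100,000 bytes encrypted"
    return "partially encrypted (size-dependent)"

def triage(root):
    """Return ({marked file: tier}, [directories holding readme.txt])."""
    marked, note_dirs = {}, []
    for dirpath, _dirs, files in os.walk(root):
        if "readme.txt" in files:
            note_dirs.append(dirpath)
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and has_monti_marker(full):
                marked[full] = damage_tier(full)
    return marked, note_dirs

def demo():  # constructed sample files, written to a temporary directory
    samples = {
        "vm.vmdk.monti": b"\x00" * 2_000_000 + MARKER + b"\xaa" * 256,
        "small.cfg.monti": b"x" * 500 + MARKER + b"\xaa" * 256,
        "clean.log": b"MONTI appears here but not in the trailer" * 20,
        "readme.txt": b"constructed placeholder note",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        marked, note_dirs = triage(root)
        return {os.path.basename(p): t for p, t in marked.items()}, len(note_dirs)
```

The check keys on the trailer rather than the .monti extension, so renamed files are still found, and a readme.txt on its own is only a weak signal because the filename is common.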

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Monti ransomware never made many headlines in the news due to its relatively low attack volume, but that’s not to say that it should be ignored as a threat.

The threat actors behind this operation are now starting to stray from strictly using leaked Conti source code and are adding in new features of their own. Monti is following in the path of many other ransomware gangs by working to enhance its ability to evade detection.”


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
