Additional reporting by Edvardas Mikalauskas
As the COVID-19 pandemic was sweeping the world in spring, staying informed and up-to-date about the novel coronavirus was vital to everyone on the planet. People - paralyzed with fear of becoming the pandemic's next victims - began devouring any information they could find about the virus on the internet, often foregoing caution and becoming vulnerable to cybercriminals who were quick to prey on the public's panicked state.
Now that the second wave of the pandemic is already visible in many countries, another scramble for information about the virus seems just as certain. Will the public be caught off guard by cybercriminals again, just like it happened in spring and early summer? During the early months of the first wave, people were bombarded with phishing emails that pretended to help them deal with the COVID-19 outbreak, but instead installed the malicious spyware known as Raccoon Stealer onto victims’ computers.
Raccoon Stealer is known for stealing victims’ credit card data and email credentials, and has been making its rounds earlier this year, especially during the first few weeks after the coronavirus impacted Western countries.
Having made the rounds over and over again during the first wave of the pandemic, it's more than likely that we'll be seeing Raccoon Stealer's return alongside COVID-19 phishing campaigns later in the year, as new record highs in daily cases and fears of a second global outbreak make people more susceptible to fake emails and websites that masquerade as coming from legitimate health organizations.
Such cyberattacks are among the main reasons why users are advised to have up-to-date antivirus programs on their computers to detect and delete Raccoon. With a second wave of the pandemic looming over the horizon, here at CyberNews we wanted to analyze which antivirus programs were able to effectively detect Raccoon Stealer once it ends up on a user’s computer.
More than that, we also know that bad actors don’t normally use raw versions of the malware – instead, they encrypt it to further evade detection. In that way, we also wanted to test which antivirus programs could detect not just the raw Raccoon file, but also 3 other versions of the malware encrypted using different crypting services often used by bad actors.
Out of the 10 antivirus programs we analyzed using static analysis, only 2 were able to automatically detect all variations of the malware.
About this research
In order to carry out this research, we downloaded (very carefully) the infamous malware named Raccoon Stealer. We then loaded this onto our Windows 10 virtual machine as a Zip file. From there, we created four versions:
- The extracted, raw malware executable file
- The Raccoon file encrypted with a free crypter
- The Raccoon file encrypted with two separate paid crypters
Windows’ default antivirus program, Windows Defender, was turned off, so that at any time only one antivirus program was active. The programs were individually installed and tested by performing static analysis, and then the VM was reset.
The program was allowed to detect the malware first upon its automatic initial check (a type of “real-time protection”). If nothing was detected automatically, we ran a quick scan. If still nothing was detected, we ran a full scan.
Summary of our results
- Only ESET and AVG were able to automatically detect the Raccoon malware in all its forms
- Avira and F-Secure detected the malware in all its forms only after we ran a full scan, but did not detect it automatically
- Dr. Web completely failed to detect any forms of the malware, while Kaspersky, Bitdefender and Bullguard only detected 1 of the 4 forms of the malware
- Trend Micro and Avast were not able to detect all forms of the malware
- We checked the detection rates of these different antivirus programs using static analysis
The table below presents our full results as either a yes or no. A “Yes” with an asterisk (*) indicates that the malware was detected only after a manual full scan.
| App Name | Raw file | Free Crypter | Paid Crypter #1 | Paid Crypter #2 |
|---|---|---|---|---|
| Bitdefender Antivirus Plus | NO | YES | NO | NO |
| Windows Defender (default AV) | YES | YES | NO | YES |
What is Raccoon Stealer?
First seen in April 2019, Raccoon Stealer (alternatively known as Legion, Mohazo, or Racealer) is an infostealer spyware that is used to steal your credit card information, cryptocurrency wallets, browsing data, and more. Unlike in the movies, there is no red warning screen or a nifty “You’ve been hacked” note when the malware is launched.
While this malware is not advanced by any definition, it is a very popular malware-as-a-service (MaaS), where the makers charge buyers $75/week or $200/month to use this ready-made stealer. It is also constantly developed, increasing its anti-debugging, anti-analysis and antivirus-evading techniques to keep itself hidden while it scrapes your passwords, cookies, and crypto wallets, and even surreptitiously takes screenshots.
The malware encryptions we used
We used three encrypted forms of the malware (in addition to the raw file) to test how well each antivirus program would perform in detecting it in its various states.
We tested these AV programs based on what we assumed would be three monetary levels that would be reflected in their detection rates (i.e., the free crypter would be the easiest to detect, while the most expensive would be the hardest to detect).
There were four files:
- The raw Raccoon the Thief file (thefile.exe)
- The free crypter file (free-crypted-file.exe)
- Paid crypter #1 crypted file (PC1)
- Paid crypter #2 crypted file (PC2)
Free Crypter
- Price: free (trial version)
- Bypassed: Kaspersky, Dr. Web, and Bullguard
The free crypter (FC) labels itself as “the best free crypter available on the internet.” Ostensibly, its purpose is fairly neutral: to help developers prevent reverse engineering and antivirus detections to avoid having free “cracked” versions of their software.
Once installed, the program allowed us to quickly encrypt our malware. On its site, FC states that the full version “is undetected when scanned with the following antivirus programs: Windows Defender, Norton, AVG, Avast, Malwarebytes, McAfee, Panda, Trend Micro.” For the trial version, this was not the case.
Paid Crypter #1
- Price: $30 for 1 month
- Bypassed: Kaspersky, Avast, Bitdefender, Dr. Web, TrendMicro and Windows Defender
The seller behind Paid Crypter #1 advertises his wares on hacker forums and his own website. He claims its purpose is to “Avoid Reverse engineering and bypass most av's.” This crypter is web-based, so there was no need for us to download anything in order to crypt our malware.
We went with the 1-month, $30 package, although a one-time package would’ve met our needs as well. We were interested to see if PC1 could live up to its promise of bypassing detection from Windows Defender (the default antivirus program on Windows 10), Avast, ESET and Kaspersky.
Apart from ESET (which was able to detect all variations of this malware), PC1 lived up to its claims.
Paid Crypter #2
- Price: $15 for 2 hours
- Bypassed: Kaspersky, Avast, Bitdefender, Dr. Web, and Bullguard
By price and difficulty alone, this should be the hardest version of the malware for AV programs to detect. In order to buy it, you’ll need to either already have a registration on the site, or pay $40 in Bitcoin to register. Beyond that, the site charged us $15 for just 2 hours of use, which at a monthly rate would put that at… $5,400.
This web service even performed an online check of our crypted file to see whether the most common AV programs would detect it. Before we did our AV tests, this file had a 0/46 detection rate, while at the time of publishing it is 4/46.
Nonetheless, we are happy to report that 5 of the 10 AV programs detected the PC2-encrypted malware, as did Windows Defender.
The winners and losers
The absolute winners in this analysis were clearly ESET and AVG, which immediately detected and automatically removed all four versions of the malware. Avira and F-Secure are both in second place, only because they required manual scans in order to detect and remove the threats.
In fact, after running its automatic initial scan, Avira claimed that our Virtual Machine was free from viruses – which was certainly not true, seeing as all four versions were still present on our Desktop.
The baffling results
Some of our tests were quite frustrating.
While Dr. Web was able to detect nothing at all, its relative obscurity made that result less significant. However, we were disappointed with Kaspersky, which is generally well-known for uncovering complex government-sponsored cyber-espionage and sabotage efforts. In our tests, Kaspersky only detected the raw Raccoon file.
We were also surprised by Bitdefender and Bullguard, which were both able to detect an encrypted version of the malware, but completely incapable of detecting the raw version of the file.
In fact, we even tried to drag-and-drop the raw version of Raccoon into Bitdefender, to no avail: the free crypter file was removed, but the raw Raccoon remained.
Avast and Trend Micro are sort of “middle-of-the-road” in their performance.
Windows Defender Antivirus and other basics
Windows Defender was able to block three of the four versions, failing only with Paid Crypter #1. We’re putting Defender on the side of our analysis simply because it’s a default-enabled antivirus, and our aim was to see which add-on antivirus program would work the best.
That being said, we appreciate that Windows Defender was able to get 3 of the 4 – but it also shows that it offers “decent” protection for something default, but certainly not the best.
It’s also important for me to emphasize that it was difficult to get Raccoon on our VM in the first place. All of the browsers I tried (Chrome, Firefox, Edge) blocked our file from being downloaded, or deleted it immediately after running their scans.
We were finally able to bypass Edge’s block after turning off Windows Defender’s SmartScreen feature.
Summary and recommendations
It’s important to reiterate that our goal here was to determine which antivirus program was the most successful in detecting a popular coronavirus-related malware using static analysis, not which crypting service was the best to help malware avoid detection. In that, there are only two options: go with either AVG or ESET.
Beyond that, if you have Windows 10 you’ll have decent protection by default. It’ll be hard to sneak coronavirus malware past your browser’s defenses, and even then your Windows machine should detect it, for the most part.
Of course, this doesn’t remove any responsibility from your side to not visit malicious websites, to not download malicious files (or enticing files from strangers), and certainly to not turn off your computer’s basic, default defenses.
Nonetheless, it’s also important to note that AV programs are only as good as their libraries, and these are regularly updated. So, while your antivirus may not detect this malware initially, it should only be a matter of time before it updates its detection abilities.
Lastly, this was merely a static analysis. The results would be far more significant if we performed a dynamic analysis, as we would then see how these AV programs behave when each of the four versions of Raccoon Stealer is actually executed.