On September 27, 2023, we detected encoded PowerShell commands that were clearly malicious in nature. After contacting the customer and performing emergency containment, we moved to researching the malware and related Indicators of Compromise (IoCs). The malware was determined to be a novel version of the Raccoon Stealer Malware.
Upon our detection, the hash of the Raccoon Stealer malware had only three hits on VirusTotal, so CYDEF was among the first to recognize the program as a threat. Two days later, that number was 25 (out of 61).
While detection and remediation were straightforward, a separate inquiry arose. The file name of this instance of the Raccoon Stealer malware contained non-printable characters that masked the true characters comprising the file name. This made the file name “unsearchable” if typed as it appeared on screen.
Specifically, the malicious file name we detected was “ChromeSetup.msi”. Clearly a trojan.
But upon searching for the string “ChromeSetup.msi” in our detailed logs, no results were found. Copy/pasting the file name string from the detected command line into a hex editor shows why. Bytes 0x3 through 0xE are non-printable, yet appear on screen as the string “omeSetup”.
When comparing with a “ChromeSetup” string comprised solely of ASCII characters, the byte differences are easy to spot. Looking only at the non-printable characters, we have Ð (0xD0), ¾ (0xBE), µ (0xB5), Ñ (0xD1) and a padding character (0x80).
Sidebar on ASCII and Unicode characters:
ASCII defines the first 128 characters of the Unicode standard, which defines up to 2^21 characters. In other words, Unicode is a superset of ASCII. Not all UNICODE chars are defined (there are 2,097,152 possible UNICODE characters).
Was this intentional on the part of the malware authors? Or was it an error in our log processor/parser? Navigating to VirusTotal and searching the hash of the malware provides several other aliases for the Raccoon Stealer malware.
Copying the various “ChromeSetup” strings from VirusTotal into a hex editor confirms that the malware aliases did indeed include versions that were byte-for-byte identical to ours.
The purpose of crafting an alias consisting of non-printable characters while displaying as a coherent human-readable ASCII string is unknown, especially since the hash is what identifies the malware and is the primary means of detection. In other words, altering the name of a program does not change its hash. (Upon download of the malware from the customer’s infected device, our AV instance did indeed alert and delete the malware file).
But this tactic can be employed to foil defenders’ attempts to locate the malware file on their systems, as a simple “CTRL+F” in a folder or log source will not produce any results. (This is indeed the case that we encountered, as detailed above.)
These cases can be confusing for threat hunters and investigators but a simple solution is to copy/paste the string of characters from the alert or log into the search tool. This preserves the original string format and allows the search function to find the file name containing non-printable characters.
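As an added illustration (not code from the original post or from CYDEF), the script below reproduces the search problem on a constructed file name built from the byte sequences listed above, which are multi-byte UTF-8 encodings of characters outside ASCII that render like Latin letters. It shows why a typed search misses while a pasted one hits, and lists each non-ASCII character with its bytes and Unicode name so such names can be flagged in a hunt; which letters were swapped in the real sample and the log lines are assumptions.

```python
import unicodedata

# Constructed sample (not the actual file from the incident): a name that renders as
# "ChromeSetup.msi" but carries the UTF-8 byte sequences listed in the post
# (0xD0 0xBE, 0xD0 0xB5, 0xD1 0x80) in place of some Latin letters. Exactly which
# letters were swapped in the real sample is an assumption.
SUSPECT_NAME = "Chr\u043em\u0435S\u0435tu\u0440.msi"

def non_ascii_chars(name):
    """List every non-ASCII character in a file name as
    (index, UTF-8 hex bytes, Unicode character name)."""
    return [
        (i, ch.encode("utf-8").hex(), unicodedata.name(ch, "UNNAMED"))
        for i, ch in enumerate(name)
        if ord(ch) > 0x7F
    ]

def escape_for_log(name):
    """Render a name with each non-ASCII character as \\uXXXX, so the analyst
    sees what the log actually stores rather than what the glyph looks like."""
    return "".join(ch if ord(ch) <= 0x7F else f"\\u{ord(ch):04x}" for ch in name)

def search_log(lines, needle):
    """Plain substring match, which is all CTRL+F in a log viewer does."""
    return [ln for ln in lines if needle in ln]

def hunt_names(names):
    """Return the names worth a second look: any containing non-ASCII characters."""
    return [n for n in names if non_ascii_chars(n)]

# Constructed log lines; the second carries the look-alike name.
LOG_LINES = [
    "2023-09-27T10:01:02 process_start image=C:\\Windows\\System32\\msiexec.exe",
    "2023-09-27T10:01:03 file_create name=C:\\Users\\Public\\" + SUSPECT_NAME,
]

if __name__ == "__main__":
    print("typed search hits: ", len(search_log(LOG_LINES, "ChromeSetup.msi")))
    print("pasted search hits:", len(search_log(LOG_LINES, SUSPECT_NAME)))
    print("escaped name:      ", escape_for_log(SUSPECT_NAME))
    for idx, hexbytes, uname in non_ascii_chars(SUSPECT_NAME):
        print(f"  index {idx}: bytes {hexbytes} -> {uname}")
```

Running the hunt over file-name fields from your own logs is the practical check: anything `hunt_names` returns deserves the escaped view before deciding whether it is benign localisation or a look-alike.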
And keep this tidbit in the back of your mind: Are you checking for files with non-printable characters in your environment?
Happy hunting! ^_^
Written by Nadine H, P. Eng, Senior Threat Hunter at CYDEF.