The Revival of Raccoon Stealer

Raccoon Stealer has been around since April 2019, and was one of the most prolific information stealers in 2021. It can be used to steal all of the following types of information from a victim’s computer:

• Basic system fingerprinting information, like operating system version and IP address

• Username and passwords

• Cookies

• Autofill text for websites, including credit card data and other personal identifying information that might be stored by your browser

• Cryptocurrency wallet information and cryptocurrency wallet extensions

Information stealing malware, like Raccoon Stealer, is a component of all sorts of identity theft. The booming market on the Dark Web for passwords and other personal information make it a lucrative business for any cybercriminal - and Raccoon Stealer’s Malware-as-a-Service model makes it even easier for anyone to steal your information to make a profit.

“Wait, what is Malware-as-a-Service?”

On the Dark Web, developers will create and sell subscriptions to their malware, even providing customer service support to less tech-savvy individuals. Raccoon Stealer’s prior version, for example, cost $75 per week or $200 per month. This subscription fee gave the buyer an easy-to-use dashboard to customize the malware and retrieve their stolen data, access to customer support, and automatic updates from fixes and improvements by the developer. Raccoon Stealer was particularly popular due to the excellent customer service provided by the developers, infecting more than 200,000 devices before they temporarily shut down operations in March 2022.

Malware-as-a-Service allows newer or less technical hackers and scammers to have easy access to malware, which they then use to gather and sell credentials on the Dark Web. After turning a quick profit and establishing a reputation from these smaller attacks, the hackers and scammers then have access to more advanced or exclusive malware. It also serves as an easy access point for more advanced hackers and scammers to target specific organizations, or even harvest cryptocurrency. Earlier Raccoon Stealer campaigns allowed criminals to steal $13,200 worth of cryptocurrency and mine another $2,900 worth over a six month period, all for the cost of around $1,250.  

“So if Raccoon Stealer was making criminals so much money, why did it go away?”

Well, it turns out that one of the core developers of Raccoon Stealer was lost in the invasion of Ukraine. The developers posted on the Dark Web in March 2022 that one of the key members of their operations is “no longer with us” and they would have to close down Raccoon Stealer. However, they also made it clear that they wouldn’t “say goodbye forever” and are already working on a new version of the malware. As of June 2022, cybersecurity researchers have identified Raccoon Stealer 2.0.  

“What’s so special about Raccoon Stealer 2.0?”

For the most part, Raccoon Stealer 2.0 does the same stuff as the old Raccoon Stealer. It steals the same information and still has the Malware-as-a-Service model that lets cybercriminals easily set up their attacks. So what’s new about it? 

• Improved software, back end, and front end

• New malware and administrative panel, focused on performance and efficiency

• Built-in file downloader 

• File grabber that goes through all disks

• Can operate in 32- and 64-bit systems without any dependencies

• Sends data via individual POST requests instead of sending as a single .ZIP 

The last feature is pretty unusual - sending a POST request every time the malware finds new data increases the risk of the malware being detected. It also ensures maximum effectiveness until the malware is discovered and removed, guaranteeing that at least some information will be sent. It is likely, based on the customer service provided by Raccoon Stealer developers, that antivirus evasion will be built into Raccoon Stealer 2.0 as they continue to make improvements.

“How can I protect myself from Raccoon Stealer?”

Well, that depends. In the past, Raccoon Stealer was deployed in a couple of different ways, and each requires a different kind of defense:

• Masqueraded as legitimate, cracked software. Basically, people who didn’t want to pay for software, like Adobe Photoshop or Microsoft Office, would Google for legitimate software that they didn’t pay for, download it, and Raccoon Stealer would be included in that download. You can avoid this by only downloading software that you paid for from legitimate vendors.

• Email spam campaigns. Raccoon Stealer would be included in malicious email attachments containing macros. You can avoid this by disabling macros, not opening suspicious email attachments, and by recognizing phishing emails and spam.

• DropBox and social engineering. Scammers would use social engineering to trick users into navigating to filesharing sites, like DropBox, via a malicious URL, causing them to download Raccoon Stealer. You can avoid this by understanding and recognizing social engineering, and not clicking on links from people you don’t know or trust.

• Exploit kits. Raccoon Stealer would use the Fallout Exploit Kit to deploy the malware without user interaction - simply browsing the web and navigating to a malicious web page is all it takes to download Raccoon Stealer. The best ways to protect against exploit kits are by keeping your software up to date, using antivirus software and ad blockers, and avoiding suspicious websites. 

Not sure if you or your organization are positioned to defend against information stealing malware like Raccoon Stealer? Hive Systems can help! Our extensive experience in risk identification, remediation/mitigation planning, and implementation will not only help you lower the overall risk to your organization but also give you peace of mind in the process.

Learn more here.

Follow us - stay ahead.

Read more of the ACT