Raccoon Stealer Returns With Even Stealthier Version
Written by Karolis Liucveikis on
At PCRisk, we have closely followed the trials and tribulations associated with the Raccoon Stealer spyware, also often referred to as an info stealer. The last time we covered the topic was when Raccoon Stealer 2.0 emerged.
The malware's developers seemed to have taken a 6-month break starting in early 2023 but have now returned with version 2.3.0 of their infamous spyware.
Raccoon has proved popular with other threat actors who rent the malware like one would a software-as-a-service package for approximately 200 USD per month.
At last count, the malware was capable of stealing data from over 60 applications, including login credentials, credit card information, browsing history, cookies, and cryptocurrency wallet accounts.
Raccoon can then exfiltrate the sensitive data to command-and-control servers set up by threat actors. As good as the malware is at its job, the project hit a major obstacle in 2022 when one of the developers was arrested in the Netherlands.
The developer, a Ukrainian national named Mark Sokolovsky, went by several online pseudonyms, including raccoonstealer, Photix, and black21jack77777.
While Dutch police arrested the individual, the FBI and law enforcement partners in the Netherlands and Italy dismantled Raccoon Infostealer's infrastructure and took the malware's existing version offline.
Earlier that year, the group of developers behind the malware announced that operations would be put on hold following the death of one of its lead developers, who was killed during the invasion of Ukraine.
The announcement was made on Russian-speaking hacking forums. As with many other malware strains, we have seen the operators go on vacation only to return with a new, revamped version. Raccoon Stealer is no different.
In a Twitter post by VX-Underground, dated August 14, 2023, it was announced,
Today, Raccoon Stealer announced their return. The Raccoon Stealer team informed us that the individual from their team arrested in October 2022 was responsible for infrastructure. Following his arrest, they decided to rebuild the entire infrastructure from scratch.
The post was also given with a screenshot taken from a hacker forum, announcing the malware's return by developers associated with Raccoon Stealer.
The post announced that "they're" back, having spent their time "working tirelessly" to bring their customers new features that will enrich the user experience.
These new features were implemented after "customer" feedback, requests, and cybercrime trends, aiming to keep the malware in the top tier of the info stealers and spyware packages on the underground market.
New Feature Analysis
According to research conducted by security firm Cyberint, four new features and updates included with version 2.3.0 deserve special mention. The first additional feature is a quick search for cookies and passes. Researchers describe the new feature as follows,
The new Raccoon admin panel introduces a new way to search for URLs in the latest version. This means finding specific links in large datasets is now much faster, even when dealing with millions of documents and thousands of different links. The improvement is not just a minor upgrade – it's a significant step forward and changes how searches work for those who purchase Raccoon Malware, making them much quicker, even with huge amounts of data.
The second feature allows threat actors to detect unusual activity patterns, such as multiple accesses from the same IP address. This change targets security tools that use automation and bots to detect malware.
If Raccoon Stealer detects such behavior, it automatically deletes records associated with those activities and updates the threat actors' dashboard accordingly.
The third additional feature blocks IP addresses used by the crawlers and bots that security practitioners rely on to monitor Raccoon traffic and keep tabs on the malware.
The fourth feature is an improved log collection suite for better statistics.
Cyberint went on to summarize the malware's behavior and capabilities, noting,
Raccoon targets a wide range of applications and uses specific techniques to extract and harvest data from those applications. Additionally, it is observed that Raccoon performs the same procedure to extract data from its targeted applications:
- Extract the application file that contains the sensitive data.
- Copy the file to a specific folder (%Temp%).
- Create and write a text file to the target application's folder with the stolen information.
To obtain and decrypt credentials from applications, Raccoon acquires and downloads the DLLs associated with those applications.
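The three-step staging pattern quoted above (read an application's data file, copy it into %Temp%, write a text file with the results, plus fetching DLLs for decryption) is something an endpoint log reviewer can look for. The following is an added example written for this article, not Cyberint's or the malware's code: it runs a simple stage-matching rule over a constructed set of file-activity events, and every process name, path and file name in it is a hypothetical placeholder rather than an indicator from any report.

```python
from collections import defaultdict

# Constructed sample of endpoint file-activity events; not real telemetry.
# Each record: (pid, process image, operation, path). The process, folder
# and file names are hypothetical placeholders, not indicators from a report.
SAMPLE_EVENTS = [
    (4120, "explorer.exe", "read",  r"C:\Users\u\AppData\Local\ExampleApp\User Data\profile.db"),
    (7788, "update.exe",   "read",  r"C:\Users\u\AppData\Local\ExampleApp\User Data\profile.db"),
    (7788, "update.exe",   "write", r"C:\Users\u\AppData\Local\Temp\profile.db"),
    (7788, "update.exe",   "write", r"C:\Users\u\AppData\Local\Temp\ExampleApp\passwords.txt"),
    (7788, "update.exe",   "write", r"C:\Users\u\AppData\Local\Temp\sqlite3.dll"),
    (9001, "notepad.exe",  "write", r"C:\Users\u\Documents\notes.txt"),
]

TEMP_MARKER = "\\appdata\\local\\temp\\"
APPDATA_MARKER = "\\appdata\\"

def _is_temp(path):
    return TEMP_MARKER in path.lower()

def _is_app_data(path):
    # An application profile/data file, but not something already inside %Temp%.
    return APPDATA_MARKER in path.lower() and not _is_temp(path)

def collect_stages(events):
    """Map each pid to (image, set of staging stages it has exhibited)."""
    stages = defaultdict(set)
    images = {}
    for pid, image, op, path in events:
        images[pid] = image
        low = path.lower()
        if op == "read" and _is_app_data(path):
            stages[pid].add("read_app_file")         # step 1: touch the sensitive file
        elif op == "write" and _is_temp(path):
            if low.endswith(".txt"):
                stages[pid].add("write_txt_in_temp")  # step 3: text file with results
            elif low.endswith(".dll"):
                stages[pid].add("drop_dll_in_temp")   # DLLs fetched for decryption
            else:
                stages[pid].add("copy_to_temp")       # step 2: copy into %Temp%
    return {pid: (images[pid], stages[pid]) for pid in stages}

def find_suspects(events, min_stages=3):
    """Return [(pid, image, sorted stages)] for processes hitting >= min_stages."""
    found = []
    for pid, (image, seen) in collect_stages(events).items():
        if len(seen) >= min_stages:
            found.append((pid, image, sorted(seen)))
    return found
```

A single stage on its own is normal activity (a browser reads its own profile; installers drop DLLs in %Temp%), which is why the rule only flags a process that chains several of them.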
The report published by Cyberint goes into far more detail on the inner workings of the malware, including admin privileges and the payload itself.
Further, the report details every application, as well as cryptocurrencies and associated wallets targeted by the malware.
Cyberint also provided several mitigation and prevention strategies that will help protect against a Raccoon Stealer infection.
These include:
- Develop and enforce a comprehensive security policy that outlines best practices for employees, including guidelines on password management, email usage, and software updates.
- Provide regular security awareness training to employees to educate them about the risks of info stealer malware, phishing attacks, and safe online practices.
- Implement robust endpoint security solutions, including advanced antivirus and anti-malware software, to detect and prevent info stealer infections on devices used within the organization.
- Ensure that email security controls are applied to limit the delivery of potentially malicious attachments or links to end-users and implement protocols and security controls such as DKIM, DMARC, and SPF.
- Enforce using MFA for accessing sensitive systems and applications, adding an extra layer of security even if credentials are compromised.
- Develop and regularly update an incident response plan outlining the steps to take in an infostealer malware incident. This plan should include isolation, containment, eradication, and recovery procedures.
- Conduct regular security audits and assessments to ensure your security practices align with industry standards and regulations.
- Those using cryptocurrencies should consider using hardware-based wallets and ensure that payment addresses are verified before submitting a transaction.