Raccoon might not be the cheapest option on the market, but the malware has gained popularity among cybercriminals for its ability to target at least 60 applications, many of which are browsers in everyday use today.
The Raccoon infostealer, also known as Racealer, has attracted a following in underground forums thanks to the aggressive marketing of its wide range of capabilities, use of bulletproof hosting and an easy-to-use backend. The malware is offered at a price of $200 a month and was first spotted by researchers from cybersecurity firm Cybereason in 2019.
While more expensive than other standalone, bareboned offerings, Raccoon’s subscription-based model — which includes technical support, bug fixes, and updates at a relatively cheap Malware-As-A-Service (MaaS) price point — as well as its overall capabilities have made it a worthwhile investment for cybercriminals seeking to steal data and cryptocurrency.
A new analysis of the malware from Cyberark notes that many infostealers aren’t generally sophisticated and use the same variety of techniques to steal information. However, in Raccoon’s case, the C++ malware is able to steal data from 35 browsers and 60 overall applications.
According to Cyberark, Raccoon is generally delivered through phishing campaigns and exploit kits. Fraudulent emails sent to would-be victims contain Microsoft Office document attachments with malicious macros, whereas the exploit kits are usually hosted on websites.
Victims are profiled for any potential browser-based vulnerabilities and based on this analysis, they are redirected to the appropriate exploit kit.
The command-and-control (C2) server, necessary for the transfer of stolen information as well as for remote malware configuration updates, has its address hidden via several layers of encryption.
Raccoon is able to steal financial information, online credentials, PC data — such as operating system types and versions, the language in use, and installed application lists — cryptocurrency wallets, and browser information including cookies, history logs, and autofill content.
The malware targets a wide variety of popular Mozilla and Chromium browsers: Google Chrome, Google Chrome (Chrome SxS), Chromium, Xpom, Comodo Dragon, Amigo, Orbitum, Bromium, Nichrome, RockMelt, 360Browser, Vivaldi, Opera, Sputnik, Kometa, Uran, QIP Surf, Epic Privacy, CocCoc, CentBrowser, 7Star, Elements, TorBro, Suhba, Safer Browser, Mustang, Superbird, Chedot, Torch, Internet Explorer, Microsoft Edge, Firefox, WaterFox, SeaMonkey, and PaleMoon.
In addition, Raccoon attempts to compromise ThunderBird, Outlook, and Foxmail email clients.
Cyberark says the same procedure is in play for each target application. The malware will grab the application files containing sensitive data and copy them to a temp folder, perform routines to extract and decrypt the information, write this content to a separate text file, and then send it off to a C2.
“In order to extract and decrypt the credentials from the applications, Raccoon downloads the specific DLLs for the applications,” the researchers say. “The config JSON contains a URL from where the malware will download those libraries.”
Cryptocurrency, too, is at risk. Raccoon will seek out Electrum, Ethereum, Exodus, Jaxx, Monero, and Bither wallets by scanning for their default application folders, and will also attempt to grab their wallet credentials.
Once Raccoon has stolen the data it requires, this information is compiled into a .zip archive file and sent to the C2. It may also act as a dropper for additional malware payloads.
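The staging sequence described above (read a browser, mail or wallet data store, copy it to a temp folder, write out text and .zip artifacts, then contact the C2) is what a defender can correlate per process in endpoint telemetry. The following is an added example, not code from the article or from the Cyberark or Cybereason analyses: a toy scoring rule over constructed file and network events, with illustrative store names and paths that are assumptions rather than the malware's actual target list.

```python
# Added example: per-process correlation of the stealer staging pattern the
# article describes. Event records, paths and thresholds are constructed.
import re
from collections import defaultdict

# Well-known browser credential stores and the wallet folders the article
# names; illustrative only, not the real target list.
SENSITIVE_STORE = re.compile(
    r"(Login Data|Cookies|Web Data|logins\.json|key4\.db|cert9\.db|"
    r"\\(Electrum|Ethereum|Exodus|Jaxx|Monero|Bither)\\)", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(Temp|tmp)\\", re.IGNORECASE)
ARCHIVE = re.compile(r"\.zip$", re.IGNORECASE)

def stage_of(event):
    """Map one telemetry event to the staging step it resembles, or None."""
    op, path = event.get("op"), event.get("path", "")
    if op == "read" and SENSITIVE_STORE.search(path):
        return "read_store"          # touched a credential/wallet store
    if op == "write" and TEMP_DIR.search(path) and not ARCHIVE.search(path):
        return "stage_temp"          # copied or decrypted data into temp
    if op == "write" and ARCHIVE.search(path):
        return "archive"             # packed results into a .zip
    if op == "connect":
        return "exfil"               # outbound connection (possible C2)
    return None

def score_processes(events, min_stages=3):
    """Return {pid: sorted stage names} for processes hitting >= min_stages."""
    stages = defaultdict(set)
    for ev in events:
        s = stage_of(ev)
        if s:
            stages[ev["pid"]].add(s)
    return {pid: sorted(st) for pid, st in stages.items() if len(st) >= min_stages}

# Constructed sample telemetry: pid 77 is a browser reading its own profile
# and talking to the web (benign, only two stages); pid 4242 walks the full
# read -> temp -> zip -> connect chain.
SAMPLE_EVENTS = [
    {"pid": 77, "op": "read", "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 77, "op": "connect", "path": "203.0.113.9:443"},
    {"pid": 4242, "op": "read", "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4242, "op": "read", "path": r"C:\Users\a\AppData\Roaming\Electrum\wallets\default_wallet"},
    {"pid": 4242, "op": "write", "path": r"C:\Users\a\AppData\Local\Temp\Login Data"},
    {"pid": 4242, "op": "write", "path": r"C:\Users\a\AppData\Local\Temp\passwords.txt"},
    {"pid": 4242, "op": "write", "path": r"C:\Users\a\AppData\Local\Temp\out.zip"},
    {"pid": 4242, "op": "connect", "path": "198.51.100.7:80"},
]
```

Running `score_processes(SAMPLE_EVENTS)` flags only pid 4242; in practice the rule would be fed from Sysmon or EDR file and network events and tuned against the browsers and backup tools that legitimately touch these stores.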
The malware continues to be supported by a team and development is ongoing. Recently, Raccoon was also given the ability to steal FTP server credentials from FileZilla, UI errors were resolved, and the authors also created an option to encrypt custom malware builds from the UI for download as a DLL.
“Even though Raccoon is not the most sophisticated tool available, it is still very popular among cybercriminals and will likely continue to be,” the researchers say. “What used to be reserved for more sophisticated attackers is now possible even for novice players who can buy stealers like Raccoon and use them to get their hands on an organization’s sensitive data.”