A relatively new infostealing malware that can extract sensitive data from over 60 applications on a computer has entered the malware scene and has been gaining popularity on various cybercriminal forums.
Raccoon infostealer, as it is called, owes its popularity to its low price and generous feature set, even though it first came into the spotlight only about a year ago, in April 2019.
The malware, also known as Legion, Mohazo, and Racealer, was initially promoted only on Russian-speaking forums but was soon introduced to English-speaking ones as well. Raccoon is distributed under a malware-as-a-service (MaaS) model for about $75 per week or $200 per month.
For that price, a customer gets access to an administration panel to configure the malware to their liking, access to the stolen data, and the ability to download builds of the malware.
Why Cybercriminals Love the Raccoon Infostealer
This has brought in an influx of cybercriminal customers, many of whom lack technical knowledge but make up for it with business experience.
Although it is far from a complex tool and is written in C++, according to an analysis by CyberArk, the malware can steal sensitive and restricted data from almost 60 different programs, including browsers, cryptocurrency wallets, and email and FTP clients.
The targeted applications include popular browsers such as:
- Google Chrome
- Mozilla Firefox
- Microsoft Edge
- Internet Explorer
- UC Browser
along with more than 20 other browsers, from which it takes cookies, history, and auto-fill information.
What the Raccoon Infostealer does
Beyond browsers, Raccoon scans the system for wallet.dat files wherever they are stored, and hot-wallet applications such as Electrum, Ethereum, Exodus, Jaxx, and Monero are also of interest.
There is also an email client category in the program: Raccoon looks for data from at least Thunderbird, Outlook, and Foxmail.
CyberArk researchers state that the malware follows a simple routine: locate and copy the files that hold the restricted information, run the extraction and decryption routines, and write the result to a text file ready for exfiltration.
It also collects system details: OS version and architecture, language, hardware information, and a list of installed applications.
Toggling Malware Configuration
Customers who want more can adjust the malware’s configuration file so that it takes screenshots of the infected system and acts as a dropper for other malicious files, which turns it into a first-stage attack tool.
However, Raccoon itself is not known to offer privilege escalation on the system or lateral movement to other computers on the network.
“After fulfilling all its stealing capabilities, it gathers all the files that it wrote to the temp folder into one zip file named Log.zip. Now all it has to do is send the zip file back to the C&C server and delete its trace,” as quoted from CyberArk.
The program undergoes regular updates
Like any other malware, Raccoon is updated regularly with bug fixes and new functionality. Newer versions have extended its reach to additional applications such as FileZilla and UC Browser, and operators can now encrypt malware builds directly from the administration panel and obtain them in DLL form.
Despite using no special or tricky techniques, Raccoon remains one of the most popular infostealers on cybercriminal forums. A July 2019 report from Recorded Future listed it among the best-selling malware in the underground economy.
Cybereason researchers likewise note that over a three-month period the malware received positive reviews, with various actors praising and endorsing it.
Criticism is inevitable given its simplicity and limited feature set, yet despite that simplicity it has infected hundreds of thousands of computers. Attackers choosing a malicious tool are not primarily after technical sophistication but a good balance of price, accessibility, and capability.
As CyberArk puts it, stealers that once required a sophisticated attacker can now be bought by newcomers, and Raccoon is dangerous in their hands all the same:
“What used to be reserved for more sophisticated attackers, now even novice players can buy stealers like Raccoon with the intention of getting their hands on an organization’s sensitive data.”
What should we do?
Security researchers have observed that the most common delivery methods for Raccoon are exploit kits, phishing, and PUA (potentially unwanted applications) bundles.
In phishing campaigns, fraudulent emails carry Microsoft Office files with malicious macros; with exploit kits, a malicious or compromised website first probes the visitor’s browser for exploitable vulnerabilities and then serves the matching exploit to deliver the stealer.
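The two behaviours described on this page, the macro-based delivery chain above and the collection routine described earlier (read credential stores from many applications, then stage everything as a zip in the temp folder), are what a defender can actually look for. The following is an added detection example written for this article, not CyberArk’s or the page’s own code: two rules run over constructed process and file events. The event format, the set of Office and script-host binaries, and the threshold of three distinct applications are assumptions made for the example; the store paths are the applications’ real default locations but are only a starting point.

```python
import re
from collections import defaultdict

# Rule inputs: assumptions made for this example, not indicators from the article.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# On-disk stores of the kinds the article says Raccoon collects (browser logins,
# cookies, history, autofill; wallet.dat and hot-wallet data; mail-client
# profiles). Paths are the applications' real default locations, matched
# lower-cased and backslash-separated; the list is a starting point, not an inventory.
SENSITIVE_STORES = [
    ("chrome",      re.compile(r"\\google\\chrome\\user data\\.*\\(login data|cookies|web data|history)$")),
    ("edge",        re.compile(r"\\microsoft\\edge\\user data\\.*\\(login data|cookies|web data|history)$")),
    ("firefox",     re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite|formhistory\.sqlite)$")),
    ("thunderbird", re.compile(r"\\thunderbird\\profiles\\[^\\]+\\(logins\.json|key4\.db)$")),
    ("wallet.dat",  re.compile(r"\\wallet\.dat$")),
    ("electrum",    re.compile(r"\\electrum\\wallets\\")),
    ("exodus",      re.compile(r"\\exodus\\exodus\.wallet\\")),
]
TEMP_ARCHIVE = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.zip$")


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def office_spawned_script_host(events):
    """Delivery stage: an Office application (i.e. a macro) launching a script host."""
    alerts = []
    for e in events:
        if (e["type"] == "process" and basename(e["parent_image"]) in OFFICE_APPS
                and basename(e["image"]) in SCRIPT_HOSTS):
            alerts.append({"rule": "office_macro_child", "pid": e["pid"],
                           "parent": e["parent_image"], "image": e["image"],
                           "cmdline": e.get("cmdline", "")})
    return alerts


def store_collection_then_archive(events, min_stores=3):
    """Collection stage: one process reads stores belonging to >= min_stores
    different applications and afterwards creates a .zip under %TEMP%. Counting
    distinct applications, not files, keeps a browser reading its own profile
    from tripping the rule."""
    touched = defaultdict(set)   # pid -> application labels read so far
    alerts = []
    for e in events:             # events are assumed to be in time order
        if e["type"] != "file":
            continue
        path = e["path"].lower()
        if e["action"] == "read":
            for label, pattern in SENSITIVE_STORES:
                if pattern.search(path):
                    touched[e["pid"]].add(label)
        elif e["action"] == "create" and TEMP_ARCHIVE.search(path):
            stores = touched.get(e["pid"], set())
            if len(stores) >= min_stores:
                alerts.append({"rule": "stealer_staging", "pid": e["pid"],
                               "image": e["image"], "archive": e["path"],
                               "stores": sorted(stores)})
    return alerts


WORD    = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS      = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STEALER = r"C:\Users\alice\AppData\Local\Temp\update.exe"
CHROME  = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SEVENZ  = r"C:\Program Files\7-Zip\7z.exe"
U       = r"C:\Users\alice\AppData"

# Constructed telemetry (not real Sysmon/EDR output): a phishing chain that ends
# in stealer-style staging, plus benign activity that must not alert.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "image": WORD, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'WINWORD.EXE "invoice.docm"'},
    {"type": "process", "pid": 4388, "image": PS, "parent_image": WORD,
     "cmdline": "powershell.exe -WindowStyle Hidden -NoProfile"},
    {"type": "process", "pid": 5004, "image": STEALER, "parent_image": PS, "cmdline": "update.exe"},
    {"type": "file", "pid": 5004, "image": STEALER, "action": "read",
     "path": U + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "pid": 5004, "image": STEALER, "action": "read",
     "path": U + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "file", "pid": 5004, "image": STEALER, "action": "read",
     "path": U + r"\Roaming\Mozilla\Firefox\Profiles\x7q2k1.default-release\logins.json"},
    {"type": "file", "pid": 5004, "image": STEALER, "action": "read",
     "path": U + r"\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"type": "file", "pid": 5004, "image": STEALER, "action": "create",
     "path": U + r"\Local\Temp\Log.zip"},
    # benign: Chrome reading its own profile, an archiver zipping documents
    {"type": "file", "pid": 2210, "image": CHROME, "action": "read",
     "path": U + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "pid": 2210, "image": CHROME, "action": "read",
     "path": U + r"\Local\Google\Chrome\User Data\Default\History"},
    {"type": "file", "pid": 6610, "image": SEVENZ, "action": "create",
     "path": U + r"\Local\Temp\docs.zip"},
]

if __name__ == "__main__":
    for alert in office_spawned_script_host(SAMPLE_EVENTS) + store_collection_then_archive(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events the first rule flags the PowerShell process spawned by WINWORD.EXE, and the second flags update.exe, which read Chrome, Firefox and Exodus stores before creating Log.zip in the temp folder; Chrome reading its own profile and 7-Zip creating an unrelated archive produce nothing. Real telemetry needs file-read events (Sysmon logs file creation, not reads, so this rule needs EDR-level file access data), and the archive name should not be relied on, since the page itself notes that the malware is regularly updated.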
To date, Raccoon is still supported by a team and remains under active development, with no sign of that stopping any time soon.
Although the malware is far from the most sophisticated tool available, it stays popular with cybercriminals: what used to be out of reach is now attainable for novice players.
Even as newer malware and other dangerous software keep appearing, we should remain careful about how we behave online. TechRadar reports that Raccoon can target any browser, so whichever one you use, you are not safe.
Stay cautious and wary of this relatively young malware, since it is one of the most popular in the cybercriminal market. Defend your data and take good care of your personal information.