The last time this publication reported on the Raccoon info stealer malware was when it was being dropped by Legion Loader as an additional payload along with several other malware variants. Raccoon has yet again popped up on researchers’ radar, which is unsurprising given how popular the malware has become on underground forums over the last year. Raccoon proves that what was cutting edge a few years ago can now be offered for a modest price and still retain its effectiveness. While Raccoon does not rewrite the book on malware development, it has undergone constant upgrades while being offered as malware-as-a-service (MaaS) and continues to be a threat despite its lack of sophistication.
MaaS operations look to emulate the popular software-as-a-service business model, but rather than renting out software, malware developers provide access to the malware for a fee. Often the service includes a client portal as well as technical support. Info stealers, malware designed to harvest information like login or banking credentials and send the data to a command and control server under the hacker’s control, have become popular products offered on underground forums, with Raccoon being one of the most popular, often seen receiving positive customer feedback and glowing reviews. One of the major contributors to the popularity of Raccoon is the list of features it provides, which is constantly being added to by the malware’s developers. The generous price the service is being offered at doesn’t hurt its popularity either. When first discovered in April 2019 the malware was being offered at 75 USD per week or 200 USD per month. It was initially offered on Russian underground forums but was soon being advertised on similar English-speaking forums.
The latest version discovered and reported on by CyberArk found that the malware is written in C++ but is far from complex. This does not mean that the malware is ineffective, as Raccoon is still capable of stealing sensitive information from nearly 60 apps, with browsers, cryptocurrency wallets, email, and FTP clients all being targeted by the info stealer. Raccoon targets all the most popular web browsers and more. Currently, the malware targets Google Chrome, Google Chrome (Chrome SxS), Chromium, Xpom, Comodo Dragon, Amigo, Orbitum, Bromium, Nichrome, RockMelt, 360Browser, Vivaldi, Opera, Sputnik, Kometa, Uran, QIP Surf, Epic Privacy, CocCoc, CentBrowser, 7Star, Elements, TorBro, Suhba, Safer Browser, Mustang, Superbird, Chedot, Torch, Internet Explorer, Microsoft Edge, Firefox, WaterFox, SeaMonkey, and PaleMoon.
It is not only browsers that are of interest to Raccoon but also cryptocurrency apps and email client software. Raccoon targets Electrum, Ethereum, Exodus, Jaxx, and Monero by searching for their wallet files if stored in the default locations on the victim’s PC. Further, Raccoon can also scan for wallet.dat files and grab them regardless of where they are stored. As to the targeted email client packages, Raccoon looks for data from at least Thunderbird, Outlook, and Foxmail. Once the information Raccoon scans for is found, it is copied to a text file which is then exfiltrated to a command and control server. Additionally, the malware is capable of collecting system details, including OS version and architecture, language, hardware info, and installed apps. Attackers can also customize Raccoon’s configuration file to snap pictures of the infected system’s screen. Additionally, the malware can act as a dropper for other malicious files, essentially turning it into a stage-one attack tool. This ability to drop other malware can be used for immediate financial gain, since the information stolen by the malware will not always yield immediate profit on its own. Rather, the information is often better suited for increasing privileges on the machine as well as spreading to other computers across a network.
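As an added detection-side illustration (not from the article or from CyberArk’s analysis), the heuristic below flags a process that, within a short window, reads artifacts from more than one of the classes named above: browser credential stores, cryptocurrency wallet files and email client profiles. The log format, the path fragments and the sample events are all constructed for this example; real deployments would feed it EDR or Sysmon file-access telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Path fragments for the three artifact classes the article says Raccoon collects (constructed list).
TARGET_CATEGORIES = {
    "browser": ("Login Data", "Web Data", "cookies.sqlite", "logins.json"),
    "wallet": ("wallet.dat", "Electrum", "Exodus", "Jaxx", "Monero"),
    "email": ("Thunderbird", "Foxmail", "Outlook"),
}
WINDOW = timedelta(seconds=60)  # reads must cluster within this window
MIN_CATEGORIES = 2              # a legitimate app rarely touches more than one class
# Constructed log format: "<ISO time> pid=<n> image=<path> read=<path>"
LINE_RE = re.compile(r"^(\S+) pid=(\d+) image=(.+?) read=(.+)$")

SAMPLE_LOG = [  # constructed sample events, not real telemetry
    r"2020-03-01T10:00:01 pid=4120 image=C:\Users\u\AppData\Local\Temp\svc.exe read=C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2020-03-01T10:00:03 pid=4120 image=C:\Users\u\AppData\Local\Temp\svc.exe read=C:\Users\u\AppData\Roaming\Bitcoin\wallet.dat",
    r"2020-03-01T10:00:05 pid=4120 image=C:\Users\u\AppData\Local\Temp\svc.exe read=C:\Users\u\AppData\Roaming\Thunderbird\Profiles\abc.default\prefs.js",
    r"2020-03-01T10:00:02 pid=2210 image=C:\Program Files\Mozilla Firefox\firefox.exe read=C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\xyz.default\logins.json",
]

def categorize(path):
    """Return the artifact class a path belongs to, or None if it is not a known target."""
    lowered = path.lower()
    for cat, needles in TARGET_CATEGORIES.items():
        if any(n.lower() in lowered for n in needles):
            return cat
    return None

def detect(lines, window=WINDOW, min_categories=MIN_CATEGORIES):
    """Return {(pid, image): sorted classes} for processes reading >= min_categories classes within window."""
    reads = defaultdict(list)  # (pid, image) -> [(timestamp, class)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts, pid, image, path = m.groups()
        cat = categorize(path)
        if cat:
            reads[(int(pid), image)].append((datetime.fromisoformat(ts), cat))
    alerts = {}
    for key, events in reads.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window from each read
            cats = {c for t, c in events[i:] if t - start <= window}
            if len(cats) >= min_categories:
                alerts[key] = sorted(cats)
                break
    return alerts
```

Firefox reading its own logins.json touches a single class and is not flagged; the unknown binary in Temp that sweeps a browser store, a wallet and a mail profile within seconds is.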
You don’t need to be Special to be Popular
There is nothing new about Raccoon’s tactics and operations, but this has very little bearing on its effectiveness and popularity amongst hackers lacking the skills needed to develop their own malware strains. Just as software-as-a-service companies look to improve the product offered by fixing bugs and improving features, Raccoon does as well. In one of the versions analyzed, researchers noted extended support for targeted apps, with FileZilla and UC Browser added, along with the option to encrypt malware builds straight from the administration panel and obtain them in DLL form. This pattern of constant improvement has been a defining trait of Raccoon since it emerged on underground forums.
In June 2019, only a few months after its discovery, Recorded Future noted that it had fast become one of the best-selling malware strains on forums. A mere three months after the Recorded Future report, Cybereason noted that the malware was enjoying positive reviews from the community, with many actors praising and endorsing the malware. Established members, though, criticized its simplicity and its lack of features present in other info stealers. This criticism was duly noted, as Raccoon continues on an aggressive development cycle, and despite its apparent simplicity the malware has racked up hundreds of thousands of infections. As to the danger posed by Raccoon, researchers at CyberArk stated:
“This kind of information stealer can cause a lot of damage to individuals and organizations. The attackers are looking for privileged credentials in order to achieve privilege escalation and lateral movement. What used to be reserved for more sophisticated attackers is now possible even for novice players who can buy stealers like Raccoon and use them to get their hands on an organization’s sensitive data. And this goes beyond usernames and passwords to information that can get them immediate financial gain like credit card information and cryptocurrency wallets.”