The authors of "Raccoon Stealer," one of the most prolific information stealers of 2021, have launched a brand new and improved version of the malware just three months after shutting down operations following the death of its lead developer in Ukraine.
Researchers from French cybersecurity vendor Sekoia this week reported stumbling upon active servers hosting Raccoon Stealer files while searching for signs of the malware earlier this month. Sekoia's subsequent investigation showed the authors of the malware had been advertising the new version via their Telegram channel since at least May 17.
Sekoia said its analysis showed the authors of Raccoon Stealer have rewritten the malware and its administrative panel from scratch. The main focus of the effort appears to have been on improving the stealer's performance and efficiency. At its core, the new Raccoon Stealer remains a classic information stealer, with an additional focus on cryptocurrency wallets. It is designed to steal passwords, cookies, credit card data, and autofill forms from most modern browsers. The malware can steal from a range of desktop crypto wallets including Electrum, Exodus, MetaMask, and Coinomi.
New and Improved
Sekoia found Raccoon Stealer V2 to also feature capabilities, such as a file grabber for all disks and a built-in file downloader, for exfiltrating files from compromised systems and loading other software onto those systems. Other capabilities include screenshot capturing, keystroke logging, and application enumeration. "It is worth noting that the malware implements almost no defense evasion techniques, such as anti-analysis [or] obfuscation," Sekoia said in a report summarizing its analysis this week. However, expect the malware authors to add these capabilities soon, the security vendor said.
Several security researchers had fully anticipated Raccoon Stealer would resurface when its developers announced they were ceasing operations on March 25. The malware, which first surfaced in 2019, is widely regarded as one of the most effective information stealers in recent memory. Raccoon Stealer's developers initially distributed it via a malware-as-a-service model that allowed other criminals to rent and use the stealer for a portion of the profits.
Over time, criminals began distributing it in other ways as well, including by planting it on websites advertising pirated software. Last August, researchers from Sophos reported criminals dropping the malware from sites that were optimized to rank high in Google search results when people searched for sources of pirated software. In that campaign, Sophos concluded the criminals distributing Raccoon Stealer were likely using "droppers-as-a-service" to distribute the malware. Sophos researchers also observed attackers using a Telegram channel to deliver the address of the command-and-control gateway to systems infected with Raccoon Stealer. The security vendor surmised that Raccoon Stealer attackers had begun using the Telegram channel to make it harder to locate the malware's command-and-control infrastructure.
Resurfacing on Cue
In January 2022, Bitdefender's Cyber Threat Intelligence Lab observed the operators of the widely used RIG Exploit Kit include Raccoon Stealer in their kit. However, when Raccoon Stealer's developers announced they were quitting, the authors of RIG quickly swapped out the malware for the older but still popular Dridex banking Trojan. Recently, criminals have also used fake installers for legitimate software, such as VPNs from F-Secure and Proton, to distribute Raccoon Stealer.
In a report last week, Bitdefender predicted that Raccoon Locker would return despite the setback that pushed the developers to cease operations in March. It is an assessment that Sekoia shared this week. "We expect a resurgence of Raccoon Stealer v2 as developers implemented a version tailored to the needs of cybercriminals and scaled their backbone servers to handle large loads," Sekoia said.