Description
A second major version of the Raccoon Stealer malware, which offers criminals improved password-stealing functionality and more operational capacity, is once again making the rounds on cybercrime forums.
Summary
After shutting down operations in March 2022, having lost one of its lead developers to the war in Ukraine, the team promised to return with a second version. The malware-as-a-service (MaaS) project Raccoon Stealer has now been relaunched with upgraded infrastructure and more capabilities. The new Raccoon version, which has a new back-end, front-end, and credential- and data-stealing code, was written from the ground up in C/C++.
How it works
According to security analysts, the new Raccoon Stealer runs on both 32-bit and 64-bit systems without external dependencies and fetches only 8 legitimate DLLs from the C2 server. The C2 also collects machine fingerprint data, sends the malware its configuration (targeted applications, the URLs hosting the DLLs, and a token for data exfiltration), and then waits for POST requests containing the stolen data. Analysts have, however, highlighted the absence of modern anti-analysis and detection-evasion mechanisms.
The data stolen by Raccoon Stealer 2.0 includes the following:
Basic system fingerprinting info.
Browser passwords, cookies, autofill data, and saved credit cards.
Cryptocurrency wallets and web browser extensions.
Individual files located on all disks.
Screenshot capturing.
Installed applications list.
Remediation
Security analysts did not provide any remediation for this version of the malware, but the Guyana National CIRT recommends that users have reputable antivirus software installed on their systems, do not click on links in emails from unknown sources, and pay close attention to URLs when browsing or shopping online.
The Guyana National CIRT recommends that users and administrators review these recommendations and implement them where necessary.
PDF Download: Raccoon Stealer is back.pdf
References
Toulas, Bill. (28th June 2022). Raccoon Stealer is back with a new version to steal your passwords. Retrieved from Bleeping Computer. https://www.bleepingcomputer.com/news/security/raccoon-stealer-is-back-with-a-new-version-to-steal-your-passwords/
S2W Talon. (16th June 2022). Raccoon Stealer is back with a new version. Retrieved from S2W. https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d