Raccoon Stealer disguised as pirated software grabs cryptocurrencies, passwords, and cookies while dropping malicious content on targeted systems, Sophos found. It is being sold as a service for as cheap as $75.
Researchers from cybersecurity company Sophos tracked information-stealing malware dubbed Raccoon Stealer, after the "trash panda" nickname commonly given to raccoons. Raccoon Stealer is not sold as standalone software; its operators rent it out as a service. Its developers have been marketing the malware among criminals for at least two years.
“With much of daily and professional life now reliant on services delivered through a web browser, the operators behind information-stealing malware are increasingly targeting stored web credentials that provide access to a lot more than they could get by just stealing stored password hashes,” Sean Gallagher, a senior threat researcher at Sophos, said in a press release.
Usually, Raccoon Stealer is distributed through spam email, but researchers also found that it is spread through droppers that malware operators disguise as cracked software installers. These droppers bundle Raccoon Stealer with additional attack tools, including malicious browser extensions, YouTube click-fraud bots, and Djvu/Stop, a ransomware family aimed primarily at home users.
“The actors behind the campaign also used search engine optimization to raise the chances that people looking for a particular software package would visit the malicious sites. Search for ‘[software product name] crack’ on Google returns links to websites that purport to provide downloads of software with license requirements bypassed,” the research showed.
Raccoon Stealer grabs passwords, cookies, and the autofill text for websites, including credit card data and other personally identifiable information that the browser might store. Cybercriminals rent the malware for only $75 a week and can easily monetize the data they manage to steal.
“Thanks to a recent ‘clipper’ update that changes the clipboard or destination information for a cryptocurrency transaction, Raccoon Stealer also now targets crypto-wallets, and it can retrieve or load files – such as additional malware – on infected systems,” Gallagher said.
Raccoon Stealer's sales model differs from that of ransomware and other more sophisticated criminal malware operations: there is no vetting of buyers, and anyone can purchase it, regardless of their reputation in the criminal underworld.
“Services such as Raccoon permit nascent cybercriminals to establish a reputation that would let them subscribe to, or purchase, more advanced malware from more exclusive vendors,” Sophos research shows.
According to the researchers, the operators behind the Raccoon Stealer also used the Telegram chat service for the first time for command-and-control communications. According to Gallagher, information stealers fill an important niche in the cybercrime ecosystem - they offer a quick return on investment and represent an easy and cheap entry point for more significant attacks.
“Cybercriminals often sell stolen identity credentials on ‘dark’ marketplaces, allowing other attackers, including ransomware operators or Initial Access Brokers, to take advantage of them for their criminal intentions – such as breaking into a corporate network through a workplace chat service. Or attackers can use credentials for further attacks targeting other users on the same platform. There is a constant demand for stolen user credentials – especially credentials providing access to legitimate services that attackers can use to host or spread more malware easily. Information stealers may look like lower-level threats, but they’re not,” Gallagher said.
According to the researchers, Raccoon Stealer developers keep tight control over who has access to their malware. Customers manage the bots they deploy through a Tor-based web panel hosted by the developers. Each executable of the malware carries a signature tied to the customer, so that if a sample shows up on VirusTotal or other malware-sharing sites, the developers can trace it back to the customer who may have leaked it.