‘Raccoon Stealer’ Now Comes With a Crypto-Transaction Grabber and a Malware Dropper

  • ‘Raccoon Stealer’, one of the most popular MaaS platforms now gives clients the ability to drop additional malware.
  • Most notably, actors can now steal cryptocurrency transactions and also drop miners onto the victim’s machine.
  • In typical deployment cases, the return from using Raccoon is nine times its renting cost.

The authors of ‘Raccoon Stealer’ malware-as-a-service (MaaS) have upgraded their tool with the capability to steal crypto-currency transactions from the infected machine, as well as a new dropper that can fetch additional malware payloads. Raccoon Stealer is sold as a commodity malware to anyone interested for $75 to $200 per month and has risen in popularity since last year. Researchers at Sophos have recently noticed a new version circulating in the wild, which has re-sparked the interest of cybercriminals in the particular malware platform.

Raccoon can currently collect user passwords, browser cookies, the “autofill” text entered on website forms, and anything that comes through, such as credit card details, or names, or email addresses. And now, cryptocurrency wallets and transactions are also being targeted, thanks to a new clipper component. In the latest minor release (v1.7.4), the author fixed log-collection issues and made the exfiltration less problematic in general.

Source: Sophos

The developers of Raccoon assign a different signature on each executable of the malware they rent to customers, so if someone leaks it anywhere, they can trace back the culprit client and ban them. These tools are used by huge numbers of low-grade hackers as they are relatively cheap and pretty effective in what they can do. Also, they are generally deployed in low-risk operations, and most cybercriminals prefer these as they come with fewer chances of finding trouble with law enforcement.

Source: Sophos

The most common way of distribution is via spam email that comes with a laced document. The second most popular way of spreading Raccoon is through websites that supposedly offer a torrent to download pirated software. The sites used for these campaigns are SEO-optimized so that Google Search includes them on the first page of the results.

Source: Sophos

Downloading anything from these websites gets you a password-protected folder with a self-extracting installer, usually a 7zip or WinZip file. By using the new malware dropper function, the actors now fetch the following in addition to the Raccoon Stealer:

  • crypto-miners
  • “clippers” (malware that steals cryptocurrencies by modifying the victim’s system clipboard during transactions and changing the destination wallet)
  • malicious browser extensions
  • YouTube click-fraud bots
  • Djvu/Stop (a ransomware targeted primarily at home users)

Another new element in the recent Raccoon iteration is the use of Telegram channels for the communication between the stealer and the C2 gateway. The connection is encrypted for obfuscation and detection avoidance.

Source: Sophos

Sophos analyzed some BTC wallet addresses used in the spotted campaign as the deposit points for the stolen crypto and found a total of $14,200 in them. It is estimated that through the deployment of crypto-miners that run on the victims’ systems, the same actors made another $2,900 over a six-month period. The cost for renting Raccoon for six months is $1,200 max, so the actors made at least $16k, or $2,650 per month.

Latest
How to Watch She-Hulk: Attorney at Law Online on Disney Plus
The Marvel series string continues with yet another superhero, and you will be able to stream the episodes online quite easily, just...
How to Watch ’60 Days In’ Season 7 Online From Anywhere
A new season of 60 Days In is coming in soon on A&E, so we're excited to see what will happen in...
How to Watch Selena + Chef Season 4 Online From Anywhere
Our favorite cooking show starring pop star Selena Gomez is back for a brand new season, and we're excited to stream all...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari
[class^="wpforms-"]
[class^="wpforms-"]
[class^="wpforms-"]
[class^="wpforms-"]