Info-stealing malware ‘Raccoon’ can extract data from 60 applications

Malware is commonly known for making a user's computer unstable, but not all malware is designed that way. Info-stealing malware can quietly locate sensitive data, extract it and erase the traces of its presence. One popular info-stealing malware is 'Raccoon', which was first identified in April 2019 and has since been upgraded continuously to evade the computer's security. Raccoon is now found extracting sensitive data from 60 applications on an infected computer.

Raccoon is popular on dark web and cybercriminal forums because it is affordable and offers decent capabilities and generous features. It is sold as Malware-as-a-Service (MaaS) and has been at the top of MaaS offerings in the cybercriminal market for a while.

Evolution of Raccoon

Raccoon is deployed using phishing, exploit kits and PUA (Potentially Unwanted Applications). The malware was first known as Mohazo, Legion and Racealer and was found in Russian forums. It has since spread to English forums and is gaining traction. The MaaS model is offered for $75 USD per week and $200 USD per month. Once attackers purchase the malware, they get access to its admin panel, which lets them customize Raccoon and weaponize it for their goal. Thanks to the ease of customization, even a non-technical person can deploy the malware successfully.

It is written in C++ and is comparatively less complex than other MaaS offerings. Raccoon is capable of extracting data from browsers, cryptocurrency apps, wallets, email clients and more. Browsers include Chrome, Firefox, Edge, IE, Opera, SeaMonkey, UC Browser, Vivaldi, and Waterfox. Cryptocurrency apps such as Electrum, Ethereum, Exodus, Monero and Jaxx are also vulnerable. Outlook, Thunderbird and Foxmail are the email clients from which Raccoon can extract sensitive data.

Capabilities of Raccoon

Raccoon locates the targeted sensitive data, copies the file or folder, extracts the data into a zip file called Log.zip inside the temp folder, and then applies decryption routines to convert it into a simple text file for exfiltration. Apart from data extraction, Raccoon can also collect information about OS versions, hardware, software and other third-party apps. It can also take screenshots of infected systems, and it can be used as a level one attack by dropping other malicious programs onto the system.

According to the Recorded Future report, 'Raccoon' is one of the best-selling malware families in the underground economy. Though it isn't a very complex program, it can infect systems and collect information at a very low price, which has made it a popular MaaS among cybercriminals. It has now infected thousands of devices across the world. Even a rookie can use this malware to exfiltrate information from a targeted computer or network.

How to detect this Info-stealing malware?

Users are advised to employ indicators of compromise (IoC), YARA rules or anti-virus software with updated signatures, all of which help detect it. Users can also employ endpoint detection and response strategies to combat threats like Raccoon. A few days back we wrote about the Ginp trojan, which targets Android devices and disguises itself as legitimate banking apps. Malware evolves every day, and MaaS offerings in particular keep growing in number, so double up on security and stay vigilant.
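The Log.zip staging step described under "Capabilities of Raccoon" leaves a file artifact that can be hunted for on an endpoint. The sketch below is an added example, not code from the Recorded Future report or from this article; the function names and the choice of temp locations are assumptions. A file named Log.zip is only a triage lead, since legitimate software can use the same name.

```python
import os
import tempfile
import zipfile
from datetime import datetime, timezone

# Archive name reported in the article; compared case-insensitively.
STAGING_NAME = "log.zip"


def default_temp_roots():
    """Temp locations to check on this host (assumption: discovered from the environment)."""
    roots = {tempfile.gettempdir()}
    for var in ("TEMP", "TMP"):
        if os.environ.get(var):
            roots.add(os.environ[var])
    return sorted(roots)


def find_staging_archives(roots):
    """Walk each root and describe every file named Log.zip without extracting it."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != STAGING_NAME:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                    is_zip = zipfile.is_zipfile(path)
                except OSError:
                    continue  # file vanished or is unreadable
                members = []
                if is_zip:
                    try:
                        with zipfile.ZipFile(path) as zf:
                            members = zf.namelist()  # names only, nothing is unpacked
                    except (OSError, zipfile.BadZipFile):
                        pass  # keep the finding, it is still worth a look
                mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                findings.append({"path": path, "size": st.st_size, "is_zip": is_zip,
                                 "modified_utc": mtime.isoformat(), "members": members})
    return findings


if __name__ == "__main__":
    for f in find_staging_archives(default_temp_roots()):
        print(f"{f['modified_utc']}  {f['size']:>10}  zip={f['is_zip']}  "
              f"{len(f['members'])} entries  {f['path']}")
```

Correlate any hit with the process that created the file and with outbound connections around the modification time before treating it as an infection.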

William Marshal

William has been one of the key contributors to 'The Cybersecurity Times', with 9.5 years of experience in cybersecurity journalism. Apart from writing, he also likes hiking, skating and coding.
