'Raccoon Stealer' Scurries Back on the Scene After Hiatus

Researchers this week said they had observed criminals using a new and improved version of the prolific malware, barely three months after its authors announced they were quitting.

The authors of "Raccoon Stealer," one of the most prolific information stealers of 2021, have released a new and improved version of the malware just three months after shutting down operations following the death of its lead developer in Ukraine.

Researchers from French cybersecurity vendor Sekoia this week reported stumbling upon active servers hosting Raccoon Stealer files while searching for signs of the malware earlier this month. Sekoia's subsequent investigation showed the authors of the malware had been selling the new version via their Telegram channel since at least May 17.

Sekoia said its analysis showed the authors of Raccoon Stealer have rewritten the malware and its administrative panel from scratch. The focus of the effort appears to have been on improving the stealer's performance and efficiency. At its core, the new Raccoon Stealer remains a classic information stealer, with an extra focus on cryptocurrency wallets. It is designed to steal passwords, cookies, credit card data, and autofill forms from most modern browsers. The malware can steal from a wide range of desktop crypto wallets including Electrum, Exodus, MetaMask, and Coinomi.

New and Improved

Sekoia found Raccoon Stealer V2 to also feature capabilities — such as a file grabber for all disks and a built-in file downloader — for exfiltrating files from compromised systems and loading other software onto them. Additional capabilities include screenshot capturing, keystroke logging, and application enumeration. "It's worth noting that the malware implements almost no defense evasion techniques, such as anti-analysis [or] obfuscation," Sekoia said in a report summarizing its analysis this week. However, expect the malware authors to add those capabilities soon, the security vendor said.

Several security researchers had fully expected Raccoon Stealer to resurface when its developers announced they were stopping operations on March 25. The malware, which first surfaced in 2019, is widely regarded as one of the most effective information stealers in recent memory. Raccoon Stealer's developers initially distributed it via a malware-as-a-service model that allowed other criminals to rent and use the stealer for a portion of the profits.

Over time, criminals began distributing it in other ways as well, including by planting it on websites selling pirated software. Last August, researchers from Sophos reported criminals dropping the malware from sites that were optimized to surface high on Google search engine results when people searched for sources of pirated software. In that campaign, Sophos concluded the criminals distributing Raccoon Stealer were likely using "droppers-as-a-service" to distribute the malware. Sophos researchers also observed attackers using a Telegram channel to deliver the address of the command-and-control gateway to systems infected with Raccoon Stealer. The security vendor surmised that Raccoon Stealer attackers had begun using the Telegram channel to make it harder to locate the malware's command and control infrastructure.

Resurfacing on Cue

In January 2022, Bitdefender's Cyber Threat Intelligence Lab observed the operators of the widely used RIG Exploit Kit include Raccoon Stealer in their kit. However, when Raccoon Stealer's developers announced they were quitting, the authors of RIG quickly swapped out the malware for the older but still popular Dridex banking Trojan. Recently, criminals have also used fake installers for legitimate software — such as VPNs from F-Secure and Proton — to distribute Raccoon Stealer.

In a report last week, Bitdefender predicted that Raccoon Locker would return despite the setback that pushed the developers to cease operations in March. It's an assessment that Sekoia shared this week. "We expect a resurgence of Raccoon Stealer v2 as developers implemented a version tailored to the needs of cybercriminals and scaled their backbone servers to handle large loads," Sekoia said.