'Raccoon Stealer' Scurries Back on the Scene After Hiatus

The authors of “Raccoon Stealer,” one of the most prolific information-stealers of 2021, have released a new and improved version of the malware just three months after shutting down operations following the death of its lead developer in Ukraine.

Researchers from French cybersecurity vendor Sekoia this week reported stumbling upon active servers hosting Raccoon Stealer files while searching for signs of the malware earlier this month. Sekoia’s subsequent investigation showed that the authors of the malware had begun selling the new version via their Telegram channel starting at least May 17.

Sekoia said its analysis showed that the malware and administrative panel for it have been rewritten from scratch; the focus of the effort appears to have been on improving the stealer’s performance and efficiency. 

At its core, the new Raccoon Stealer remains a classic information-stealer, now with an extra focus on cryptocurrency wallets. It is designed to steal passwords, cookies, credit-card data and autofill forms from most modern browsers. The malware can also steal from a wide range of desktop crypto wallets including Electrum, Exodus, MetaMask and Coinomi.

Scavenging More Than Just Credentials

Sekoia found Raccoon Stealer 2.0 to also feature capabilities for exfiltrating files for compromised systems and loading other software on the systems. These include  a file grabber for all disks and a built-in file downloader.

Additional capabilities include screenshot capturing, key-stroke logging and application enumeration. 

“It’s worth noting that the malware implements almost no defense-evasion techniques, such as anti-analysis [and] obfuscation,” Sekoia said in a report summarizing its analysis this week. However, expect the malware authors to add those capabilities soon, the security vendor said.

Racoon Remains an Evolving Threat

The malware, which first surfaced in 2019, is widely regarded as one of the most effective information stealers in recent memory. Racoon Stealer’s developers initially distributed it via a malware-as-a-service (MaaS) model that allowed other criminals to rent and use the stealer for a portion of the profits.

Over time, cybercriminals have used a number of ways to get the threat onto victims' machines, including by planting it on websites selling pirated software. Last August, researchers from Sophos reported criminals dropping the malware from sites that were optimized to surface high on Google search engine results when people searched for sources of pirated software. 

In that campaign, Sophos concluded the criminals distributing Raccoon Stealer were likely using “droppers-as-a-service” to distribute the malware. Sophos researchers also observed attackers using a Telegram channel to deliver the address of the command-and-control gateway to infected systems. 

The security vendor also surmised that Raccoon Stealer attackers had begun using the Telegram channel to make it harder to locate the malware’s command and control infrastructure.

Recently, criminals have also used fake installers for legitimate software—such as VPNs from F-Secure and Proton—to distribute Raccoon Stealer.

Resurfacing on Cue

Several security researchers had fully expected Raccoon Stealer to resurface when its developers announced they were stopping operations on March 25.

In January, Bitdefender’s Cyber Threat Intelligence Lab observed the operators of the widely used RIG exploit kit include Raccoon Stealer in their kit. However, when Raccoon Stealer’s developers announced they were quitting, the authors of RIG quickly swapped out the malware for the older but still popular Dridex banking Trojan.

However, in a report on that swap last week, Bitdefender predicted that Raccoon Stealer would return despite the setback which pushed the developers to ceasing operations in March. That's an assessment that Sekoia shared this week. 

“We expect a resurgence of Raccoon Stealer v2 as developers implemented a version tailored to the needs of cybercriminals and scaled their backbone servers to handle large loads,” Sekoia said.