A new Raccoon Stealer campaign underscores the evolution of this information-stealer, which has recently been distributed through a dropper campaign to steal cryptocurrencies, cookies, and other types of information on target machines.
Sophos researchers have been tracking a "particularly active" campaign by attackers using Raccoon Stealer, a widely used information stealer. While the campaign is no longer active, as its infrastructure is no longer reachable, researchers say similar campaigns are still ongoing and have published their findings to inform security practitioners of this constantly evolving threat.
Raccoon Stealer has been in use for at least two years; developers run it as a service for other criminals to buy and distribute. It's controlled from a Tor-based command-and-control "panel" server and is regularly updated with new features and bug fixes. Sophos notes that it's sold on boards mostly in Russian; however, it also runs English ads and offers English-language support.
The stealer is designed to take passwords, cookies, and the autofill text for websites, including credit card information and other personal data that may be stored in the browser. After a new "clipper" update, Raccoon Stealer also targets cryptocurrency wallets and can retrieve or drop files on target systems.
Info stealers are normally spread in one of two ways: one is via spam email, as the payload of a malicious dropper or as a compressed executable; the other is through a malicious website or sharing service. Most recent samples of Raccoon Stealer have been spread through a single dropper campaign that leverages malicious websites promising access to pirated software.
The malicious sites linked to this campaign were search-engine optimized to rank high in the results of Google and other search engines when people searched for pirated software. These sites advertised "cracked" legitimate software packages, but the files were actually droppers in disguise. When someone clicked a link to download, they were led to one of many download locations, each of which delivered a different version of the dropper, researchers explain.
The dropper arrives as a zipped folder, inside which is another zipped folder containing a file with the password meant to unlock the cracked software. Droppers in this campaign also carried other malware, indicating they are most likely "droppers as a service" and not directly tied to the attacker using Raccoon Stealer. Operators randomize the destination a victim must reach to get the download, so one could visit the same site many times and receive different packages.
"Raccoon Stealer is just one of the things we saw being dropped by this campaign," says Sean Gallagher, senior threat researcher at Sophos Labs. "There were a bunch of other information stealers, some ransomware, and also miners and clippers – malware that steals things out of clipboards, especially if they match cryptocoin wallet numbers and things like that."
In a new twist for this campaign, the Raccoon Stealer developers added their own clipper as a secondary package that can be downloaded. Criminals can sign up for Raccoon Stealer, pay a fee, get access to its Tor-based panel, and select which secondary payloads they want dropped.
The developers also assign a customer ID to each buyer so each executable of the malware has a signature tied to the customer. This way, if the malware appears on VirusTotal, they can trace it back to the person who may have leaked it.
A Constantly Evolving Threat
New to this campaign was the attackers' strange use of Telegram, which they used to deliver the address of a command-and-control gateway, Gallagher notes.
The malware loader calls back to a Telegram channel whose description contains the information needed to reach the gateway used to connect to the back-end server. The loader does not read the Telegram chat itself; it uses the description of the chat channel to convey that information.
"That could be changed frequently," Gallagher says. "If you're doing forensics on the contents of the chat channel, there are no messages there to track. It's all going on in the changes to the name of the channel itself."
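The dead-drop pattern described above (a loader fetching a public channel page, then contacting the gateway it found there) can be looked for in egress logs. The following is an added detection sketch, not code from the Sophos report or from the malware: it runs over constructed proxy log lines in a format I assume here (timestamp, host, process, URL) and flags a non-browser process that requests a Telegram channel page and then, within a short window, contacts a non-Telegram destination.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log (not from the report): "timestamp host process url",
# assumed to be sorted by time. 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
2021-10-01T10:00:01 WS-17 chrome.exe https://t.me/somechannel
2021-10-01T10:03:12 WS-22 svchost.exe https://t.me/s/examplechannel
2021-10-01T10:03:14 WS-22 svchost.exe http://203.0.113.45/gate
2021-10-01T10:20:00 WS-09 outlook.exe https://outlook.office.com/mail
"""

# Processes for which a visit to a Telegram channel page is ordinary user activity.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "telegram.exe"}
# Public Telegram channel page (t.me/<name> or the t.me/s/<name> preview view).
DEAD_DROP = re.compile(r"^https?://t\.me/(s/)?[A-Za-z0-9_]+/?$")
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(log):
    """Parse log text into (timestamp, host, process, url) tuples, skipping bad lines."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, host, proc, url = m.groups()
        events.append((datetime.fromisoformat(ts), host, proc.lower(), url))
    return events


def find_dead_drop_followups(log, window_seconds=60):
    """Return (host, process, channel_url, followup_url) for each non-browser process
    that fetched a Telegram channel page and, within the window, reached a non-Telegram
    destination from the same host: the resolver-then-gateway sequence worth triaging."""
    events = parse(log)
    hits = []
    for i, (ts, host, proc, url) in enumerate(events):
        if proc in BROWSERS or not DEAD_DROP.match(url):
            continue
        deadline = ts + timedelta(seconds=window_seconds)
        for ts2, host2, proc2, url2 in events[i + 1:]:
            if ts2 > deadline:
                break
            if host2 == host and proc2 == proc and "t.me/" not in url2:
                hits.append((host, proc, url, url2))
                break
    return hits
```

On the sample log only the svchost.exe sequence on WS-22 is reported; the browser visit and the Outlook traffic are ignored.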
Researchers have seen attackers use the metadata associated with various services as a command-and-control channel before. However, Gallagher points out that the technique is growing more prevalent. Sophos researchers have previously reported on attackers using Discord channels to host, spread, and control malware targeting users.
In this case, he says it indicates the developers behind Raccoon Stealer are seeking new ways to update their malware. This campaign netted the attackers some $15,000 in cryptocurrency mined or stolen in a six-month period, and the money is reinvested in developing new tactics.
"It's been in active development for a while, and every time it gets broken they learn something new," he adds.
Info Stealers: Easy for Criminals, Tough for Defenders
Information stealers like this one fill an important role in the cybercrime ecosystem, Sophos researchers note in a blog post on their findings. They allow attackers to gather the kind of personal information that enables identity theft, including the saved credentials and browser cookies that facilitate access to Web-based resources. These credentials are often sold online.
They also make it simple for low-level cybercriminals to target individuals and organizations. An entry-level seven-day subscription to Raccoon Stealer costs only $75, researchers report, and the developers don't vet buyers before selling the malware. Novice criminals can easily find a buyer for their stolen data and invest the funds in other illicit activity.
"We frequently see information stealers like this are a gateway to other bad things happening," Gallagher says. "Those credentials that get stolen … they get sold on a criminal marketplace and they're used for other crime."
That makes Raccoon Stealer and similar threats a top concern for enterprises. Because it can steal cookies that enable access to corporate resources like email and other cloud applications, the malware could get hold of sessions that expose corporate data. It could also potentially lead to business email compromise or ransomware, if an affiliate buys access to a company network.
"Because we've become so dependent on Web-based services, this whole cookie-stealing thing has become a much more critical part of enterprise security," Gallagher adds. Over the past 18 months, as more people began to work from home, exposure to this type of threat has increased because dependence on Web services has grown.