Raccoon Stealer returns with a new bag of tricks

Christopher Boyd


The popular malware Raccoon stealer, which suspended operations after a developer allegedly died in the Ukraine invasion, has returned.

Raccoon stealer is malware as a service, with the developers selling it to would-be users. The operation is a tightly-run ship, to the extent that customers have digital signatures tied to their executables. If files end up on malware scanning services, the malware authors know exactly who the leak has come from.

So much data, so little time

The popular tool is built for data theft, and it is ubiquitous where stealing credentials is concerned. Cryptocurrency wallets, cookies, passwords, browser autofill data, and credit card data: pretty much anything is up for grabs.

Since 2019, Raccoon stealer has been lifting data from the unwary. Cheap to purchase and packing a large range of features, it is able to steal from as many as 60 different applications including:

Email: Outlook, Thunderbird
Browsers: Firefox, Chrome, Microsoft Edge, Internet Explorer, Vivaldi, SeaMonkey
Cryptocurrency apps: Exodus, Monero, Electrum, Jaxx

Raccoon’s two most popular delivery methods are phishing campaigns (the tried and tested malicious Word document/Macro combination) and exploit kits. Once data is located on the target system, it is eventually placed into a .zip file and sent to the malware Command and Control (C&C) server.

Its operators are constantly innovating, for example making use of Telegram to operate C&C. This is one malware project which wasn’t going to stay gone for long.

An all new raccoon rampage

The new version, Raccoon Stealer 2.0, was claimed to be on sale via Telegram and in circulation since May 17. However, these claims relating to Telegram have since been shown to be fake.

While functionality appears to be mostly similar to the original version, there are some notable differences. The creators claim to have improved the software and resurrected their malware antics to “honour” the legacy of the teammate who died:

After our teammate's loss we made a decision that we cannot leave our project and we will continue our work in his honour. Raccoon Stealer 2.0 was totally coded from the very beginning. New back-end, new front-end, absolutely new stealer software.

Smash and grab

Credit card data, autofill, browser passwords, and a big slice of cryptocurrency wallets are once more targets for Raccoon Stealer. The big change seems to be in how data is exfiltrated. This new version doesn't appear to be particularly stealthy.

The name of the game in data exfiltration is to make as few moves as possible to help evade detection. Sneaky malware will collect data as it goes, before eventually sending the whole lot in a zip in one go. If an infection is constantly pinging away, the chances of it being caught by security tools increase dramatically.

Here, Raccoon Stealer seems to be throwing a little caution to the wind. The stealer sends data every single time it adds to its exfiltrated data collection. Researchers note that Raccoon Stealer 2.0 possesses no obfuscation or anti-analysis techniques.
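The contrast above, a single batched upload versus an upload after every grab, is exactly what a defender can look for in outbound proxy logs. This is an added example, not code from the article or from any named product: it runs a sliding-window count of POSTs per source/destination pair over constructed log lines, with the host names, destinations and thresholds all assumed.

```python
from collections import defaultdict

# Constructed proxy-log sample (not from the article): epoch seconds, source host,
# destination, method, bytes sent. HOST-A batches everything into one upload;
# HOST-B uploads each time it grabs something new, the pattern described above.
SAMPLE_LOG = """\
1000 HOST-A c2.example.invalid POST 418000
1000 HOST-B c2.example.invalid POST 2100
1012 HOST-B c2.example.invalid POST 880
1025 HOST-B c2.example.invalid POST 14600
1031 HOST-B c2.example.invalid POST 3300
1040 HOST-B c2.example.invalid POST 950
1100 HOST-C updates.example.invalid POST 700
1400 HOST-C updates.example.invalid POST 700
"""

def parse_log(text):
    """Yield (ts, src, dst, method, size) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], parts[3], int(parts[4])
        except ValueError:
            continue

def find_chatty_uploaders(text, window=60, min_posts=4):
    """Return {(src, dst): peak_count} for pairs with >= min_posts POSTs inside
    any window-second span. One big batch never trips this; a burst of small ones does."""
    posts = defaultdict(list)
    for ts, src, dst, method, _size in parse_log(text):
        if method == "POST":
            posts[(src, dst)].append(ts)
    flagged = {}
    for pair, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window start forward
                start += 1
            count = end - start + 1
            if count >= min_posts:
                flagged[pair] = max(count, flagged.get(pair, 0))
    return flagged

if __name__ == "__main__":
    for (src, dst), n in find_chatty_uploaders(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} POSTs within 60s")
```

Tune `window` and `min_posts` to your own baseline; periodic software updaters like HOST-C stay below the threshold, while the per-grab pattern stands out.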

I’d love to know if some sort of data driven analysis led developers to the conclusion that smash and grab is ultimately more suited to their business model than waiting it out. Ultimately, this may be the one bright note for embattled IT admins in the wake of everyone’s least favourite raccoon’s re-emergence onto the malware scene.