Here's Why 'Raccoon' Infostealer Is Popular With CriminalsCheap and Simple 'Malware as a Service' Sold in Cybercriminal Underground
The "Raccoon" infostealer, first spotted in the wild earlier this year, is rapidly gaining in popularity on underground forums due to its low cost and ability to steal a wide range of data, including credit card numbers and cryptocurrency wallets, according to a new analysis from Cybereason.
See Also: Top 50 Security Threats
What Raccoon lacks in sophistication it makes up for in ease of use, according to Cybereason. Developed on a malware-as-a-service model, cybercriminals only need access to a Tor-hosted control panel to initiate attacks using Raccoon against whatever target they pick, according to the analysis.
The infostealer sells for $175 to $200, and it’s typically delivered through the Fallout or RIG exploit kits, says Assaf Dahan, senior director and head of threat research at Cybereason.
Cybercriminals have also used phishing emails with malicious Office documents that hide macros to deliver and install Raccoon on different devices. Or, they’ve bundled Raccoon with legitimate software, researchers say.
Demand for New Tools
"There is a big market and even bigger demand in the underground communities for new malware and new tools," Dahan tells Information Security Media Group.
"When it's bundled with good service, an 'easy to use' interface and a reasonable price, it draws the attention of a wide range of clientele. The malware-as-a-service model is quite appealing for cybercriminals who don't necessarily possess the technical skills to operate such infrastructure. Once the hassle of creating and maintaining such infrastructure is taken care of by the MaaS provider, it draws more customers."
International law enforcement has also taken notice of this trend. In March, Stephen Wilson, the head of the European Cybercrime Center, noted during a conference that cybercriminals are increasingly turning to these methods to monetize their efforts and cash out quickly (see: How Cybercriminals Continue to Innovate).
Recent reports by security firms Flashpoint and Armor also point to a thriving criminal underground where malware, as well as other tools, are bought and sold (see: Cybercrime Tool Prices Continue to Rise on Darknet Sites).
Raccoon, which first appeared in the wild in April, appears to have originated within Russian underground forums for cybercriminals, according to the Cybereason analysis.
At first, security researchers classified it as a password stealer, but it quickly acquired many other attributes and is proficient in stealing credit card and banking data, cryptocurrency wallets, emails, data from browsers, cookies and system information, according to Cybereason. It also takes screenshots, researchers say.
Raccoon quickly spread to English-language forums. Its creators aggressively marketed its capabilities to cybercriminals and offered services, such as bullet-proof hosting and 24-hour support, Dahan says.
The Cybereason researchers also came across testimonials, usually written in Russian, touting the abilities of Raccoon. This helped Raccoon spread across the world within a few months, with Cybereason tracking attacks in North America, Europe and Asia.
A July report from Recorded Future, a threat intelligence specialist, noted spikes in Raccoon activity, along with a keylogger called Hawkeye and several newly released remote access Trojans believed to have been developed by Chinese hackers.
"We have seen targets from practically all regions of the world," Dahan says of Raccoon. "Since the majority of these attacks is of an opportunistic 'spray-and-pray' nature, we see [Raccoon] hit individuals and organizations indiscriminately."
How It Works
Raccoon is built on C++ programming language and targets both 32- and 64-bit versions of Microsoft Windows, according to Cybereason. The researchers suspect the malware had infected "hundreds of thousands" of devices as of April.
Once Raccoon is installed on an infected Windows device, it connects to a command-and-control server and begins to check location data, the researchers note.
When the malware detects local settings, it compares that data against a list of languages, including Russian, Ukrainian, Belarussian, Kazakh, Kyrgyz, Armenian, Tajik and Uzbek. If the victim's device settings match one of these languages, the malware immediately aborts, the researchers say. This is one of several details that led Cybereason to tie this malware to the Russian criminal underground.
And while the Raccoon code is not sophisticated, Cybereason notes that it can steal a lot of information in a short time. Researcher says that in most cases, cybercriminals are then reselling this data on darknet sites.
This lack of sophistication also means that Raccoon, for now, is fairly easy to detect, and if software is up to date and patched, the malware can be blocked. "Most anti-virus companies seem to be able to detect it as malicious," Dahan says.