Fraud Management & Cybercrime , Malware as-a-Service

'Raccoon' Infostealer Now Targeting 60 Apps: Report

Malware-As-A-Service Offering Is Popular on Underground Forums, Researchers Say
'Raccoon' Infostealer Now Targeting 60 Apps: Report

The operators behind the "Raccoon" infostealer Trojan have added new capabilities to this malware-as-service offering, which now has the ability to steal data from over 60 applications, according to researchers at the security firm CyberArk.

See Also: Mitigating Identity Risks, Lateral Movement and Privilege Escalation

Cybercriminals are using the malware to target login credentials, credit card information, cryptocurrency wallets and browser information, according to the researchers’ report.

Raccoon, first spotted for sale in Russian underground forums in April 2019, rents for $75 per week or $200 per month, according to the report.

While an earlier report from security firm Cybereason found that Raccoon enabled credential stealing from Tor-hosted devices, the new analysis by CyberArk shows that the infostealer has now expanded its reach into popular web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge and others.

In addition, Raccoon now allows cybercriminals to exfiltrate data from a wide range of cryptocurrency wallets, including Electrum, Ethereum, Exodus, Jaxx and Monero, the researchers say. And the infostealer can now target a number of e-mail clients, such as Thunderbird, Outlook and Foxmail.

Attackers using Raccoon are looking to steal privileged credentials so they can achieve privilege escalation and lateral movement, according to the CyberArk researchers. "What used to be reserved for more sophisticated attackers is now possible even for novice players who can buy stealers like Raccoon and use them to get their hands on an organization’s sensitive data," the report states.

Additional Capabilities

The analysis by the CyberArk researchers finds that Raccoon remains a fairly unsophisticated malware-as-a-service offering, but as its operators continue to develop it, it is becoming more capable of performing a wider range of malicious functions.

In addition to stealing data from browsers and cryptocurrency wallets, Racoon can collect information from a targeted device, such as the version of the operating system running, system language, hardware information and lists of installed applications, the report notes.

Website advertising Raccoon malware-as-a-service (Source: CyberArk)

Cybercriminals can also configure Raccoon to take screenshots of a targeted device and then use the malware as a dropper to deploy second-stage malware, the report adds.

Because Raccoon is easy to use, it enables less sophisticated cybercriminals to leverage it for various criminal schemes, according to CyberArk.

"What used to be reserved for more sophisticated attackers is now possible even for novice players who can buy stealers like Raccoon and use them to get their hands on an organization’s sensitive data," the report notes. "And this goes beyond usernames and passwords to information that can get them immediate financial gain, like credit card information and cryptocurrency wallets."

The Cybereason analysis notes that Raccoon has already infected "hundreds of thousands" of devices. Another report by Recorded Future finds that Raccoon remains one of the top selling malware rentals within underground forums.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.