Racoon malware, Legion, Mohazo, and Racealer,
The malware is cheap compared to similar threats, and it is able to steal sensitive data from about 60 applications, including browsers, cryptocurrency wallets, and email and FTP clients.
The Raccoon stealer was first spotted in April 2019; it was designed to steal victims’ credit card data, email credentials,
Raccoon is offered for sale as a malware-as-a-service (MaaS) that implements an easy-to-use automated backend panel; operators also offer bulletproof hosting and 24/7 customer support in both Russian and English. The Raccoon service costs $200 per month.
The Raccoon stealer is written in C++ by Russian-speaking developers who initially promoted it exclusively on Russian-speaking hacking forums. The malware is now promoted on English-speaking hacking forums as well, and it works on both 32-bit and 64-bit operating systems.
The analysis of the logs for sale in the underground community allowed the experts to estimate that Raccoon infected over 100,000 users worldwide at the time of its discovery.
The list of targeted applications
According to a report published by security firm CyberArk, Raccoon is mostly delivered through Exploit Kits and Phishing Campaigns.
The malware is also able to collect system details (OS version and architecture, language, hardware info, and a list of installed apps).
Attackers can customize their Raccoon instance to capture snapshots or to deliver additional malicious payloads.
“Like most of the credential stealers, the client (i.e.
“In Raccoon, after the client chooses the configuration, the malware builder generates a configuration ID for the client’s configuration and writes this ID to the compiled malware.”
Experts also discovered that attackers leverage the malware for lateral movement once they have compromised a system on the target network.
Researchers pointed out that the malware is under continuous development; its authors are actively improving it by addressing multiple issues and implementing new
“the Raccoon team members have improved the stealer and released new versions for the build, including the capability to steal FTP server credentials from FileZilla application and login credentials from a Chinese UC Browser.” continues the analysis. “In addition, the attacker panel has been improved, some UI issues were fixed and the authors added an option to encrypt the builds right from the panel and download it as a DLL.”
Even if the malware is very simple, it is considered very efficient, and its low price makes it easy to rent.
“What used to be reserved for more sophisticated attackers is now possible even for novice players who can buy stealers like Raccoon and use them to get their hands on an organization’s sensitive data. And this goes beyond usernames and passwords to information that can get them immediate financial gain like credit card information and
“Even though Raccoon is not the most sophisticated tool available, it is still very popular among
Additional technical details about the malware