Raccoon Stealer Campaign Highlights Robust Industrialized Criminal Market


Experienced security leaders know that criminals are constantly evolving and changing their tactics to stay one step ahead of defense mechanisms. New “upgrades” to Raccoon Stealer, a widely used information-stealing malware, are a perfect example of this.

Sophos Senior Threat Researcher Sean Gallagher and his team have been tracking a new campaign with Raccoon Stealer at the center. Victims in the current campaign are getting hit with the malware via droppers disguised as installers for pirated software, instead of the usual spam emails, which were an earlier conduit of Raccoon Stealer.

And while Raccoon was previously known for collecting passwords, cookies, and the “autofill” text for websites, including credit card data and other personal identifying information, it can now target cryptocurrency wallets, and can retrieve or drop files on infected systems.

“It carries a program we call a clipper,” says Gallagher. “It looks for transactions that involve cryptocurrency and modifies the victim’s system clipboard during transactions and changes the destination wallet.”
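As an added example (not code from the Sophos research or this article), here is a defender-side check for the clipboard-swap behaviour Gallagher describes: a scan over a clipboard-change history that flags a wallet-like address replaced by a different one within a few seconds. The address patterns, the event format and the process names are assumptions, and the sample history is constructed.

```python
import re

# Loose address shapes (assumption: illustrative, not exhaustive).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[0-9a-z]{25,59}|[13][A-HJ-NP-Za-km-z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the address family a clipboard string looks like, or None."""
    t = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(t):
            return family
    return None

def detect_clipboard_swaps(events, window_seconds=5.0):
    """Flag a wallet-like address replaced by a different address of the same
    family within window_seconds. events: (timestamp_s, text, source_process)."""
    alerts = []
    prev = None  # (timestamp, text, process, family) of the previous event
    for ts, text, proc in events:
        family = classify(text)
        if prev is not None and family is not None and prev[3] == family:
            pts, ptext, pproc, _ = prev
            if ptext.strip() != text.strip() and ts - pts <= window_seconds:
                alerts.append({
                    "family": family,
                    "before": ptext.strip(),
                    "after": text.strip(),
                    "delay": ts - pts,
                    "writer": proc,
                    "same_process": proc == pproc,  # a clipper is usually a different process
                })
        prev = (ts, text, proc, family)
    return alerts

# Constructed clipboard history: a copied BTC address is overwritten 300 ms later by another process.
SAMPLE_EVENTS = [
    (0.0, "meeting notes for Tuesday", "notepad.exe"),
    (10.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq", "chrome.exe"),
    (10.3, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4", "updater.exe"),
    (40.0, "0x" + "ab" * 20, "chrome.exe"),
    (60.0, "0x" + "cd" * 20, "chrome.exe"),  # 20 s apart: a new paste, not a swap
]

if __name__ == "__main__":
    for a in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"possible clipper: {a['before']} -> {a['after']} ({a['writer']})")
```

On a real endpoint the events would come from a clipboard-change hook or an EDR telemetry feed; the time window and the "same process" flag are the tunable parts.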

An Easy Entry into Cybercrime

The malware is not just indicative of evolving tricks, but how industrialized criminal activity has become, says Gallagher.

“This is sold as a service. It is created by a core team that develops the code and the firmware and web servers behind it. People rent and get access with a key created just for them.”

Because Raccoon can be purchased inexpensively on the Dark Web, Gallagher says, there is little overhead to getting into the malware business with it. And it’s as efficient as any legitimate business model.

“Users can log in to the web site like you would with any and track where malware has landed and collect the credentials. It’s always under development, with new features and bug fixes shipping regularly. It’s evolving just like every other as-a-service business online.”

This efficiency and ease of entry means it now takes very little skill to be a cybercriminal, says Gallagher. There’s no need to perfect hacking skills. Just find someone in the business of delivering malware and pay a flat rate for installs, he says.

It is often those who go looking for pirated or cracked software that end up becoming infected by Raccoon. It targets older computers and software and uses SEO techniques to turn up high in search results when users go looking for pirated software they can download for free.

Most malware protection software will protect you from Raccoon, but Gallagher warns that in an era of widespread work from home, where families often share work devices, those using devices to access corporate assets need to be vigilant.

“Don’t search for things that you shouldn’t have running on the machine you are using for work. And don’t allow others in your family to do it. It’s important that companies ensure employees use devices that have protection on them. Or segment off accounts.”

Learn more about the Sophos research on Raccoon Stealer at Sophos.com


Copyright © 2021 IDG Communications, Inc.