Researchers from CyberArk have discovered a relatively new infostealer, sold on cybercriminal forums, that can extract sensitive data from about 60 applications on a targeted computer. The operators behind the “Raccoon” infostealer Trojan have added new capabilities to this malware-as-a-service offering since it was first observed in the wild almost a year ago.
An infostealer is a type of malware that focuses on gathering sensitive and confidential information from the compromised system. While this information is often related to the user’s credentials, it also searches out financial and personal information.
While infostealers often target high-value information, they generally aren’t sophisticated and are usually sold on hacking forums for anywhere from a few dollars to a couple of hundred dollars.
Raccoon is cheap compared to similar threats. The malware, first spotted for sale in Russian underground forums in April 2019, rents for $75 per week or $200 per month, according to the report.
Most infostealers in the wild use the same techniques for stealing data; the difference in price is therefore more likely due to the length of the subscription and/or the robustness of the feature set.
The list of targeted applications includes:
- Browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Internet Explorer, Opera, Vivaldi, Waterfox, SeaMonkey and UC Browser, along with more than 20 other solutions, which are robbed of cookies, history, and autofill information.
- Popular cryptocurrency apps such as Electrum, Ethereum, Exodus, Jaxx, and Monero, whose wallet files are searched for in their default locations. Raccoon can also scan the whole system for wallet.dat files regardless of where they are stored.
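The two behaviours above (reading browser credential, cookie and history stores, and hunting wallet.dat anywhere on disk) are what a defender can look for in file-access telemetry. The following is an added detection example, not code from CyberArk or from the malware: it runs over constructed EDR-style file-read events and flags a process that reads another application's stores or harvests several application families at once. File names and "expected reader" process names are assumptions about default installations.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed file-read events (not real telemetry), formatted "process|path".
SAMPLE_EVENTS = [
    r"chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"firefox.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\cookies.sqlite",
    r"svchost.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    r"svchost.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json",
    r"svchost.exe|D:\backup\old-wallets\wallet.dat",
    r"svchost.exe|C:\Users\alice\AppData\Roaming\Electrum\wallets\default_wallet",
    r"explorer.exe|C:\Users\alice\Documents\notes.txt",
]

# Stores the report says are harvested, keyed by the application family that owns them.
# File names are assumptions about the default on-disk names of these applications.
ARTIFACT_FAMILY = {
    "login data": "chromium", "cookies": "chromium", "history": "chromium", "web data": "chromium",
    "logins.json": "firefox", "cookies.sqlite": "firefox", "places.sqlite": "firefox",
    "formhistory.sqlite": "firefox",
    "default_wallet": "electrum",
}
WALLET_RE = re.compile(r"wallet\.dat$", re.IGNORECASE)  # matched at any path, as Raccoon does
EXPECTED_READER = {  # processes allowed to touch their own family's stores (assumed names)
    "chromium": {"chrome.exe", "msedge.exe", "opera.exe", "vivaldi.exe"},
    "firefox": {"firefox.exe", "waterfox.exe", "seamonkey.exe"},
    "electrum": {"electrum.exe"},
    "wallet": {"bitcoin-qt.exe"},
}

def classify(path):
    """Return the artifact family a file path belongs to, or None if it is not of interest."""
    name = PureWindowsPath(path).name.lower()
    if WALLET_RE.search(name):
        return "wallet"
    return ARTIFACT_FAMILY.get(name)

def detect(events, breadth=3):
    """Return sorted (process, reason) alerts for a batch of "process|path" read events."""
    touched = defaultdict(set)  # process -> families it has read from
    alerts = set()
    for line in events:
        process, path = line.split("|", 1)
        family = classify(path)
        if family is None:
            continue
        if process.lower() not in EXPECTED_READER[family]:
            alerts.add((process, f"unexpected reader of {family} store: {path}"))
        touched[process].add(family)
    for process, families in touched.items():  # breadth is the infostealer tell
        if len(families) >= breadth:
            alerts.add((process, f"harvests {len(families)} application families"))
    return sorted(alerts)
```

Running `detect(SAMPLE_EVENTS)` raises four per-file alerts and one breadth alert, all for svchost.exe, while the browsers reading their own stores stay silent.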
Raccoon is sold as Malware-As-A-Service (MaaS) which allows malware authors to provide a fully working package to cybercriminals and also includes access to a technical support team and updates for the malware (bug fixes and new features). The package typically includes a login to an administrative panel where the attacker can customize the malware functionality, view all the stolen credentials/logs and download builds of the malware. This model allows cybercriminals to get easy access to the stealer and operate in a maintenance-free environment.
The Raccoon stealer is written in C++ by Russian-speaking developers who initially promoted it exclusively on Russian-speaking hacking forums. The malware is now promoted on English-speaking hacking forums as well, and it works on both 32-bit and 64-bit operating systems.
Attackers use Raccoon to steal privileged credentials so they can achieve privilege escalation and lateral movement, according to the CyberArk researchers. “What used to be reserved for more sophisticated attackers is now possible even for novice players who can buy stealers like Raccoon and use them to get their hands on an organization’s sensitive data,” the report states.
The malware is also able to collect system details (OS version and architecture, language, hardware info, and a list of installed apps). Furthermore, an attacker can customize their Raccoon instance to capture screenshots or deliver additional malicious payloads.
The Cybereason analysis notes that Raccoon has already infected hundreds of thousands of devices and is under continuous development.