Raccoon Stealer

Info Stealing

RAT

Windows

Raccoon Stealer is an info stealer malware family that has been around since at least 2019. It is sold as malware as a service (MaaS), so cybercriminals can buy and deploy it to steal sensitive data such as passwords, cookies and cryptocurrency wallet information from infected systems.

Key Insights

Originally written in C++, Raccoon Stealer was rewritten in C for version 2.0. The rewrite updated the malware and added new features, such as stealing autofill data from browsers and support for stealing from multiple cryptocurrency wallets.

Distribution

The malware is spread through phishing campaigns, malicious ads and bundles with cracked software. Once executed, it connects to its command-and-control (C2) servers to receive its configuration and upload stolen data. Dynamic library loading and string encryption help it evade detection by security solutions.

Resurgence and Impact

After a brief hiatus in 2022 due to the loss of a lead developer, Raccoon Stealer came back with its 2.0 version, and its operators resumed activity. The return of the malware is a reminder of the threat it poses to individuals and organizations, especially those in finance and e-commerce.

Known Variants

Raccoon Stealer has been active in two versions: the original one from 2019 to March 2022 and the revised one, Raccoon Stealer v2, which came back in June 2022.

Mitigation Strategies

  • Filter emails to prevent phishing.

  • Update and patch all software.

  • Use antivirus and anti-malware with real-time protection.

  • Educate users about safe browsing and cracked software.

Targeted Industries or Sectors

The malware targets financial services, e-commerce platforms and individual cryptocurrency users to steal credentials and financial information for financial gain.

Associated Threat Actors

Raccoon Stealer is sold as malware as a service, so various cybercriminal groups and individual actors can use it for their own malicious activities. No specific threat actor names are publicly known.
