This easy-to-use information-stealing trojan malware is quickly gaining popularity among cyber criminals

Racoon Stealer isn't sophisticated, but it has stolen credit card information, passwords and more from hundreds of thousands of victims, and an aggressive marketing campaign means its popularity is still growing, security researchers warn.
Written by Danny Palmer, Senior Writer

A new kind of easy to use trojan malware is gaining popularity among cyber criminals, providing them with simple means of stealing credit card data, passwords and cryptocurrency -- and it has already infected hundreds of thousands of Windows users around the world.

Raccoon Stealer first appeared in April this year and has quickly risen to become one of the most talked-about malware services in underground forums.

Researchers at Cybereason have been monitoring Raccoon since it first emerged, and note that while not sophisticated, it is aggressively marketed to potential criminal users, providing them with an easy-to-use back end, along with bulletproof hosting and 24/7 support -- all for $200 a month.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

That could be considered a high fee compared with other offerings on the dark web, but users are likely to recoup that figure many times over considering the financial and personal data that can be stolen using the malware.

Raccoon's flexible nature allows it to be delivered to victims in a number of ways, but it's most often distributed via exploit kits, phishing and compromised software downloads.

Exploit kits take advantage of vulnerabilities in common software and Raccoon employs the Fallout exploit kit, using it to spawn a PowerShell instance from Internet Explorer and download the malware while the victim is browsing the web.

The phishing attacks use a weaponised Office document to deliver the malware via email, while Raccoon is also known to be delivered in compromised versions of legitimate software downloaded from third-party websites.

After a successful infection, Raccoon begins communicating with a command-and-control server to access the resources required to conduct its malicious activity. At this stage it also gathers the local settings on the target machine -- and if it detects the language is Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik, or Uzbek, it will terminate its activity.

This, along with analysis of posts by the authors on underground forums, has led researchers to believe that the authors of Raccoon are Russian-speaking and are most likely based in Russia itself. It's common for malware originating from Russia and its surrounding states to avoid targeting Russian users.

Once up and running on a target machine, Raccoon can take screenshots, steal system information, steal information from browsers, including login information and bank details, as well as monitor emails and steal from cryptocurrency wallets.

The code behind Raccoon isn't sophisticated, but the capabilities of the malware combined with its ease-of-use allows attackers to steal large amounts of data from individuals or businesses, which they can either sell on the dark web or exploit to conduct further attacks.

"Raccoon, like other information stealers, poses significant risks to individuals and organizations alike. Any malware that is designed to steal passwords and personal information from browsers and mail clients could potentially inflict great damage to its victims," Assaf Dahan, senior director of threat hunting at Cybereason, told ZDNet.

"The stolen data is being sold to the highest bidder in the underground community and can be used in many ways -- from identity theft, financial theft or even as an entry vector to penetrate an organization and in order to carry out a larger attack," Dahan added.

Raccoon receives regular updates from its authors and analysis of threads advertising the malware in underground forums suggests that the developers are willing to listen to users for ideas about new functionality. For example, several forum users have suggested the addition of a keylogger and the Raccoon authors replied that they were 'thinking' about adding it in future.

SEE: Houdini malware targets victims with keylogger, online bank account theft tools

While Raccoon is relatively new, it's quickly gaining a following among cyber criminals and has already been used to infect hundreds of thousands of endpoints across North America, Europe and Asia. And the way it's being offered 'as-a-service' could result in Raccoon becoming a significant threat to web users.

"In the not-so-long-ago past, it took great efforts and highly technical skills in order to operate a successful malware operation and turn it into a business that generates considerable revenues," said Dahan.

"Nowadays, a lot of hassle is being taken care of by the malware-as-a-service provider, making it more accessible for new types of cyber criminals," he concluded.

However, despite its growing popularity, Racoon can be thwarted: it uses known exploits to infect victims, so if users have applied security patches to their software, they should be able to stay safe against this malware attack.

Researchers at Cybereason have published a full list of Indicators of Compromise for the Raccoon Stealer.


Editorial standards