Raccoon Stealer Pivots Towards Self-Protection

Raccoon Stealer Pivots Towards Self-Protection
5 minute read

Malware has become an ever-growing threat in the cyber landscape with the rise in ransomware and as-a-service offerings. ZeroFox Threat Research has identified a change in focus among the developers of an information stealer known as Raccoon Stealer. In this post, we’ll take a closer look at the pivot towards protecting this information stealer through the use of “crypters” and offer recommendations for how security teams can address this ongoing threat.

Defining Raccoon Stealer

An information stealer (also known as an infostealer) typically acts as a Trojan designed to gather information from a system. The most common stealers collect data such as usernames and passwords, which it then sends to another system via email, over a network or other means of export. Keyloggers are another popular information stealer that focuses on logging a user’s keystrokes to uncover sensitive information and additional access.

Raccoon Stealer is an information stealer type of malware first advertised on various underground forums in April 2019 by an actor going by the handle "raccoonstealer." Like most stealers, it can steal stored auto-fill data, cookies, credentials, credit card data and history from Chromium-based browsers such as Google Chrome and Microsoft Edge. Targeted theft of several cryptocurrency wallets is also supported. Updates often add support for new cryptocurrencies, though it can also be configured to locate any wallet.dat file as well.

Its focus is on being small, efficient and simple enough for anyone to use. To accomplish this, Raccoon Stealer was created as a service offering, complete with a cloud control panel allowing would-be subscribers to configure everything in "just a few clicks." At just $75 per week or $200 per month, Raccoon Stealer is relatively cheap for threat actors as well.

Raccoon Stealer Updates Focus on Protecting Payloads

Multiple updates have happened since the start of the quarter, most notable among them being the addition of new "crypters." A crypter's purpose is to obfuscate a given binary by using tactics such as inserting junk code, breaking up the flow of code without changing the original functionality or encrypting sections of code so static signatures cannot detect them. Other updates include support for stealing several new cryptocurrency wallets and adding Discord to the list of targeted applications.

On August 4, 2021, the actor raccoonstealer announced that they were looking to cooperate with other crypter developers and had completed an "automatic system for issuing an encrypted build.'' This was seemingly in response to subscriber feedback.

The actor racoonstealer has also been observed reminding others that "usage without crypt is prohibited."

The recently introduced "Raccoon Clipper" was also updated at the end of July 2021, adding support for the Monero and ZCash cryptocurrencies. Racoon Clipper is an add-on developed separately from the main stealer and works as the name may suggest: monitoring the Windows clipboard. Once it detects a supported cryptocurrency address, it will replace it with one configured by the subscriber in hopes that unsuspecting victims will continue the transaction, unaware that the target address has been changed.

The group behind Raccoon Stealer has established itself as a capable group in the two years since they debuted, providing new features regularly and earning a primarily positive reputation within the community. They've also shown a willingness to add features based on the demands of their subscribers, as demonstrated by the recently created API for automatically generating encrypted builds. With the development of a new API for automatically providing obfuscated or "crypted" builds, new targeted applications and support for more cryptocurrency wallets, this quarter has been an active one for Raccoon Stealer.

Information Stealer Resources and Recommendations

As malware attacks continue to increase and the tactics evolve, security teams must act quickly. Here are a few recommendations from the ZeroFox Threat Research team:

  • When breaches occur, always change known compromised passwords, as well as passwords on critical accounts.
  • If the initial attack vector is known, ensure that the vulnerabilities leveraged are corrected immediately.
  • Perform a penetration test to determine weaknesses in the network configuration and correct the findings as soon as possible.
  • Enable 2-factor authentication for all your organizational accounts to help mitigate phishing and credential stuffing attacks.
  • Review network logs for potential signs of compromise and data egress.
  • Enforce administrative or application control restrictions to prevent the unauthorized installation of software or media.

The ZeroFox team continues to produce informative resources and engaging events to help security teams and organizations as a whole navigate unknown territory. To learn more about the top threat trends as well as predictions on the tactics and techniques expected to increase, download the latest ZeroFox Quarterly Threat Landscape Report.

See ZeroFox in action