Raccoon Stealer Stealware


Raccoon Stealer (Raccoon) was first reported in 2019 and has remained active to the current day with two variants, namely Raccoon and Raccoon 2.0. The malware employs similar attack vectors to other stealware variants, including credential stealing, keylogging, PowerShell attacks and process hollowing. The primary objective of Raccoon is to steal login data or sensitive banking information from victim systems and subsequently use them to infiltrate valuable online accounts or to commit identity fraud for further financial exploitation.

A significant portion of detected Raccoon credential and domain dark web leaks have come via a Russian Market threat actor. This threat actor, along with many others, uses Raccoon for its credential stealing capabilities and resulting financial gain. Raccoon targets a victim’s system after they have visited a compromised web application, often sent to the victim via a phishing email. If alerted by their EDR, a victim can search for the relevant Indicator of Compromise (IOC) to confirm any successful exploitation and initiate the recovery process.

Raccoon is a service that can be subscribed to for as little as £75 per week or £200 per month, and it enables threat actors that lack their own infrastructure and self-made capabilities to engage in credential stealing activities. The relatively affordable malware option is almost certainly attractive for criminal groups of all sizes and ranks Raccoon as a highly prevalent malware across the online domain. Raccoon is written in C++ and therefore can compromise all three major operating systems: Windows, macOS and Linux.

The Federal Bureau of Investigation (FBI) has been monitoring operations pertaining to Raccoon stealer since March 2022 and has identified more than 50 million unique leaked credentials, including emails, credit card numbers and passwords. Most instances of credential leaks are via third-party exploitation, in which a member of an organisation uses their official business email to log into a personal account. Once that site is affected by Raccoon, the official business email is flagged as a breach for the associated organisation. Therefore, additional investigation is required to assess the level of danger posed by credential leaks.

As of October 2022, the founder of Raccoon was arrested in the Netherlands and now faces significant legal charges [1]. It is unclear how this arrest will affect the future threat landscape, but the stealware appears to remain active as of the time of writing. In April 2023, the National Technical Research Organisation (NTRO) reported that eight government entities had been targeted by the Raccoon Stealer malware.

The Quorum Cyber Threat Intelligence team provides ransomware reports so that you can better understand the threats facing your organisation.