The New Version of Raccoon Stealer

A second major version of the Raccoon Stealer malware, which offers criminals a better password-stealing functionality and more operational capacity, is once again getting a lot of attention on cybercrime forums.

The Raccoon Stealer programme was shut down in March 2022, when one of its operators revealed that their lead developers had died during Russia’s invasion of Ukraine. The remaining team committed to coming back with an updated version and relaunching the MaaS (malware as a service) project with more features and enhanced infrastructure.

According to the researchers, the program’s code has been completely rewritten, and screenshot capture and keystroke logging have been added to its list of functions. The full impact of the new code is still unknown, although it is expected to be made available on black markets soon.


Raccoon Stealer

Raccoon Stealer, also known as Legion, Mohazo, and Racealer, is a high-risk trojan-type programme that secretly enters the system and gathers user data. Having this trojan on your computer can cause a number of problems.

Raccoon Stealer gathers personal data, including passwords, browser cookies, autofill information, and information about crypto wallets. Additionally, Raccoon Stealer logs system data such as geolocation and Internet Protocol (IP) addresses.

Online criminals can use this data to transfer users’ money out of their accounts and crypto wallets (e.g., PayPal, bank accounts, etc.), so victims can lose their savings. Furthermore, hijacked accounts (such as Facebook or email accounts) can be used fraudulently to borrow funds.


How does it infiltrate the computer?

The Rig Exploit Kit (RigEK), a known distribution tool for Raccoon Stealer, injects the Smoke Loader trojan into systems; Raccoon Stealer is then downloaded and installed as a by-product. However, a variety of additional tools and techniques are also used to spread these trojans.

This consists of third-party websites that offer software downloads, spam emailing campaigns, phoney software cracks and updaters, and other trojans (leading to chain infections). Cybercriminals spread malware by disguising it as genuine software through unofficial download sources (free file hosting websites, peer-to-peer (P2P) networks, freeware download websites, etc.).

Users are misled into manually downloading and installing the malware themselves. Similar techniques are employed in spam campaigns: cybercriminals send millions of emails with the same malicious attachments (files or links) and misleading content. Fake updaters infect systems by exploiting defects or flaws in outdated software, or simply by downloading and installing malware in place of the promised updates.

Furthermore, trojans lead to chain infections. These dangerous programmes compromise computers secretly, downloading and installing more malware in the background (usually high-risk infections, such as other trojans).


Capabilities of the New Raccoon Stealer

Raccoon Stealer 2.0 retains the ability to steal cookies, autofill information, and passwords from browsers. Additionally, it is capable of stealing any credit card information saved in the browser.

The most recent Raccoon Stealer version is also far better than its predecessor at stealing cryptocurrency. In addition to targeting cryptocurrency wallets, Raccoon Stealer can target several cryptocurrency-related browser plugins.

Raccoon Stealer’s ability to gather files from the victim’s system has also been improved. Additionally, the updated programme can record a list of the programmes installed on the target computer, which helps an attacker determine what kinds of data files are likely to be present and valuable to steal.

Raccoon Stealer’s ability to take screenshots from an infected system is probably the most alarming addition. Screen grabs have innumerable malicious uses. For instance, an attacker could watch someone enter payment details for a purchase and capture a screenshot of the checkout screen.
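The stealer behaviours described above (reading browser credential, cookie and autofill stores, plus wallet files) leave a file-access footprint that endpoint telemetry can surface. The following Python script is an added detection example, not code from the original article or from any vendor. It runs a simple rule over constructed, EDR-style JSON file-access events and flags any process outside an assumed browser/wallet allow-list that touches those stores, raising the severity when one process touches several categories, which is the pattern a credential stealer produces and a single legitimate tool rarely does. The event format, the allow-list and the sample paths are assumptions; the store file names are the well-known Chromium and Firefox profile files.

```python
import json
import re
from collections import defaultdict

# Well-known browser and wallet data stores that stealers read. Chromium-based
# browsers keep credentials, cookies and autofill data in SQLite files under the
# profile directory; Firefox keeps them in logins.json and cookies.sqlite.
SENSITIVE_STORES = {
    r"\\User Data\\[^\\]+\\Login Data$": "browser credentials",
    r"\\User Data\\[^\\]+\\(?:Network\\)?Cookies$": "browser cookies",
    r"\\User Data\\[^\\]+\\Web Data$": "browser autofill / saved cards",
    r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\logins\.json$": "browser credentials",
    r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$": "browser cookies",
    r"\\wallet\.dat$": "cryptocurrency wallet",
}

# Assumed allow-list of executables that legitimately own those files.
# Tune this per environment; it is an assumption for the example.
LEGITIMATE_OWNERS = {
    "chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "bitcoin-qt.exe",
}

# Constructed, EDR-style file-access events (one JSON object per line).
# Field names and values are assumptions for this example, not real telemetry.
SAMPLE_EVENTS = [
    # Benign: the browser itself opens its own credential store.
    r'{"pid": 2212, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    # Suspicious: an unknown executable dropped in Temp reads several stores.
    r'{"pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    r'{"pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}',
    r'{"pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}',
    r'{"pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "target_path": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2z3.default-release\\logins.json"}',
    r'{"pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "target_path": "C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat"}',
    # Unrelated file activity that the rule must ignore.
    r'{"pid": 1337, "image": "C:\\Windows\\explorer.exe", "target_path": "C:\\Users\\alice\\Documents\\report.docx"}',
    # Low severity: a backup tool touches a single store category once.
    r'{"pid": 5010, "image": "C:\\Tools\\backup.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}',
]


def classify_path(path):
    """Return the sensitive-store category for a path, or None if it is not one."""
    for pattern, category in SENSITIVE_STORES.items():
        if re.search(pattern, path, re.IGNORECASE):
            return category
    return None


def detect(event_lines, allow_list=LEGITIMATE_OWNERS):
    """Aggregate sensitive-store accesses per (image, pid) and return alerts.

    Severity is "high" when one process touches two or more store categories
    (credentials + cookies + autofill + wallet is classic stealer behaviour),
    and "low" for a single category, which is worth a look but often benign.
    """
    touched = defaultdict(set)
    for line in event_lines:
        event = json.loads(line)
        category = classify_path(event["target_path"])
        if category is None:
            continue
        exe_name = event["image"].rsplit("\\", 1)[-1].lower()
        if exe_name in allow_list:
            continue  # the store's own application; expected behaviour
        touched[(event["image"], event["pid"])].add(category)

    alerts = []
    for (image, pid), categories in sorted(touched.items()):
        alerts.append({
            "image": image,
            "pid": pid,
            "categories": sorted(categories),
            "severity": "high" if len(categories) >= 2 else "low",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'[{alert["severity"].upper()}] pid {alert["pid"]} {alert["image"]} '
              f'read: {", ".join(alert["categories"])}')
```

On the constructed events the rule produces one high-severity alert for the Temp-directory executable (four categories across two browsers and a wallet file) and one low-severity alert for the backup tool, while the browser's own access is suppressed. In a real deployment the allow-list should be keyed on signed, full image paths rather than bare file names, since a stealer can trivially name itself chrome.exe.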


Remediation Action

  • To avoid this threat, be cautious when browsing the internet and when downloading, installing, and upgrading software.
  • Analyse every email attachment received with care. Do not open files or links that are not relevant to you. Attachments from suspicious or unfamiliar senders should not be trusted.
  • Avoid third-party downloaders and installers, as they are frequently used to spread malware. Download software and applications from reputable or official sources only.
  • Update installed software and operating systems regularly.
  • To prevent malware attacks, make sure that all of your computers are configured with malware protection, and that this protection is kept up to date.