First observed in 2019 and advertised (Figure 1) as a ‘Malware-as-a-Service’ (MaaS) threat on various cybercriminal forums, Raccoon is an information stealer targeting victim credentials and cryptocurrency wallets.
Seemingly favored by some threat actors due to its simplicity, the malware element of Raccoon omits advanced features, such as those used to evade detection, and instead focuses on the ‘stealer’ task in hand.
Whilst this approach requires those deploying the threat to utilize third-party tools for evasion, such as cryptors or packers to thwart signature-based detection, the ongoing popularity and apparent success of Raccoon suggests that this has not been a problem for many.
Lacking their own distribution method, in the past Raccoon incidents appear to have begun with the delivery of malicious document attachments sent via an indiscriminate unsolicited email (malspam) campaign. It was also reported that Raccoon malware had dropped using third-party exploit kits and other malware families.
Raccoon samples have been seen to mimic other executables although, based on their filenames, these have likely been distributed via sites hosting copyright-infringing materials which, in themselves, should be considered high-risk and be avoided.
Further leading to Raccoon’s continued prevalence and success, those behind this MaaS offering are lauded for their high levels of service, and their management dashboard, much like the malware element, is reportedly straightforward and easy to use.
In 2019 Raccoon advertised on various cybercriminal forums with subscriptions available for $499 (US) for four months, $200 for one month and $75 for a ‘trial’ week. The minimal outlay combined with a positive reputation appealed to many less sophisticated threat actors, especially given the potential return on investment (ROI) following the resale or abuse of stolen credentials and cryptocurrency wallets.
But yesterday, Raccoon Infostealer announced its return after a hiatus of 6 months
