- Aug 17, 2014
Criminals behind the Raccoon Stealer platform have updated their services to include tools for siphoning cryptocurrency from a target’s computer and new remote access features for dropping malware and scooping up files.
The stealer-as-a-service platform, whose customers are typically rookie hackers, offers turnkey services for pilfering browser-stored passwords and authentication cookies. According to new research from Sophos Labs published Tuesday, the platform has received a noteworthy update that includes new tools and distribution networks intended to increase the number of infected targets.
For starters, Raccoon Stealer has pivoted from inbox-based infections to ones that leverage Google Search. According to Sophos, threat actors have been proficient in their optimization of malicious web pages to rank high in Google search results. The bait to lure victims in this campaign is software pirating tools such as programs to “crack” licensed software for illicit use or “keygen” programs that promise to generate registration keys to unlock licensed software.
What is unique about Raccoon Stealer is that, unlike other info-stealer services and malware targeting individuals via inboxes, the campaign Sophos tracked is distributed via malicious websites.
Researchers said that victims falling for the ploy download a first-stage payload in the form of an archive. The archive contains another, password-protected archive and a text document holding the password used later in the infection chain. “The archive containing the ‘setup’ executable is password-protected to evade malware scanning,” they wrote.
Eventually, opening the executable delivers self-extracting installers. “They have signatures associated with self-extracting archives from tools such as 7zip or Winzip SFX, but cannot be unpacked by these tools. Either the signatures have been faked, or the headers of the files have been manipulated by the actors behind the droppers to prevent unpacking without execution,” Sophos wrote.
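One way a defender can triage files of the kind described above, as an added example that is not Sophos's code or tooling: locate the 7z signature header that a 7-Zip SFX carries after its PE stub and verify the header's CRCs, so a file that carries the signature but has a manipulated header is flagged instead of silently failing to unpack. It covers only the 7z format (not WinZip SFX), uses the public 7z start-header layout, and runs on constructed sample bytes rather than a real dropper.

```python
import struct
import zlib

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"  # 7z signature; in an SFX it follows the PE stub

def check_7z_start_header(data: bytes) -> str:
    """Classify a blob that claims to carry a 7z stream (plain or SFX overlay).
    "no_signature": magic absent; "truncated": 32-byte start header cut off;
    "crc_mismatch": StartHeaderCRC does not match the next-header fields;
    "bad_next_header": next header outside the file or its CRC fails; "ok" otherwise."""
    off = data.find(SEVENZ_MAGIC)
    if off < 0:
        return "no_signature"
    hdr = data[off:off + 32]
    if len(hdr) < 32:
        return "truncated"
    # Layout after the 6-byte magic: version(2), StartHeaderCRC(4),
    # NextHeaderOffset(8), NextHeaderSize(8), NextHeaderCRC(4); the CRC covers bytes 12..31.
    (start_crc,) = struct.unpack_from("<I", hdr, 8)
    if zlib.crc32(hdr[12:32]) != start_crc:
        return "crc_mismatch"
    next_off, next_size, next_crc = struct.unpack_from("<QQI", hdr, 12)
    begin = off + 32 + next_off
    end = begin + next_size
    if next_size == 0 or end > len(data):
        return "bad_next_header"
    if zlib.crc32(data[begin:end]) != next_crc:
        return "bad_next_header"
    return "ok"

def build_sample(tamper: str = "") -> bytes:
    """Constructed test input: a fake SFX stub, a 7z start header and a tiny
    stand-in next header. Not a real archive; it only exercises the checks."""
    stub = b"MZ" + b"\x00" * 62 + b"fake SFX stub"
    next_header = b"\x01\x04\x06\x00\x00"  # arbitrary bytes standing in for the encoded header
    next_crc = zlib.crc32(next_header)
    fields = struct.pack("<QQI", 0, len(next_header), next_crc)
    if tamper == "next_header":  # offset pushed past end of file, start CRC recomputed
        fields = struct.pack("<QQI", 0x7FFFFFFF, len(next_header), next_crc)
    start_crc = zlib.crc32(fields)
    if tamper == "start_crc":    # fields changed after the start CRC was computed
        fields = struct.pack("<QQI", 0x7FFFFFFF, len(next_header), next_crc)
    return stub + SEVENZ_MAGIC + b"\x00\x04" + struct.pack("<I", start_crc) + fields + next_header
```

A "crc_mismatch" or "bad_next_header" verdict on a file that otherwise looks like a 7-Zip SFX is a reasonable trigger for sandbox detonation rather than static unpacking.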
Sophos said malware delivered to the victim can include:
- “Clippers” (malware that steals cryptocurrency by modifying the victim’s system clipboard during transactions and swapping in the attacker’s destination wallet)
- Malicious browser extensions
- YouTube click-fraud bots
- Djvu/Stop (a ransomware targeted primarily at home users)
An update to the stealer-as-a-service platform hides in pirated software, pilfers cryptocurrency and adds a dropper function for stealthy downloads of further malware.