Raccoon Stealer Crawls Into Telegram


Aug 17, 2014
A credential stealer that first rose to popularity a couple of years ago is now abusing Telegram for command-and-control (C2). A range of cybercriminals continue to widen its attack surface through creative distribution means like this, researchers have reported.

Raccoon Stealer, which first appeared on the scene in April 2019, has added the ability to store and update its own actual C2 addresses on Telegram’s infrastructure, according to a blog post published by Avast Threat Labs this week. This gives the operators a “convenient and reliable” command center on the platform that they can update on the fly, researchers said.
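The defensive angle of the technique above is that a stealer which fetches its real C2 address from Telegram produces Telegram traffic from a process that is not a Telegram client, typically followed by a connection to some unrelated host. The following triage routine is an added example and is not code from the Avast post or from Raccoon Stealer itself; the proxy-log format, the process names, the allowlist, and the sample log lines are all constructed for illustration, and the Telegram domain list is the publicly known set that an operator would tune for their environment.

```python
"""
Added example (not from the Avast post or the Raccoon Stealer code): a small
proxy-log triage routine. A stealer that resolves its real C2 through
Telegram's infrastructure produces Telegram traffic from a process that is
not a messenger or browser. Log format, process names and the sample lines
below are constructed for illustration.
"""
import re
from collections import defaultdict

# Public Telegram domains (well known); tune this list for your environment.
TELEGRAM_DOMAINS = ("telegram.org", "t.me", "telegram.me")

# Processes that legitimately talk to Telegram on a managed host (assumed).
ALLOWED_PROCESSES = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed log format: "<ts> <host> <process> <dst_host> <bytes_out>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dst>\S+) (?P<out>\d+)$")

# Constructed sample log; "svchost_update.exe" and 203.0.113.77 are made-up values.
SAMPLE_LOG = """\
2022-03-10T08:01:02Z ws-17 chrome.exe t.me 812
2022-03-10T08:01:05Z ws-17 telegram.exe telegram.org 4096
2022-03-10T08:02:41Z ws-23 svchost_update.exe t.me 734
2022-03-10T08:02:42Z ws-23 svchost_update.exe 203.0.113.77 15820
2022-03-10T08:03:00Z ws-09 outlook.exe outlook.office.com 2201
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["out"] = int(rec["out"])
    return rec


def is_telegram(dst):
    """True if dst is a Telegram domain or one of its subdomains."""
    dst = dst.lower().rstrip(".")
    return any(dst == dom or dst.endswith("." + dom) for dom in TELEGRAM_DOMAINS)


def find_suspicious_telegram_clients(log_text):
    """Return {(host, proc): [dst, ...]} for non-allowlisted processes that
    contacted Telegram, followed by every destination that process reached
    afterwards (candidates for the real C2 address it picked up)."""
    findings = defaultdict(list)
    flagged = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["host"], rec["proc"])
        if is_telegram(rec["dst"]):
            if rec["proc"].lower() not in ALLOWED_PROCESSES:
                flagged.add(key)
                findings[key].append(rec["dst"])
        elif key in flagged:
            # Non-Telegram destination reached after the Telegram lookup
            findings[key].append(rec["dst"])
    return dict(findings)


if __name__ == "__main__":
    for (host, proc), dsts in find_suspicious_telegram_clients(SAMPLE_LOG).items():
        print(f"{host}: {proc} -> {', '.join(dsts)}")
```

On the sample data only the constructed `svchost_update.exe` process on `ws-23` is reported, together with the host it contacted right after its Telegram lookup; the browser and the Telegram client are on the allowlist and produce no finding. In practice the allowlist and the log parser are the parts that need adapting to the local proxy or EDR telemetry.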

The malware – believed to be developed and maintained by Russia-affiliated cybercriminals – is at its core a credential stealer but is capable of a range of nefarious activity. It can steal not only passwords but also cookies, saved logins and forms data from browsers, login credentials from email clients and messengers, files from crypto wallets, data from browser plugins and extensions, and arbitrary files, based on commands from its C2.

“In addition, it’s able to download and execute arbitrary files by command from its C2,” Avast Threat Labs researcher Vladimir Martyanov wrote in the post. This, in combination with active development and promotion on underground forums, makes Raccoon Stealer “prevalent and dangerous,” he said.