Specialists at CyberArk have warned that the Raccoon infostealer (aka Legion, Mohazo, and Racealer) is able to steal data from 60 different applications, including popular browsers, email clients and cryptocurrency wallets.
The Raccoon infostealer appeared in early 2019 and since April has been actively distributed through underground forums under the malware-as-a-service (MaaS) model. Late last year, Cybereason Nocturnus researchers noted that demand for Raccoon on the black market was gradually growing, and as a result it has infected hundreds of thousands of systems in North America, Europe and Asia. Both individuals and organizations have fallen victim to these attacks.
According to Cybereason Nocturnus researchers, Raccoon offers such "advantages" as an easy-to-use control panel, bulletproof hosting and round-the-clock customer support in Russian and English. Moreover, at the time of writing, use of the malware cost only $200 per month ($75 per week).
Raccoon infiltrates victims' machines via exploit kits, phishing emails, or other malware that has already compromised the system. For example, in 2019 Raccoon was distributed through the Fallout exploit kit.
Now, CyberArk analysts write that Raccoon can hardly be called a sophisticated tool, but it continues to develop rapidly. For example, Raccoon recently gained the ability to steal credentials from FileZilla, user-interface bugs were fixed, and the developers added an option to encrypt custom builds of the malware directly from the UI so that they can later be loaded as a DLL.
As a result, the malware, currently written in C++, is capable of stealing information from 35 different browsers and 60 applications in total.
Raccoon is able to steal financial data and credentials, information about the infected machine (OS version, language in use, list of installed applications, connected hardware, etc.), data from cryptocurrency wallets, and also extracts information from browsers, including cookies, history and autofill data.
Among other things, the malware targets virtually every browser of any popularity: Google Chrome, Google Chrome (Chrome SxS), Chromium, Xpom, Comodo Dragon, Amigo, Orbitum, Bromium, Nichrome, RockMelt, 360Browser, Vivaldi, Opera, Sputnik, Kometa, Uran, QIP Surf, Epic Privacy, CocCoc, CentBrowser, 7Star, Elements, TorBro, Suhba, Safer Browser, Mustang, Superbird, Chedot, Torch, Internet Explorer, Microsoft Edge, Firefox, WaterFox, SeaMonkey and PaleMoon.
Raccoon also goes after the Thunderbird, Outlook and Foxmail mail clients, and looks for Electrum, Ethereum, Exodus, Jaxx, Monero and Bither wallets on the infected system, trying to locate the wallet.dat file and extract the credentials from it.
The same scheme applies to every target application. The malware steals the application files that hold sensitive data: it copies them to a temporary folder, runs its extraction and decryption routines, writes the result to a separate file, and then sends that file to the command-and-control server. Raccoon uses dedicated DLLs to extract and decrypt credentials; the JSON configuration file contains the URL from which the malware downloads these libraries.
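The staging pattern described above (a process that is not the owning application reads a credential store and then writes a copy of it under a temporary directory) is something a defender can look for in file-activity telemetry. The following is an added example, not code from the article or from CyberArk: it runs a simple detection over constructed file-event log lines. The log format, process names and paths are constructed; wallet.dat comes from the article, and the browser and mail-client store file names (Login Data, Cookies, Web Data, logins.json, key4.db) are the well-known names for those applications.

```python
"""Detect credential-store staging: an untrusted process reads a known
credential store and then writes a file of the same name into a Temp directory.
Added example with constructed telemetry; not the article's or CyberArk's code."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Credential-store basenames (lower-cased). wallet.dat is named in the article;
# the browser / mail-client names are the well-known store files for those apps.
SENSITIVE_FILES = {"login data", "cookies", "web data", "wallet.dat",
                   "logins.json", "key4.db"}

# Processes that legitimately read their own stores (constructed allow-list).
TRUSTED_PROCESSES = {"chrome.exe", "firefox.exe", "thunderbird.exe",
                     "outlook.exe", "electrum.exe"}

# A write whose path passes through a Temp/tmp directory.
TEMP_DIR_RE = re.compile(r"\\(Temp|tmp)\\", re.IGNORECASE)

# Constructed log format: "<timestamp> <pid> <process> <READ|WRITE> <path>"
LOG_RE = re.compile(r"^(\S+) (\d+) (\S+) (READ|WRITE) (.+)$")

# Constructed sample telemetry. "svchst.exe" is a made-up suspicious process
# name; "backup.exe" reads a store but never stages it and must not alert.
SAMPLE_LOG = """\
2020-02-24T10:00:01 4120 chrome.exe READ C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2020-02-24T10:02:11 5532 svchst.exe READ C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2020-02-24T10:02:12 5532 svchst.exe WRITE C:\\Users\\u\\AppData\\Local\\Temp\\abc123\\Login Data
2020-02-24T10:02:13 5532 svchst.exe READ C:\\Users\\u\\AppData\\Roaming\\Electrum\\wallets\\wallet.dat
2020-02-24T10:02:14 5532 svchst.exe WRITE C:\\Users\\u\\AppData\\Local\\Temp\\abc123\\wallet.dat
2020-02-24T10:03:00 6001 backup.exe READ C:\\Users\\u\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x.default\\logins.json
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, pid, proc, op, path = m.groups()
    return {"ts": ts, "pid": int(pid), "proc": proc.lower(), "op": op, "path": path}


def detect_staging(log_text):
    """Return (pid, process, store_name) for every credential store that an
    untrusted process read and then wrote under a Temp directory."""
    pending = defaultdict(set)   # pid -> store basenames already read
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["proc"] in TRUSTED_PROCESSES:
            continue
        name = PureWindowsPath(ev["path"]).name.lower()
        if name not in SENSITIVE_FILES:
            continue
        if ev["op"] == "READ":
            pending[ev["pid"]].add(name)
        elif (ev["op"] == "WRITE" and TEMP_DIR_RE.search(ev["path"])
              and name in pending[ev["pid"]]):
            alerts.append((ev["pid"], ev["proc"], name))
    return alerts


if __name__ == "__main__":
    for pid, proc, store in detect_staging(SAMPLE_LOG):
        print(f"ALERT pid={pid} process={proc} staged credential store '{store}' in Temp")
```

The rule keys on the read-then-stage sequence rather than on a process name, so it still fires when the stealer runs under an arbitrary binary name, while a legitimate backup process that reads a store without copying it to Temp stays quiet. In a real deployment the allow-list and store names would come from the environment's inventory, and the same logic would consume EDR or Sysmon file events instead of the constructed lines.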