Raccoon Infostealer

Once the data is gathered, it communicates with its C&C server and receives a list of IP addresses to exfiltrate the stolen data to. In order for the victim’s compromised machine to establish an initial connection with the C2 server, the malware generates a profile based on the victim’s information as shown below.

Once the profile has been generated and sent to the C2 server, An initial connection tunnel is established and the victim’s host machine receives a configuration file from its master. The malware then parses URLs in the configuration file and downloads libraries from those URLs in order to continue its execution.

The malware begins its next phase of attack by enumerating the existence of browsers and email clients on a victim’s computer. It then goes through “AppData” directory and search for application folders that contain strings such as “User Data.” Once the target folder is located, the malware performs SQL queriesusing sqlite3.dll to fetch the victim’s auto-login information such as passwords, credit card information and browser history. It’s important to note that the information from the file above is extracted in encrypted format. Raccoon Stealer also has the capability to find the key from the “local file” of the browser to decrypt that information before sending it to its C2 server.

In addition to its ability to perform basic system fingerprinting and target browsers, Racoon Info stealer can also perform the following actions:

According to the technical analysis provided by Sekoia, what makes this version unique compared to the original version is that it exfiltrates data each time it collects a new item. Instead of continuing to collect data and sending it in a compressed format, the new version has been observed exfiltrating data as soon as it’s added to the collection folder. This change in behavior has led experts to believe that the malware has now become more effective at stealing bits and pieces of sensitive information at the cost of being detected while in communication with C2 server.

Another upgrade to the new version is the malware’s encryption mechanism. The original Racoon stealer was designed to only encrypt the IP addresses of the C2 server. However, the new version now encrypts all the string literals such as APIs used for enumeration. This new feature allows the malware to be more evasive and provides more time to stay hidden on a victim’s computer while it continues to collect new information from the compromised host.

In this blog, we discussed the features and capabilities of Raccoon Stealer and how much more dangerous it has become with its second version. Raccoon Stealer is a Malware As a service that cybercriminals can purchase and subscribe for a cost of $275 per month. it is constantly updated with more features, making it one of the most preferred information stealers for cybercriminals. Its versatility has made the malware a popular choice not just for attackers that are financially motivated but for those that are looking for credentials to achieve privilege escalation and lateral movement for further infection and damage.

As Raccoon Stealer becomes more popular, it is important for every organization to be constantly updated on the malware and start defending against information stealing. An organization should patch systems and applications that are vulnerable and avoid opening suspicious files or emails in order to reduce attack vectors and defend against Raccoon infostealer.