New Raccoon Stealer Campaign Underscores an Evolving Threat
Sophos researchers have detailed a new Racoon Stealer campaign that underscores the evolution of the information-stealer. According to Sophos, the Racoon Stealer has been distributed through a dropper campaign with the goal of stealing cryptocurrencies, cookies, and other valuable information located on target machines. Researchers confirmed that the campaign had been active up until recently. The original campaign’s infrastructure is no longer reachable, however, there are several similar operations that remain active. Therefore, researchers have published their findings to inform security professionals of the threat.
Racoon Stealer has been around for roughly two years, with developers running it as a service for other criminals to buy and utilize in their attacks. Racoon is controlled via a Tor-based command-and-control server and is regularly updated to contain new features and bug fixes. Sophos found that the tool is typically sold on boards that contain mostly Russian language, however, it runs English ads and offers English support services. The stealer will exfiltrate passwords, cookies, and autofill text for websites such as credit card information and personal data, from the targeted device. Racoon also targets cryptocurrency wallets. The most recent samples of the tool show that it has spread through a single dropper campaign leveraging malicious websites that advertise access to pirated software.