| Attribute | Value |
| --- | --- |
| Name | Raccoon |
| Additional Names | Racealer, RecordBreaker (Raccoon Stealer v2) |
| Type of Malware | Infostealer |
| Date of Initial Activity | 2019 |
| Motivation | Steals browser autofill passwords, history and cookies, credit cards, usernames, passwords, cryptocurrency wallets, and other sensitive data |
| Attack Vectors | Phishing emails, drive-by downloads, or malicious attachments |
| Targeted System | Windows |
Overview
Raccoon infostealer was first observed in April 2019. It targets Windows systems and is sold as Malware-as-a-Service (MaaS) on underground forums. It is a simple infostealer capable of collecting browser cookies, history, login credentials, cryptocurrency wallets and credit card information.
Raccoon's payload is a modular C/C++ binary designed to infect 32-bit and 64-bit Windows systems. In early 2022, Raccoon's maintainers temporarily shut down operations because of the impact of the war in Ukraine on its members.
However, in June 2022, Raccoon returned with an updated version, including upgraded infrastructure and a completely rebuilt payload.
Targets
Regular users.
Tools/Techniques Used
Upon execution, Raccoon checks for the presence of its mutex, %UserName% + "m$V1-xV4v", on the target system to avoid a double infection. If the mutex is not found, Raccoon creates it, fingerprints the target system, and sends the data to one of its command-and-control (C2) outposts. Raccoon typically uses Telegraph or Discord for C2 operations. Raccoon's C2 host location is obfuscated in the payload using base64 encoding and RC4 encryption.
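As an added example (not code from the original profile or from any Raccoon sample), the following shows how an analyst's configuration extractor would reverse the base64 + RC4 layering described above to recover the C2 string from a payload. It assumes the ciphertext was RC4-encrypted and then base64-encoded (the profile does not state the order), and the key and encoded blob below are constructed sample values, not real Raccoon indicators.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation).
    Encryption and decryption are the same XOR operation."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_c2(blob: str, key: bytes) -> str:
    """Recover the C2 host string: base64 text -> RC4 ciphertext -> plaintext.
    Assumed layering order: RC4 first, then base64 (see lead-in)."""
    return rc4(key, base64.b64decode(blob)).decode("utf-8", errors="replace")


def encode_c2(url: str, key: bytes) -> str:
    """Inverse of decode_c2; used here only to build a constructed sample blob."""
    return base64.b64encode(rc4(key, url.encode("utf-8"))).decode("ascii")


# Constructed sample values for demonstration (NOT a real key or C2 address).
SAMPLE_KEY = b"example-key"
SAMPLE_C2 = "http://c2.example.invalid/gate"
SAMPLE_BLOB = encode_c2(SAMPLE_C2, SAMPLE_KEY)

if __name__ == "__main__":
    print("encoded blob :", SAMPLE_BLOB)
    print("recovered C2 :", decode_c2(SAMPLE_BLOB, SAMPLE_KEY))
```

In a real extraction the key and blob are read from the unpacked binary; the recovered host can then be fed into blocklists or network detection rules.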
From there, Raccoon uses the process injection technique to hijack the legitimate explorer.exe process and spawns new processes with elevated privileges. Depending on the target’s system profile, Raccoon imports copies of legitimate Windows DLLs, extracts sensitive information from well-known applications, and follows a standard process for each targeted application.
This process first locates each application’s cache of sensitive information, copies the original cache file to a temporary folder, extracts and encrypts sensitive data from the cache, and finally writes the contents to Raccoon’s main operating directory. For browsers, Raccoon uses sqlite3.dll to query the application’s SQLite database and steals user autologin passwords, credit card data, cookies, and browser history. Some versions of Raccoon can also break TLS encryption under certain conditions allowing Raccoon to effectively man-in-the-middle (MiTM) the infected host’s internet connection.
Notably, some versions of Raccoon check the target's user language preference identifier and halt operation if a Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik, or Uzbek language setting is detected. However, this check, intended to spare certain groups, is only present in some versions.
Raccoon also has custom modules to steal data from the following applications:
- Cryptocurrency applications: extracts Exodus, Monero, Jaxx, Binance, and others by looking for wallet data files in default locations.
- Password managers: extracts Bitwarden, 1Password, and LastPass data from their default locations.
- Email clients: extracts email communications from Outlook, ThunderBird, and Foxmail.
- Other applications: extracts Steam gaming platform data, including the Steam Authorisation or Steam Sentry File, as well as Discord and Telegram account login credentials.
Impact / Significant Attacks
Raccoon has been linked to hundreds of thousands of infections and is comparable to the prolific Azorult stealer in terms of its impact on global cybersecurity.
At its peak, Raccoon was one of the most discussed malware strains on hacker forums, where its operators promoted Raccoon and provided client support to cyber criminals.