Raccoon Infostealer

Raccoon Infostealer (AKA Racealer), first observed in April 2019, is a simple but popular, effective, and inexpensive Malware-as-a-Service (MaaS) sold on Dark Web forums. Raccoon’s payload is a modular C/C++ binary designed to infect 32-bit and 64-bit systems Windows-based systems. Raccoon stealer targets browser autofill passwords, history, and cookies, credit cards, usernames, passwords, cryptocurrency wallets, and other sensitive data. 

In early 2022, Raccoon’s maintainers shut down operations temporarily due to the impact of the Ukraine war on its members. However, in June 2022, Raccoon returned with an updated version, including upgraded infrastructure and a completely rebuilt payload. In October 2022, a member of the Ukraine-based Raccoon group was indicted by a US grand jury for conspiracy to violate the Computer Fraud and Abuse Act for his alleged participation in the development of Raccoon. 26-year-old Mark had previously faked his death, claiming to be killed in the Russian-Ukraine war.

Raccoon has been attributed with hundreds of thousands of infections and is comparable to the prolific Azorult stealer malware in terms of its impact on global cybersecurity. During its peak, Raccoon was one of the most discussed malware strains on hacker forums, where its operators promote Raccoon and provide client support to cyber criminals. Raccoon’s MaaS costs only $75 per week or $200 monthly.

Upon execution, Raccoon checks for the presence of its mutex: %UserName% + “m$V1-xV4v” on the target system to avoid a double infection. If not found, Raccoon creates the mutex, fingerprints the target system, and sends the data to one of its command-and-control (C2) outposts. Raccoon typically uses Telegraph or Discord for C2 operations. Raccon’s C2 host location is obfuscated in the payload using base64 encoding and RC4 encryption. From there, Raccoon uses the process injection technique to hijack the legitimate explorer.exe process and spawns new processes with elevated privileges.

Depending on the target’s system profile, Raccoon imports copies of legitimate Windows DLLs, extracts sensitive information from well-known applications, and follows a standard process for each targeted application. This process first locates each application’s cache of sensitive information, copies the original cache file to a temporary folder, extracts and encrypts sensitive data from the cache, and finally writes the contents to Raccoon’s main operating directory. 

For browsers, Raccoon uses sqlite3.dll to query the application’s SQLite database and steals user autologin passwords, credit card data, cookies, and browser history. Raccoon also has custom modules to steal data from the following applications:

• Cryptocurrency applications: extracts Exodus, Monero, Jaxx, Binance, and others by looking for wallet data files in default locations
• Password managers: extracts Bitwarden, 1Password, and LastPass data from their default locations
• Email clients: extracts email communications from Outlook, ThunderBird, and Foxmail
• Other Applications: extracts Steam gaming platform data, including the Steam Authorisation or Steam Sentry File, as well as Discord, and Telegram account login credentials

Some versions of Raccoon can also break TLS encryption under certain conditions allowing Raccoon to effectively man-in-the-middle (MiTM) the infected host’s internet connection. Notably, some versions of Raccoon check the target’s user language preference identifier and halt operation if Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik, or Uzbek locations are detected. However, this safety measure to protect certain groups is only sometimes employed.

The best way to defend against a Raccoon Infostealer attack is to employ advanced endpoint protection on all devices and enforce strong access controls, including multi-factor authentication to prevent stolen credentials from leading to account takeover. 

Some activities that can help protect against a Raccoon attack:

• Consider user awareness training to educate personnel about phishing techniques and develop standard operating procedures (SOP) for handling suspicious emails and documents
• Implement strong network security, including least-privilege, role-based access controls, multi-factor authentication, and defense-in-depth to reduce the potential damage of stolen credentials 
• Install and configure advanced endpoint security products on all endpoints to detect indicators of compromise (IOC) and take defensive action to block Raccoon payloads from executing
• Implement Zero Trust solutions wherever possible, giving priority to critical systems