Contents:
Raccoon malware, a commonly-used information stealing virus that’s being sold as a service, has received several upgrades from its creator to add tools in order to extract cryptocurrency from users’ devices.
What Is Raccoon Malware?
Raccoon (also known as Mohazo or Racealer) is a modern info stealer type malware sold as a Malware as a Service. It can be acquired for a subscription for the price of $200 monthly. According to researchers, its developer obtained approximately $1200 in subscription fees over the course of six months.
The malware, first sighted in 2019 has infected more than 100.000 computers and rapidly became one of the most popular viruses on the Russian dark web forums.
The security organization Sophos has been tracking a particularly functional campaign by cybercriminals employing Raccoon Stealer and noticed that the malware was spread via droppers posing as installers for cracked and stolen software.
This is uncommon for Raccoon Stealer service as it usually spread malware through spam emails.
According to the new research from Sophos, the malware dropped to the targets might include:
- Djvu/Stop (a ransomware targeted in the first place at home users)
- crypto-miners
- YouTube click-fraud bots
- “clippers” (malware that steals cryptocurrencies by making changes to the victim’s system clipboard during cryptocurrency transactions and modifying the destination wallet)
- malicious browser extensions
What Kind of Information Is Stealing?
Raccoon is capable of gathering passwords, cookies, and the “autofill” text for websites, including credit card information and other private identifying information that may be stored by the browser.
A recent clipper update allows Raccoon Stealer to target cryptocurrency wallets, and recover or drop files on damaged systems.
Nevertheless, the upgraded information malware stealer also has a clipper for stealing cryptocurrency. The clipper dubbed QuilClipper snatches cryptocurrency and Steam trade transactions, directing them to the malware’s developer.
QuilClipper steals cryptocurrency and Steam transactions by continuously monitoring the system clipboard of Windows devices it infects, watching for cryptocurrency wallet addresses and Steam trade offers by running clipboard contents through a matrix of regular expressions to identify them.
How Does It Work?
Raccoon malware functions through a Tor-based command-and-control (C2) server to manage the exfiltration of data and victim management.
Each executable of their malware has a signature bound up with the user so that if a sample of their malware appears on VirusTotal or other malicious sites, “they can trace it back to the customer who may have leaked it.”
Security researchers at Sophos stated the Raccoon Malware had stolen approximately $13,200 worth of cryptocurrency and mined another $2,900 over a 6-month period.
It’s these kinds of economics that make this type of cybercrime so attractive — and pernicious.
Multiplied over tens or hundreds of individual Raccoon actors, it generates a livelihood for Raccoon’s developers and a host of other supporting malicious service providers that allows them to continue to improve and expand their criminal offerings.