{"id":19476,"date":"2022-06-30T06:10:04","date_gmt":"2022-06-30T14:10:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/06\/30\/news-13209\/"},"modified":"2022-06-30T06:10:04","modified_gmt":"2022-06-30T14:10:04","slug":"news-13209","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/06\/30\/news-13209\/","title":{"rendered":"Raccoon Stealer returns with a new bag of tricks"},"content":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Thu, 30 Jun 2022 13:33:23 +0000<\/strong><\/p>\n<p>The popular malware Raccoon Stealer, which suspended operations after a developer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/raccoon-stealer-malware-suspends-operations-due-to-war-in-ukraine\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">allegedly died<\/a> in the Ukraine invasion, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/raccoon-stealer-is-back-with-a-new-version-to-steal-your-passwords\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">has returned<\/a>.<\/p>\n<p>Raccoon Stealer is malware-as-a-service, with the developers selling it to would-be users. The operation is a tightly run ship, to the extent that customers have <a href=\"https:\/\/news.sophos.com\/en-us\/2021\/08\/03\/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">digital signatures tied to their executables<\/a>. If a sample ends up on a malware scanning service, the authors know exactly which customer it leaked from.<\/p>\n<h2>So much data, so little time<\/h2>\n<p>Used for data theft, the tool is ubiquitous wherever credentials are being stolen. 
Cryptocurrency wallets, cookies, passwords, browser autofill data, and credit card data: <a href=\"https:\/\/blog.cyble.com\/2021\/10\/21\/raccoon-stealer-under-the-lens-a-deep-dive-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">pretty much anything<\/a> is up for grabs.<\/p>\n<p>Since 2019, Raccoon Stealer has been lifting data from the unwary. Cheap to purchase and packing a large range of features, it is able to steal from <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/racoon-malware-steals-your-data-from-nearly-60-apps\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">as many as 60 different applications<\/a> including:<\/p>\n<p><strong>Email<\/strong>: Outlook, Thunderbird<br \/><strong>Browsers<\/strong>: Firefox, Chrome, Microsoft Edge, Internet Explorer, Vivaldi, SeaMonkey<br \/><strong>Cryptocurrency apps<\/strong>: Exodus, Monero, Electrum, Jaxx<\/p>\n<p>Raccoon&#8217;s two most popular delivery methods are phishing campaigns (the tried and tested malicious Word document\/macro combination) and exploit kits. Once data is located on the target system, it is eventually placed into a .zip file and sent to the malware Command and Control (C&amp;C) server.<\/p>\n<p>Its operators are constantly innovating, for example <a href=\"https:\/\/threatpost.com\/raccoon-stealer-telegram\/178881\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">making use of Telegram<\/a> to operate C&amp;C. This is one malware project which wasn&#8217;t going to stay gone for long.<\/p>\n<h2>An all new raccoon rampage<\/h2>\n<p>The new version, Raccoon Stealer 2.0, was claimed to be sold on Telegram and in circulation since May 17. 
However, the claims about Telegram sales have since been shown to be fake.<\/p>\n<p>While functionality appears to be mostly similar to the original version, there are some <a href=\"https:\/\/blog.sekoia.io\/raccoon-stealer-v2-part-1-the-return-of-the-dead\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">notable differences<\/a>. The creators claim to have improved the software and resurrected their malware antics to &#8220;honour&#8221; the legacy of the teammate who died:<\/p>\n<blockquote class=\"wp-block-quote\">\n<p><em>After our teammate loss we made a decision that we can not leave our project and we will continue our work in his honour. Raccoon Stealer 2.0 was totally coded from the very beginning. New back-end, new front-end, absolutely new stealer software.<\/em><\/p>\n<\/blockquote>\n<h2>Smash and grab<\/h2>\n<p>Credit card data, autofill, browser passwords, and a big slice of cryptocurrency wallets are once more targets for Raccoon Stealer. The big change-up seems to be related to how data is exfiltrated. This new version doesn&#8217;t appear to be particularly stealthy.<\/p>\n<p>The name of the game in data exfiltration is to make as few moves as possible to help evade detection. Stealthy malware collects data as it goes and eventually sends the whole lot to its server in a single zip. If an infection is constantly pinging away, the chances of it being caught by security tools increase dramatically.<\/p>\n<p>Here, Raccoon Stealer seems to be throwing a little caution to the wind. The stealer sends data to the C&amp;C server every single time it adds something to its collection. Researchers also note that Raccoon Stealer 2.0 possesses no obfuscation or anti-analysis techniques.<\/p>\n<p>I&#8217;d love to know if some sort of data-driven analysis led the developers to the conclusion that smash-and-grab is ultimately more suited to their business model than waiting it out. 
Ultimately, this may be the one bright note for embattled IT admins in the wake of everyone&#8217;s least favourite raccoon&#8217;s re-emergence onto the malware scene.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2022\/06\/raccoon-stealer-returns-with-a-new-bag-of-tricks\/\">Raccoon Stealer returns with a new bag of tricks<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Thu, 30 Jun 2022 13:33:23 +0000<\/strong><\/p>\n<p>Infamous malware Raccoon Stealer is reportedly back in business after a break.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2022\/06\/raccoon-stealer-returns-with-a-new-bag-of-tricks\/\">Raccoon Stealer returns with a new bag of tricks<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[4503,3917,20214,3764,12640,26779,26780],"class_list":["post-19476","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cybercrime","tag-data-theft","tag-exfiltration","tag-malware","tag-malware-as-a-service","tag-raccoon-stealer","tag-raccoon-stealer-2-0"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19476","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19476"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19476\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19476"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19476"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19476"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}