Raccoon Malware, a success case in the cybercrime ecosystem

Pierluigi Paganini February 24, 2020

Raccoon Malware is a recently discovered infostealer that can extract sensitive data from about 60 applications on a targeted system.

Racoon malware, Legion, Mohazo, and Racealer, is an infostealer that recently appeared in the threat landscape that is advertised in hacking forums.

The malware is cheap compared to similar threats, it is able to steal sensitive data from about 60 applications, including (browsers, cryptocurrency wallets, email and FTP clients).

The Raccoon stealer was first spotted in April 2019, it was designed to steal victims’ credit card data, email credentials, cryptocurrency wallets, and other sensitive data.

Raccoon is offered for sale as a malware-as-a-service (MaaS) that implements an easy-to-use automated backend panel, operators also offer bulletproof hosting and 24/7 customer support in both Russian and English. The price of the Raccoon service is $200 per month to use.

The Raccoon stealer is written in C++ by Russian-speaking developers that initially promoted it exclusively on Russian-speaking hacking forums. The malware is now promoted on English-speeaking hacking forums, it works on both 32-bit and 64-bit operating systems.


The analysis of the logs for sale in the underground community allowed the experts to estimate that Raccoon infected over 100,000 users worldwide at the time of its discovery.

The list of targeted applications includes cryptocurrency apps for major currencies (Electrum, Ethereum, Exodus, Jaxx, and Monero), popular browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, Internet Explorer, Opera, Vivaldi, Waterfox, SeaMonkey, UC Browser) and email client like Thunderbird, Outlook, and Foxmail.

According to a report published by security firm CyberArk, Raccoon is mostly delivered through Exploit Kits and Phishing Campaigns.

The malware is also able to collect system details (OS version and architecture, language, hardware info, enumerate installed apps).

Attackers can customize its Raccoon instance to capture snapshots or to deliver additional malicious payloads.

“Like most of the credential stealers, the client (i.e. the attacker) can customize his or her own configuration for the stealer functionality, which can be saved in the binary built by the malware or in the C&C server, and sent back to the malware when executing.” reads the report published by CyberArk.

“In Raccoon, after the client chooses the configuration, the malware builder generates a configuration ID for the client’s configuration and writes this ID to the compiled malware.”

Experts also discovered that attackers leverage the malware for lateral movements once compromised a system on the target network.

Researchers pointed out that the malware is under continuous development, its authors are actively improving it by addressing multiple issues and implementing new features.

“the Raccoon team members have improved the stealer and released new versions for the build, including the apability to steal FTP server credentials from FileZilla application and login credentials from a Chinese UC Browser.” continues the analysis. “In addition, the attacker panel has been improved, some UI issues were fixed and the authors added an option to encrypt the builds right from the panel and downloaded it as a DLL.”

Even if the malware is very simple it is considered very efficient and its low price makes it easy to rent.

“What used to be reserved for more sophisticated attackers is now possible even for novice players who can buy stealers like Raccoon and use them to get their hands on an organization’s sensitive data. And this goes beyond usernames and passwords to information that can get them immediate financial gain like credit card information and cryptocurrency wallets.” concludes CyberArk.

“Even though Raccoon is not the most sophisticated tool available, it is still very popular among cybercriminals and will likely continue to be.”

Additional technical details about the malware

CyberArk’s report today comes with indicators of compromise (IoC) and a YARA rule to catch a Raccoon infection.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment