Security researchers from Sophos Labs recently tracked a new campaign distributing the well-known Raccoon inforstealer. The malware, which is run on as-a-service basis by its developers, has been updated with new tactics, techniques and procedures to steal critical information from its targets. The information Raccoon steals can be uploaded either for sale in criminal marketplaces, or used by cybercriminals for other purposes.
The malware is not excessively sophisticated or innovative, yet its malware-as-a-service (MaaS) model gives cybercriminals a quick-and-easy method to make money by compromising sensitive user details.
The Raccoon infostealer was discovered by Cybereason researchers, who say that “this strain of malware first emerged as recently as 2019, and has already established a strong following among cybercriminals. Its popularity, even with a limited feature set, signals the continuation of a growing trend of the commoditization of malware as they follow a MaaS (Malware-as-a-Service) model and evolve their efforts.”
Raccoon Infostealer-As-A-Service
The malware appears to be controlled from a Tor-based command and control panel server. Like many other commercial web-based services, it is constantly under development with new features and bug fixes. It is even providing automated updates to malware already deployed on infected machines, Sophos says. Even though the malware-as-a-service is mostly sold on Russian speaking forums, it also has advertisements in English and offers support in English.
What is Raccoon capable of? The infostealer can harvest passwords, cookies, and the autofill text for websites, including credit card details and PII browser may store. The malware recently received a clipper update, meaning that it can now target cryptocurrency wallets, and can retrieve or drop files on compromised hosts.
How much does Raccoon malware cost?
According to Sophos analysis, an entry-level, seven-day subscription to Raccoon Stealer is available at $75. This type of malware can be purchased by anyone, regardless of any reputation in the criminal world, the researchers point out. “Services such as Raccoon permit nascent cybercriminals to establish a reputation that would let them subscribe to, or purchase, more advanced malware from more exclusive vendors.”
It is worth mentioning that binaries and even source code for some infostealers can be obtained for free. For example, a cracked version of the Azorult information stealer builder is posted on several download sites. Not to mention that there are various offensive security tools, like LaZagne, that threat actors can use for the same purpose. The LaZagne tool specifically has been used by the Dharma ransomware cybercrime gang.
The latest Raccoon campaigns also use SEO
“The vast majority of recent Raccoon samples are distributed via a single dropper campaign leveraging malicious websites,” Sophos says. Search engine optimization, shortly known as SEO, is another technique recently deployed by the cybercriminals behind the infostealer. SEO tricks navigate people looking for a particular software package to visit specific malicious sites and get infected with the malware. “Search for “[software product name] crack” on Google return links to websites that purport to provide downloads of software with license requirements bypassed,” the report shows.
The latest Raccoon campaign comes with search-engine optimized malicious sites that come high in Google results. In addition, they are also promoted on a YouTube channel with video about wares, or pirated software. The researchers also came across samples in telemetry rooted with two specific domains: gsmcracktools.blogspot.com and procrackerz.org.
The malicious sites are typically advertised as repositories of cracked legitimate software packages. However, the files delivered in the campaign were actually masqueraded as droppers. If the potential victim clicks on a link to download such a file, they get through a set of redirector JavaScripts hosted on Amazon Web Services. Then, the victim is sent to one of multiple download locations that deliver various versions of the dropper.
The reason this campaign has been so successful is the economics of an inforstealer.
“Multiplied over tens or hundreds of individual Raccoon actors, it generates a livelihood for Raccoon’s developers and a host of other supporting malicious service providers that allows them to continue to improve and expand their criminal offerings. And those offerings largely hit consumers—especially, as in this case, when they make use of searches for free versions of commercial software,” Sophos concludes.