Malware-As-A-Service Offering Is Popular on Underground Forums, Researchers Say
The operators behind the “Raccoon” infostealer Trojan have added new capabilities to this malware-as-a-service offering, which now has the ability to steal data from over 60 applications, according to researchers at the security firm CyberArk.
Cybercriminals are using the malware to target login credentials, credit card information, cryptocurrency wallets and browser information, according to the researchers’ report.
Raccoon, first spotted for sale in Russian underground forums in April 2019, rents for $75 per week or $200 per month, according to the report.
While an earlier report from security firm Cybereason found that Raccoon enabled credential stealing from Tor-hosted devices, the new analysis by CyberArk shows that the infostealer has now expanded its reach into popular web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge and others.
In addition, Raccoon now allows cybercriminals to exfiltrate data from a wide range of cryptocurrency wallets, including Electrum, Ethereum, Exodus, Jaxx and Monero, the researchers say. And the infostealer can now target a number of e-mail clients, such as Thunderbird, Outlook and Foxmail.
Attackers using Raccoon are looking to steal privileged credentials so they can achieve privilege escalation and lateral movement, according to the CyberArk researchers.
The analysis by the CyberArk researchers finds that Raccoon remains a fairly unsophisticated malware-as-a-service offering, but as its operators continue to develop it, it is becoming more capable of performing a wider range of malicious functions.
In addition to stealing data from browsers and cryptocurrency wallets, Raccoon can collect information from a targeted device, such as the version of the operating system running, system language, hardware information and lists of installed applications, the report notes.
Website advertising Raccoon malware-as-a-service (Source: CyberArk)
Cybercriminals can also configure Raccoon to take screenshots of a targeted device and then use the malware as a dropper to deploy second-stage malware, the report adds.
Because Raccoon is easy to use, less sophisticated cybercriminals can employ it in a variety of criminal schemes, according to CyberArk.
“What used to be reserved for more sophisticated attackers is now possible even for novice players who can buy stealers like Raccoon and use them to get their hands on an organization’s sensitive data,” the report notes. “And this goes beyond usernames and passwords to information that can get them immediate financial gain, like credit card information and cryptocurrency wallets.”
The Cybereason analysis notes that Raccoon has already infected “hundreds of thousands” of devices. Another report, by Recorded Future, finds that Raccoon remains one of the top-selling malware rentals on underground forums.