Despite its expensive price and subscription-based business model, the Raccoon malware has grown increasingly popular among cybercriminals due to its ability to target at least 60 applications including most popular browsers.
The Raccoon infostealer, also known as Racealer, has gained a following on underground hacking forums as a result of its aggressive marketing strategy, use of bulletproof hosting and easy-to-use backend. This malware was first discovered last year by security researchers at the firm Cybereason and it costs $200 a month.
What sets Raccoon apart from other malware is the fact that it employs a subscription-based business model that includes technical support, bug fixes and updates. It also allows cybercriminals to steal data and cryptrocurrency from a wide range of browsers and other applications.
New analysis of Racoon by Cyberark has revealed that the malware, which is able to steal data from 35 browsers and 60 applications overall, is usually delivered through phishing campaigns and exploit kits.
Fraudulent emails containing Microsoft Office documents filled with malicious macros are sent out to potential victims in phishing campaigns while exploit kits are typically hosted on websites and victims are profiled for any potential browser-based vulnerabilities, before being redirected to the appropriate exploit kit to leverage them.
The Raccoon malware is able to steal financial information, online credentials, data from user’s PCs, cryptocurrencies and browser information such as cookies, browsing history and autofill content. The malware targets Google Chrome, Internet Explorer, Microsoft Edge and Firefox as well as many lesser known browsers. Raccoon can also compromise email clients such as ThunderBird, Outlook and Foxmail, among others.
Cryptocurrencies stored on users’ systems are also at risk as the malware seeks out Electrum, Ethereum, Exodus, Jaxx, Monero and Bither wallets by scanning for their default application folders.
The Raccoon malware isn’t likely going away any time soon as it recently received a number of updates from its creators according to Cyberark’s blog post on the matter, which reads:
“Similar to other “as-a-service” offerings, Raccoon is still being developed and supported by a group. Since we started the analysis of this sample, the Raccoon team members have improved the stealer and released new versions for the build, including the capability to steal FTP server credentials from FileZilla application and login credentials from a Chinese UC Browser. In addition, the attacker panel has been improved, some UI issues were fixed and the authors added an option to encrypt the builds right from the panel and downloaded it as a DLL.”