Raccoon Stealer Gets an Update, Propagates Additional Malware
Raccoon Stealer is the name of a cryptocurrency-stealing malware family and of the platform through which its operators sell it on a malware-as-a-service model. The malware has just received a new update, which security researchers working with Sophos have picked apart, publishing an analysis of their findings.
Raccoon Stealer is sold primarily on Russian-language underground hacking sites and is intended as a quick and easy solution for aspiring criminals who cannot write their own malware from scratch and are willing to pay for an existing product. The latest update changes a number of things about the malware, as outlined by Sophos.
It seems Raccoon Stealer is slowly shifting away from propagation through malicious emails and is gradually trying to gain traction in Google search results for queries about cracked or pirated software. This is not the first time malware has been found piggybacking on fake paid-software cracks, but it shows a considerable amount of effort on the part of Raccoon's developers to optimize their malicious pages well enough that they rank this high for Google searches such as "cracked X" or "Y keygen".
Once the fake crack is downloaded, what victims actually execute is a dropper. During the infection process, the droppers and the executables they contain fetch self-extracting archive files. Sophos found that these appeared to carry the signatures of tools such as 7-Zip or WinZip, but the file headers had been modified or the signatures otherwise falsified, as those archive tools cannot open or extract the malicious archives at all.
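The "carries an archive signature but no archive tool can open it" symptom described above is something a defender can test for directly. The following is an added example written for this article (not Sophos's tooling and not derived from the actual samples): it scans a blob such as a self-extracting executable for the 7z magic bytes and then validates the signature header's CRC fields against the publicly documented 7z layout. The SFX stub and archive bytes used as input are constructed for the example.

```python
import struct
import zlib

# Magic bytes of the 7z container format (from the public 7z format documentation).
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"


def check_7z_signature_header(data: bytes, offset: int) -> dict:
    """Validate the 7z signature header found at `offset` in `data`.

    Layout per the 7z format description:
      6 bytes magic | 1 byte major | 1 byte minor | 4 bytes StartHeaderCRC
      followed by the 20-byte StartHeader:
      8 bytes NextHeaderOffset | 8 bytes NextHeaderSize | 4 bytes NextHeaderCRC
    StartHeaderCRC is CRC32 over the 20-byte StartHeader, and NextHeaderOffset
    is relative to the end of the 32-byte signature header.
    """
    hdr = data[offset:offset + 32]
    if len(hdr) < 32 or hdr[:6] != SEVENZ_MAGIC:
        return {"ok": False, "reason": "no complete 7z signature header at offset"}
    major, minor, start_crc = struct.unpack_from("<BBI", hdr, 6)
    start_header = hdr[12:32]
    if zlib.crc32(start_header) & 0xFFFFFFFF != start_crc:
        return {"ok": False, "reason": "StartHeaderCRC mismatch"}
    next_off, next_size, next_crc = struct.unpack_from("<QQI", start_header)
    begin = offset + 32 + next_off
    end = begin + next_size
    if next_size == 0 or end > len(data):
        return {"ok": False, "reason": "next header lies outside the file"}
    if zlib.crc32(data[begin:end]) & 0xFFFFFFFF != next_crc:
        return {"ok": False, "reason": "NextHeaderCRC mismatch"}
    return {"ok": True, "reason": "valid", "version": (major, minor)}


def assess_sfx(blob: bytes) -> dict:
    """Scan a blob (e.g. a self-extracting .exe) for embedded 7z headers.

    Verdicts: "no-signature" (nothing claims to be 7z), "valid" (at least one
    structurally consistent header), "tampered" (magic bytes present, but every
    header fails its integrity checks, which is what a forged SFX looks like).
    """
    results = []
    pos = blob.find(SEVENZ_MAGIC)
    while pos != -1:
        results.append((pos, check_7z_signature_header(blob, pos)))
        pos = blob.find(SEVENZ_MAGIC, pos + 1)
    if not results:
        return {"verdict": "no-signature", "detail": []}
    verdict = "valid" if any(r["ok"] for _, r in results) else "tampered"
    return {"verdict": verdict, "detail": [(p, r["reason"]) for p, r in results]}


def build_toy_7z(next_header: bytes) -> bytes:
    """Construct a minimal, internally consistent 7z-shaped blob.

    Constructed test data, not a real archive: there are no packed streams,
    so the next header directly follows the 32-byte signature header.
    """
    start_header = struct.pack("<QQI", 0, len(next_header),
                               zlib.crc32(next_header) & 0xFFFFFFFF)
    signature = (SEVENZ_MAGIC + bytes([0, 4])
                 + struct.pack("<I", zlib.crc32(start_header) & 0xFFFFFFFF))
    return signature + start_header + next_header


# Constructed samples: a fake PE-like stub followed by an archive body.
STUB = b"MZ" + b"\x00" * 62 + b"[constructed SFX stub, not a real executable]"
GOOD_SFX = STUB + build_toy_7z(b"\x01\x04\x06\x00")

_tampered = bytearray(GOOD_SFX)
_tampered[GOOD_SFX.find(SEVENZ_MAGIC) + 8] ^= 0xFF  # corrupt one byte of StartHeaderCRC
TAMPERED_SFX = bytes(_tampered)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_SFX), ("tampered", TAMPERED_SFX), ("text", b"hello")):
        print(name, assess_sfx(blob))
```

Run on a real SFX, the scanner reports "valid" for a genuine 7-Zip self-extractor and "tampered" for a file that merely carries the magic bytes; the toy archive here has no packed streams, so a real file's NextHeaderOffset will be non-zero, which the check already handles.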
The ultimate payloads the Raccoon Stealer dropper can deliver vary and include cryptominer malware, cryptostealers that monitor the clipboard and replace any wallet address they find with one belonging to the attackers, and malicious browser extensions.
The clipboard clipper, which quietly swaps out wallet strings and so redirects any transaction the victim makes to the attackers' wallet, is another new addition to Raccoon Stealer's toolkit. Sophos calls the new clipper module in Raccoon "QuilClipper".
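A clipper of the kind described above has to replace a copied address with a different address of the same family, or the victim's wallet would reject the substitute. That constraint gives a defender something to look for. The example below is added here and is not part of the original article or of Sophos's analysis: it classifies clipboard strings by address family with deliberately loose regexes and flags any poll where one address was replaced by a different address of the same family. The address strings and polling sequence are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Deliberately loose address patterns, constructed for this example; a real
# monitor would add checksum validation (Base58Check, bech32, EIP-55) to cut
# false positives.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address family a clipboard string looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class SwapAlert:
    index: int    # position in the snapshot sequence where the change was seen
    kind: str     # address family preserved across the change
    before: str
    after: str


def detect_swaps(snapshots: List[str]) -> List[SwapAlert]:
    """Flag consecutive clipboard snapshots where one wallet address was
    replaced by a different address of the same family.

    The heuristic alone cannot distinguish a silent swap from a user copying
    two addresses in a row, so a production monitor would also correlate
    with user copy events; this is a candidate detector over a recorded
    polling sequence.
    """
    alerts = []
    for i in range(1, len(snapshots)):
        prev, cur = snapshots[i - 1].strip(), snapshots[i].strip()
        kind = classify(cur)
        if kind is not None and classify(prev) == kind and prev != cur:
            alerts.append(SwapAlert(i, kind, prev, cur))
    return alerts


# Constructed polling sequence (all addresses are made up for this example).
CLIPBOARD_SAMPLES = [
    "meeting notes for Tuesday",
    "1AbcDefGhJkMnPqRsTuVwXyZ23456789AB",           # user copies a BTC address
    "1ZyXwVuTsRqPnMkJhGfEdCbA98765432ZY",           # silently replaced, same family
    "1ZyXwVuTsRqPnMkJhGfEdCbA98765432ZY",           # unchanged on the next poll
    "0xabcdef0123456789abcdef0123456789abcdef01",   # user copies an ETH address
    "0x1111111111111111111111111111111111111111",   # silently replaced
    "done",
]

if __name__ == "__main__":
    for alert in detect_swaps(CLIPBOARD_SAMPLES):
        print(f"snapshot {alert.index}: {alert.kind} address changed "
              f"{alert.before[:8]}... -> {alert.after[:8]}...")
```

The same check is also the manual habit worth teaching users: compare the first and last characters of a pasted address against the one that was copied before confirming a transaction.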
Raccoon Stealer also applies a considerable amount of obfuscation to the data it sends to and receives from infected systems.