
Bad actors can use a variety of malware to steal sensitive information from unsuspecting victims.
And since user information has become a commodity, hackers see an opportunity to do business of their own. One way is by distributing a malware called 'Raccoon Stealer' under a MaaS (Malware-as-a-Service) model.
First discovered in April 2019, Raccoon costs $200 per month to use, according to researchers at endpoint security solutions provider Cybereason in a blog post.
Following the MaaS business model, the hackers offer 24×7 customer support for community questions and comments on Telegram as “glad0ff.”
It even has features like an easy-to-use automated backend panel.
This “gladoff” actor has been previously linked to a variety of malware like the Decrux and Acrux cryptominers, the Mimosa RAT and the ProtonBot loader, Cybereason said.

The malware is suspected to originate from Russia, and has been found to be aggressively marketed in underground forums.
The malware is often distributed through phishing attacks that use social engineering tricks, by bundling it with legitimate software hosted on sketchy websites, and through security exploits.
In order to deliver Raccoon, attackers leverage the Fallout exploit kit to spawn a PowerShell instance from Internet Explorer, and subsequently download the main payload of the infostealer.
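A defender can look for this delivery step in process-creation telemetry. The following is an added example, not code from Cybereason or the original article: it assumes Sysmon-style process-creation records (fields `Image`, `ParentImage`, `ProcessGuid`, `ParentProcessGuid`, `CommandLine`) and goes slightly beyond the text by also walking the parent chain, so PowerShell launched through an intermediate process is flagged as well. The sample events and the function name are constructed for illustration.

```python
import ntpath

BROWSERS = {"iexplore.exe"}               # Internet Explorer, as named in the article
SHELLS = {"powershell.exe", "pwsh.exe"}   # Windows PowerShell and PowerShell 7

def _name(path):
    """Lower-cased executable name from a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()

def find_browser_spawned_powershell(events, max_depth=4):
    """Return PowerShell launches that have Internet Explorer as an ancestor."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if _name(e.get("Image")) not in SHELLS:
            continue
        chain = [_name(e["Image"])]
        parent_image, parent_guid = e.get("ParentImage"), e.get("ParentProcessGuid")
        for _ in range(max_depth):        # bounded walk up the process tree
            pname = _name(parent_image)
            if not pname:
                break
            chain.append(pname)
            if pname in BROWSERS:
                hits.append({"guid": e["ProcessGuid"],
                             "chain": chain[::-1],
                             "cmd": e.get("CommandLine", "")})
                break
            parent = by_guid.get(parent_guid)
            if parent is None:            # parent's own record not in this batch
                break
            parent_image, parent_guid = parent.get("ParentImage"), parent.get("ParentProcessGuid")
    return hits

IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample records (not real telemetry); GUIDs shortened to letters.
SAMPLE_EVENTS = [
    {"ProcessGuid": "A", "ParentProcessGuid": "X", "Image": IE,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "iexplore.exe"},
    {"ProcessGuid": "B", "ParentProcessGuid": "A", "Image": PS,
     "ParentImage": IE, "CommandLine": "powershell.exe <constructed>"},
    {"ProcessGuid": "C", "ParentProcessGuid": "A", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": IE, "CommandLine": "cmd.exe <constructed>"},
    {"ProcessGuid": "D", "ParentProcessGuid": "C", "Image": PS.replace("powershell.exe", "PowerShell.EXE"),
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "PowerShell.EXE <constructed>"},
    {"ProcessGuid": "E", "ParentProcessGuid": "X", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for hit in find_browser_spawned_powershell(SAMPLE_EVENTS):
        print(" -> ".join(hit["chain"]), "|", hit["cmd"])
```

A PowerShell process started by the user from the desktop shell (record E) is not flagged; only launches that trace back to the browser are.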
Upon successful installation, the malware establishes a connection with its Command-and-Control (C2) server to transfer user data, which includes:
- Screenshots of what is displayed on the victims' computer.
- System information, such as username, IP address, language settings, OS version, information on installed apps, and CPU and memory information.
- Browser information, such as login credentials, cookies, and autofill data.
- Microsoft Outlook account data, including sensitive information stored in Mail clients, such as usernames and passwords.
- Cryptocurrency wallets.
- Credit card information.

But that only happens if the victim's device language settings are not set to Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik, or Uzbek.
After successfully gathering and uploading all of the victims' sensitive data, Raccoon deletes its binary to cover its tracks.
Raccoon has limited features, a relatively low infection success rate of about 45%, bugs, and some missing information or version compatibility issues in its stealing modules.
Still, in general, it has received positive reviews from the underground community.
This is probably because Raccoon is much like any other software-as-a-service: it is under active development.
The development team behind the malware seems to be quick, responsive, and dedicated, using short development cycles to release updates, bug fixes, and new features within days.

"Raccoon Stealer may not be the most innovative infostealer on the market, it is still gaining significant traction in the underground community. Based on testimonials from the underground community, the Raccoon team provides reliable customer service to give cybercriminals a quick-and-easy way to commit cybercrime without a huge personal investment," said the researchers.
The developers of the malware are also highly active in underground communities under the username "raccoonstealer", and frequently post replies to the communities.
With that said, many in the underground community believe that malware lacking in features, sophistication, or innovation can make up for its disadvantages when its developers provide consistency, an impressive level of service, support, and a quality user experience.
As explained by the researchers at Cybereason:
"The attacks are yet another sign that threat actors are actively exploiting software vulnerabilities and phishing techniques to distribute and install malware. It’s therefore very important that you patch your systems on a timely basis to stay protected from such attacks."
Further reading: 'Raccoon' Malware Haunts Users In More Than 35 Browsers And 60 Apps, Researchers Said