Raccoon Password Stealer is Back Again


Raccoon Stealer, one of the most prolific data stealers in digital history, is back and more effective than ever. The re-emergence of the malware, best known for stealing personal information such as passwords, files, and biometric data, was first spotted by the French cybersecurity company Sekoia in the last week of June 2022. According to the firm's analysis, the authors of Raccoon Stealer have rewritten the code from scratch and added screenshot capturing and keystroke logging to its list of capabilities. With the code expected to be released on criminal marketplaces soon, the full impact of its resurgence is yet to be determined.

See: https://redskyalliance.org/xindustry/raccoon-stealer-returns

Also known as Legion, Mohali, and Racealer, Raccoon Stealer is a ransomware application best known for stealing personal user data. The Ukrainian MaaS group first gained notoriety throughout 2021 for spamming malicious links and infiltrating servers. Raccoon Stealer is an information-stealing trojan distributed under the MaaS (malware-as-a-service) model for $75/week or $200/month. Threat actors who subscribe to the operation get access to an admin panel that lets them customize the malware, retrieve stolen data (aka logs), and create new malware builds. After a brief but impactful tirade, its lead developer was killed in Russia's invasion of Ukraine, forcing the cyber gang to cease operations. Security analysts noticed the malware on hacker forums earlier in June 2022, so it appears the group's time off was a brief one.

According to a recent report, the authors of the malware have since improved the trojan's efficiency, performance, and stealing capabilities and have been selling it on Telegram since 17 May 2022. It appears that the data stealer is still in its workshop phase and is currently only available to a small pool of cybercriminals. Like its predecessor, Raccoon Stealer 2.0 is capable of stealing personal information including passwords, browser cookies, crypto wallet details, geo-location, and autofill data from its victims. Due to advancements in its code, cybercriminals can also use the malware to access fingerprint information, keystrokes, private screenshots, web browser extensions, private files, and data stored in installed apps.

Unlike most trojans, Raccoon transmits data each time it successfully claims an item and does not use any obfuscation techniques. While this makes the malware easier to spot, it is also credited with dramatically improving its effectiveness.[1]

Unfortunately, with the full version of the malware expected to be released in July 2022, and with cyber actors already distributing Raccoon Stealer in its current form, researchers fear that the worst may be yet to come.

Data stealers like Raccoon Stealer are becoming more widespread and active than ever. If your business is serious about tackling these threats head-on, a multi-pronged cybersecurity strategy is needed. If something does not seem right to you, it is likely you already have an infection.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings



[1] https://tech.co/news/raccoon-password-stealer-back-effective