Cybersecurity News that Matters

Raccoon stealer is back on track

by Sojun Ryu, Areum Hwang, Sangseon Kim

Jun. 16, 2022
11:42 AM GMT+9

The operator of Raccoon Stealer, who had been out of action since the Russia-Ukraine War began, has recently been confirmed to have returned with an upgraded V2 version. The current V2 version is distributed disguised as a cracked software installer, the same lure that was commonly used to spread V1.

Source: S2W

On March 25, 2022, the operator of Raccoon Stealer announced on a dark web forum that they were temporarily halting activity because a key developer had died in the Russia-Ukraine War and the project could no longer be run on a stable footing. They left a message that they would be back in a few months with an all-new stealer, stressing that this was not a permanent break but time to work on a second version. During the discontinuation of Raccoon Stealer, new stealers such as Mars, Eternity, and BlackGuard filled the void.

Source: S2W

On May 17, 2022, the operator of Raccoon Stealer announced on their Telegram channel that development of the new version was complete, and posted details of the changes, improvements, and prices. They redeveloped the stealer in all three areas (software, front-end, and back-end) and claimed many improvements over the previous version. They also warned that, since it is released as a beta, there may be bugs and failures. The price is slightly higher than V1, set at $275 per month and $125 per week.

Source: S2W

According to analysis by S2W, with the update from V1 to V2 the log file generated by the stealer now carries the operator's signature as ASCII art: a raccoon figure together with the message "RACCOON STEALER V2.0". Logs bearing this signature have already begun to be traded and shared among cybercriminals on the deep and dark web.

Source: S2W

Furthermore, the format of the configuration received from the attacker's server was changed from JSON to a custom format. Some functional changes were confirmed, such as the addition of browser-based wallet hijacking, but the overall behavior does not appear to differ significantly from V1. However, as the operator themselves noted, development is not yet complete, so continued feature enhancements are very likely.
