By Sojun Ryu, The Readable
Jun. 16, 2022 8:42PM KST
The operator of Raccoon Stealer, who had been inactive since the Russia-Ukraine War began, has been confirmed to have returned with an upgraded V2 version. The current V2 build is being distributed disguised as cracked software installers, the same lure that was commonly used to spread V1.
On March 25, 2022, the operator of Raccoon Stealer announced on a dark web forum that they were suspending activity temporarily because a key developer had died in the Russia-Ukraine War, making it difficult to run the project on a stable basis. They left a message that they would be back in a few months with an all-new stealer, stating that this was not a permanent break but time to work on a second version. During the hiatus, newer stealers such as Mars, Eternity, and BlackGuard filled the void.
On May 17, 2022, the operator of Raccoon Stealer posted the details of changes, improvements, and prices to their Telegram channel, along with an announcement that development of the new version was complete. They said the stealer had been rebuilt in all three areas, the malware itself, the front-end, and the back-end, and claimed many improvements over the previous version. They also warned that bugs and failures were possible because it was being released as a beta. The price is slightly higher than V1, set at $275 per month and $125 per week.
According to analysis by S2W, with the update from V1 to V2 the log file generated by the stealer now carries the operator's signature as ASCII art: a raccoon figure together with the message “RACCOON STEALER V2.0”. Logs bearing this banner have already begun to be traded and shared among cybercriminals on the deep and dark web.
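For an analyst sorting through an acquired batch of stealer logs, the banner above is the simplest way to separate V2 output from V1 and from other families. The following is an added example (not S2W's tooling or code from the article) that scans a directory of log dumps for the “RACCOON STEALER V2.0” string reported above. The file names and log contents are constructed for the demonstration; the raccoon ASCII art itself is not reproduced, and only the text signature is matched. UTF-16 logs with a byte-order mark are normalised to UTF-8 before matching, which is an assumption about how such dumps may be encoded rather than a documented property of the stealer.

```python
import codecs
import re
import tempfile
from pathlib import Path

# Text signature reported for Raccoon Stealer V2 logs. Whitespace is matched
# loosely so line-wrapped or padded banners still hit.
V2_SIGNATURE = re.compile(rb"RACCOON\s+STEALER\s+V2\.0", re.IGNORECASE)


def normalise(data: bytes) -> bytes:
    """Re-encode UTF-16 dumps (BOM-prefixed) as UTF-8 so the byte regex applies."""
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return data.decode("utf-16", errors="ignore").encode("utf-8")
    return data


def has_v2_signature(data: bytes) -> bool:
    """True if a single log blob carries the V2 banner."""
    return V2_SIGNATURE.search(normalise(data)) is not None


def classify_log_dir(root: Path) -> dict[str, bool]:
    """Map each file under root (relative path) to whether it carries the V2 banner."""
    return {
        str(p.relative_to(root)): has_v2_signature(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


# Constructed sample dump: file names and contents are invented for this example.
SAMPLE_LOGS = {
    "dump_a/info.txt": b"   RACCOON   STEALER   V2.0\nBuild: beta\n",
    "dump_b/info.txt": "RACCOON STEALER V2.0\r\n".encode("utf-16"),
    "dump_c/info.txt": b"Raccoon log\nCPU: 4 cores\n",
    "dump_d/notes.txt": b"Mars stealer export\n",
}


def demo() -> dict[str, bool]:
    """Write the constructed dump to a temp dir and classify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_LOGS.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)
        return classify_log_dir(root)


if __name__ == "__main__":
    for name, is_v2 in demo().items():
        print(f"{name}: {'raccoon_v2' if is_v2 else 'other/unknown'}")
```

Matching a banner string is a triage aid, not a detection rule: an operator can change or drop the ASCII art at any time, so pair this with structural checks on the log layout once more V2 samples are available.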
Furthermore, the format of the configuration received from the attacker's server was changed from JSON to a custom format. Some functional changes were confirmed, such as the addition of browser-extension wallet hijacking, but overall behavior does not appear to differ significantly from V1. However, as the operator noted, development is not yet complete, so continued feature additions are highly likely.
The cover image of this article was designed by Sangseon Kim and Areum Hwang.
Sojun Ryu is a cybersecurity researcher for The Readable. He graduated from the “Best of the Best” next-generation security expert training program (BoB) at the Korea Information Technology Research Institute (KITRI) in 2013, and holds a master’s degree in information security from Sungkyunkwan University in Korea. He worked at KrCERT/CC for seven years, analyzing malware and responding to incidents. He is also one of the authors of "Operation Bookcodes," published by KrCERT/CC in 2020. Recently, Ryu has been focusing on threat intelligence, cybercrime, and advanced persistent threats (APT) by expanding into the deep, dark web with TALON, the Cyber Threat Intelligence group at S2W.