Raccoon
Malware⚠️ Overview
Raccoon Stealer is an information-stealing malware first identified in 2019 by cybersecurity researchers at Morphisec and later tracked by Intel471. It operates as a malware-as-a-service (MaaS) on underground forums, primarily attributed to Russian-speaking threat actors. It belongs to the infostealer category, designed to harvest credentials, browser data, cryptocurrency wallets, and system information from infected hosts.
🔧 Technical Capabilities
Raccoon Stealer achieves initial access through phishing emails containing malicious attachments or links that download loaders (e.g., VBScripts, PowerShell). It performs extensive data collection from Chromium- and Gecko-based browsers (stored passwords, cookies, autofill data), FTP clients (FileZilla), email clients (Thunderbird), and cryptocurrency wallet extensions. The malware uses a TCP-based command and control (C2) protocol over HTTP POST requests, frequently cycling through domains hosted on bulletproof providers. Persistence is established by writing a copy to the Startup folder or modifying registry Run keys (MITRE ATT&CK T1547.001). Evasion techniques include anti-debugging checks, VM detection via hardware artifacts, and use of process hollowing (T1055.012) to inject into legitimate processes like explorer.exe. Version 2.0, released in 2022 after a law enforcement disruption, introduced encrypted configuration files and modular plugin support for stealing further data types.
📜 History & Notable Incidents
Raccoon Stealer first surfaced on cybercrime forums in April 2019, sold for $200/month for a builder and C2 panel. A major campaign occurred in 2020–2021 targeting e‑commerce credentials and corporate VPN access, with victims spanning finance, retail, and technology sectors. In March 2022, an FBI-led operation (Operation Raccoon) arrested a Ukrainian national known as “Tetra” in the Netherlands, leading to a temporary takedown of the infrastructure; however, within months a second version was released by remaining developers. No specific CVEs are associated with the malware itself, but it often leverages exploits for remote code execution in document formats or browser vulnerabilities.
🔍 Detection Indicators
Known file hashes include SHA256 8a7c9d0e1f2b... (example) from early samples, though hundreds of variants exist. Behavioral signatures include sudden mass file reads from browser profile directories (%LOCALAPPDATA%GoogleChromeUser DataDefaultLogin Data) and creation of mutexes like ChromeMutx or RaccoonMutex. Network IOCs feature C2 domains with patterns such as *.xyz or *.top TLDs and User-Agent strings mimicking Mozilla/5.0 but missing typical headers (e.g., no Accept-Language). Registry keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with random names. MITRE ATT&CK software ID S0456 and technique mappings T1005 (Data from Local System), T1055.012 (Process Hollowing), and T1071.001 (Web Protocols).
☠️ Risk & Impact
Raccoon Stealer causes severe data exfiltration, leading to credential theft that enables account takeover, lateral movement, and ransomware deployment. Financial losses from stolen cryptocurrency wallet keys and corporate VPN access have been estimated in the millions of dollars, with affected sectors including e‑commerce, finance, education, and healthcare according to FBI flash alerts. The malware often acts as a gateway for follow‑on attacks such as Ryuk or Conti ransomware.
🛡️ Mitigation
Defenders should enforce multi‑factor authentication, block known C2 domain patterns using threat intelligence feeds, and deploy endpoint detection rules (Sigma or YARA) that monitor for browser credential stealing behavior. Regular patching of browsers and document viewers, along with user awareness training against phishing, reduces initial infection risk. Network‑based detection can focus on anomalous HTTP POST requests to unusual domains with small payloads.
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.