RecordBreaker
⚠️ Overview
RecordBreaker, also tracked as Raccoon Stealer v2, is an information-stealing malware first observed in mid-2022 as the successor to the original Raccoon Stealer (active since 2019). It is a data stealer sold under a malware-as-a-service (MaaS) model on underground forums to other cybercriminals. According to Zscaler ThreatLabz, the rewritten version is developed and maintained by the same Raccoon Stealer team, which suspended operations in March 2022 after law enforcement disrupted its infrastructure and arrested an alleged operator, and which returned a few months later under the new name with a new codebase.
🔧 Technical Capabilities
RecordBreaker steals saved credentials, browser cookies and autofill data, cryptocurrency wallet files, and system information. It does not hook browser processes; it reads the browsers' on-disk profile databases directly, downloading the legitimate helper libraries it needs to parse them (for example sqlite3.dll and Mozilla's nss3.dll) from its command-and-control (C2) server at run time. Strings in the binary, including the C2 addresses, are RC4-encrypted and Base64-encoded. The check-in is an HTTP POST whose body carries a machine identifier, the logged-on user name and a configuration ID (the RC4 key); the server answers with the collection configuration and the list of libraries to fetch. The stealer itself does not set up persistence: it runs once, exfiltrates and exits, so Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or scheduled tasks found on an infected host belong to the loader that delivered it. Anti-analysis in publicly analysed v2 samples is limited; checks such as IsDebuggerPresent, VMware/VirtualBox registry artefacts and NtDelayExecution-based sleeps reported in some write-ups vary between builds and should be confirmed against the sample in hand before being turned into detection logic. The malware does include a loader function and has been observed downloading and executing follow-on payloads, including remote access trojans such as AsyncRAT and the Lumma Stealer, as reported by Malwarebytes.
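Public analyses of Raccoon Stealer v2 (Zscaler, Sekoia) describe its configuration strings, C2 URLs included, as RC4-encrypted and then Base64-encoded, and its check-in as an HTTP POST body of the form machineId=<GUID>|<user>&configId=<key>. The Python below is an added example written for this page, not code from the original article or from the malware itself; it shows how an analyst undoes that layering (Base64 is the outer layer, so it comes off first) and pulls the fields out of a captured check-in body. The RC4 key, the URLs and the separator between URLs are constructed for the example and are not taken from a real sample.

```python
import base64
import re

# Layering reported for Raccoon Stealer v2 config strings: plaintext -> RC4 -> Base64.
# Key and separator are constructed for this example, not recovered from a sample.
EXAMPLE_KEY = b"example-rc4-key"
URL_SEPARATOR = "|"   # assumption for this example


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_c2_list(urls, key: bytes) -> str:
    """Forward direction (what a builder does): join -> RC4 -> Base64."""
    plain = URL_SEPARATOR.join(urls).encode("utf-8")
    return base64.b64encode(rc4(key, plain)).decode("ascii")


def decode_c2_list(blob: str, key: bytes):
    """Reverse direction (what an analyst does): Base64 -> RC4 -> split.
    Base64 is the outer layer, so it is removed first."""
    plain = rc4(key, base64.b64decode(blob)).decode("utf-8", errors="replace")
    return [u for u in plain.split(URL_SEPARATOR) if u]


# Check-in body shape reported for v2: "machineId=<GUID>|<user>&configId=<key>".
CHECKIN_RE = re.compile(
    r"^machineId=(?P<machine_id>[^|&]+)\|(?P<user>[^&]+)&configId=(?P<config_id>[^&]+)$"
)


def parse_checkin(body: str):
    """Extract the fields from a captured POST body, or None if it is not a v2 check-in."""
    m = CHECKIN_RE.match(body.strip())
    return m.groupdict() if m else None


if __name__ == "__main__":
    urls = ["http://203.0.113.10/", "http://198.51.100.7/"]   # RFC 5737 test addresses
    blob = encode_c2_list(urls, EXAMPLE_KEY)
    print("encoded:", blob)
    print("decoded:", decode_c2_list(blob, EXAMPLE_KEY))
    # constructed check-in body, not a real capture
    print(parse_checkin("machineId=12345678-aaaa-bbbb-cccc-1234567890ab|alice&configId=example-rc4-key"))
```

The RC4 routine is kept separate so it can be checked against the standard test vector (key "Key", plaintext "Plaintext" gives BBF316E8D940AF0AD3) before being trusted on real sample data; a decoder that silently produces garbage with the wrong key is the usual failure mode here, which is why the example splits on a separator only after decryption and drops empty fields.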
📜 History & Notable Incidents
RecordBreaker first appeared in June 2022, roughly three months after the original Raccoon Stealer went quiet in March 2022, when the FBI, working with Dutch and Italian authorities, dismantled its infrastructure and an alleged operator was arrested (the US charges were unsealed in October 2022). Notable campaigns include widespread distribution via SEO poisoning and malicious search-engine advertising aimed at users searching for cracked software (e.g., Adobe products, WinRAR). Zscaler is cited for a June 2023 campaign that distributed RecordBreaker through a fake Zoom installer and exfiltrated credentials from more than 500 victims within a week. No CVEs are associated with RecordBreaker itself: it relies on social engineering for delivery rather than exploiting software vulnerabilities.
🔍 Detection Indicators
Indicators circulated for RecordBreaker should be validated before they are loaded into a blocklist. The SHA256 value given here, 3c8e6a1b2f4d7c9e0a5b6d3f2e1c4a5b6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1 (attributed to a VirusTotal sample via Intel471), is 63 hexadecimal characters long and therefore cannot be a complete SHA-256 digest; recover the full hash from the primary source before using it. Reported behavioural indicators include the mutex Global\RaccoonStealerV2Mutex and the registry key HKCU\Software\RecordBreaker. Reported network indicators include the C2 domains recordbreaker[.]xyz and raccooncloud[.]net (source: Abuse.ch); stealer C2 domains rotate quickly, so a short static list like this is a seed for retro-hunting, not a complete blocklist. Observed User-Agent strings mimic legitimate browsers, e.g. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 with a non-standard minor version, so match on the complete string rather than the prefix, which real browsers share.
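Before any of the indicators above are acted on they should be machine-checked. The Python below is an added example written for this page, not code from the original article or from any vendor: it refangs the listed domains, rejects the printed hash because it is not 64 hex characters, and scans a few proxy log lines for the C2 domains, including a look-alike host (notrecordbreaker.xyz) that a naive suffix check would wrongly flag. The log format and every log line are constructed for the example; only the hash and the two domains are taken from the page as printed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators exactly as printed on this page; treat them as unverified.
PAGE_SHA256 = "3c8e6a1b2f4d7c9e0a5b6d3f2e1c4a5b6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1"
PAGE_C2_DOMAINS = ["recordbreaker[.]xyz", "raccooncloud[.]net"]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(indicator: str) -> str:
    """Undo common defanging ([.] and hxxp) so the value matches real log fields."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def validate_sha256(hashes: List[str]) -> Dict[str, str]:
    """Return {hash: reason} for every entry that cannot be a SHA-256 digest."""
    problems = {}
    for h in hashes:
        value = h.strip().lower()
        if not SHA256_RE.match(value):
            problems[h] = "expected 64 hex characters, got %d" % len(value)
    return problems


def host_matches(host: str, domain: str) -> bool:
    """Exact match or subdomain match; a host that merely ends in the same
    characters (notrecordbreaker.xyz vs recordbreaker.xyz) must not match."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


@dataclass
class Hit:
    line_no: int
    src_ip: str
    host: str
    matched: str


def scan_proxy_log(lines: List[str], c2_domains: List[str]) -> List[Hit]:
    """Flag requests to a listed C2 domain or one of its subdomains.

    Log format is constructed for this example (tab separated):
        <timestamp> <src_ip> <method> <host> <path> <user_agent>
    """
    domains = [refang(d) for d in c2_domains]
    hits = []
    for n, line in enumerate(lines, start=1):
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 6:
            continue                     # malformed line; count these in production
        _ts, src_ip, _method, host, _path, _ua = fields[:6]
        for d in domains:
            if host_matches(host, d):
                hits.append(Hit(n, src_ip, host, d))
                break
    return hits


# Constructed sample log lines (not real traffic). Line 4 is the suffix trap.
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SAMPLE_LOG = [
    "2024-01-10T09:12:01Z\t10.0.4.23\tPOST\trecordbreaker.xyz\t/\t" + UA,
    "2024-01-10T09:12:03Z\t10.0.4.23\tGET\tcdn.raccooncloud.net\t/nss3.dll\t" + UA,
    "2024-01-10T09:12:05Z\t10.0.4.77\tGET\twww.example.com\t/index.html\t" + UA,
    "2024-01-10T09:12:07Z\t10.0.4.77\tGET\tnotrecordbreaker.xyz\t/\t" + UA,
]

if __name__ == "__main__":
    for bad, why in validate_sha256([PAGE_SHA256]).items():
        print("rejected hash %s: %s" % (bad, why))
    for hit in scan_proxy_log(SAMPLE_LOG, PAGE_C2_DOMAINS):
        print("line %d: %s -> %s (matched %s)" % (hit.line_no, hit.src_ip, hit.host, hit.matched))
```

Run as written, the hash is rejected and only lines 1 and 2 are reported; line 4 is left alone because the match requires either equality or a dot boundary before the C2 domain.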
☠️ Risk & Impact
RecordBreaker's direct impact is credential theft and data exfiltration, leading to account takeover, financial fraud and, inside organizations, a foothold for lateral movement. Sectors most affected include finance, e-commerce and technology, with small-to-medium businesses especially exposed because of weaker endpoint controls. Credentials and session cookies harvested by stealers of this class are resold to initial-access brokers and used by ransomware affiliates; a CISA advisory (cited here as AA23-350A) is given as the source for the link to LockBit and BlackCat initial access, and that advisory identifier should be confirmed against cisa.gov before it is reused.
🛡️ Mitigation
Organizations should enforce multi-factor authentication (MFA), preferably phishing-resistant, and keep session lifetimes short, because a stealer that captures session cookies can bypass MFA by replaying them; deploy endpoint detection and response (EDR) with behavioural rules for credential theft (for example, a non-browser process reading browser Login Data or Cookies databases, or fetching nss3.dll or sqlite3.dll from the network); block known C2 domains with DNS sinkholing or response policy zones; and restrict software installation to approved sources to close the cracked-software delivery vector. Community Sigma rules (SOC Prime, SigmaHQ) and Malpedia YARA rules exist for the Raccoon family; the specific rule names quoted here (proc_creation_win_recordbreaker_dll_injection and malpedia_recordbreaker.yara) should be confirmed in the current repositories before deployment, since rule file names change.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.