Three weeks ago, the operators of the Raccoon multifunctional stealer, which was in great demand in the cybercriminal underground, announced the closure of the project due to the death in Ukraine of one of the key members of the group. Judging by the operators' statement that they could no longer maintain and release stable versions of the malware, the main developer of the code became a victim of the dramatic political events.
We observed the last stealer activity on March 23, 2022, after which the Raccoon operators apparently took down the management infrastructure and closed the service, which is clearly visible on our radars.
The malware first went into production in April 2019 and has since been leased out under the «MaaS» («Malware-as-a-Service») business model, providing customers with a ready-made management infrastructure and extensive data theft functionality covering:
- bank cards
- cryptocurrency wallets
- web browsers (cookies and passwords)
- Steam accounts
- Telegram accounts
- FTP clients
In addition, Raccoon was equipped with functions for loading other malicious modules and executing PowerShell scripts, which made it possible to use the stealer as a tool for initial access and persistence in the attacked system.
On the eve of the project's closure, the operators announced the possibility, unique at that time, of using Telegram channels as C&C servers, which greatly increased the stealer's ability to evade detection by security solutions and its attractiveness compared to similar competitors.
Impressive functionality, regular updates and round-the-clock support explain the results of our analysis, according to which Raccoon was used even by such cybercriminal groups as EvilCorp (ServHelper), Emotet and QakBot.
Still, the stealer's most frequent neighbors on payload infrastructure were its main competitors in the same market - the RedLine and Arkei stealers. Obviously, such an arsenal «in one box» allowed attackers to maximize their chances of penetration and persistence in systems by combining malicious modules.
Following the standard geopolitical taboos of cybercrime, the Raccoon operators, obviously from post-Soviet countries, forbade their clients to use the stealer against the infrastructure of companies resident in the CIS countries. Buyers who broke this rule were punished with immediate exclusion from the partner program without the possibility of a refund.
Indeed, in the data collected by our system, we could not detect signs of the stealer's presence in the information systems of the former USSR countries, but we managed to identify an impressive list of attacked companies and institutions in other countries, including:
- airline in Iceland
- cryptocurrency exchange in the USA
- ski resort in Canada
- construction company in the UK
- construction company in France
- developers of mobile games and applications in the USA
- manufacturer of household appliances in China
- network of perfume stores in the USA
- advertising agency in Turkey
- advertising agency in Spain
- restaurant chain in India
- hotel in India
- car dealer in Germany
- university in Germany
However, strict rules did not prevent Raccoon clients from using servers and domains located and registered in Russia as payload infrastructure. The leading countries in terms of the scale of the infrastructure used to deliver Raccoon samples, along with Russia, were the USA, Germany, the Netherlands and Turkey, which unexpectedly took 3rd place in this ranking because of a whole bulletproof file-sharing network hosted there.
There were no surprises among the TLD zones used. 18% of the total number of Raccoon domains are registered in the XYZ and TOP domain zones popular with cybercrime. What was unexpected was to discover that 3% of the stealer's identified payload domains were registered in the TLD zone of Uganda. The fact that they were all delegated to a single server located in the Seychelles indicates a targeted malicious campaign, probably carried out by one of Raccoon's clients in the summer-autumn of 2021 against residents of that African country.
In the vast majority of the cases we identified, Raccoon stealer samples were distributed in the form of encrypted executable files, and only in isolated cases did cybercriminals attempt to use steganography to hide the malicious payload in image files.
In 53% of the detected cases, Raccoon service clients used leased private dedicated servers to store malicious samples. However, only 16% of those servers had domain names delegated to them for carrying out targeted phishing attacks enhanced by social engineering, in most cases related to distributing the stealer under the guise of free software.
In the remaining 47% of cases, the attackers used sites implicitly trusted by security solutions, giving preference to popular file-sharing sites. Technically more complex and costly options for distributing malicious samples through compromised legitimate Internet resources using the «Watering Hole» technique are rare. The currently popular method of distributing malware through Discord channels was not ignored either.
Due to the death of the main developer, the resumption of the Raccoon service should not be expected in the near future. Moreover, the probable residence of the main stealer operators on the territory of Ukraine makes the group dependent on the foreign policy situation and shifts the emphasis towards primitive physiological needs.
However, despite the announcement of the service's closure, the Raccoon partner registration panel continues to function, and the group's official accounts on cybercriminal forums are not blocked. The Telegram accounts of the 3 main operators are also showing signs of life. Therefore, we cannot rule out the reappearance of this popular stealer on our radars in the future.
In the meantime, we continue to observe how the stealer market is being captured by Raccoon's competitors - RedLine and Arkei.