Researchers on Tuesday reported that they have been tracking the activities of Raccoon Stealer, a widely used “stealer-as-a-service” malware.
Sophos researchers said in a blog that the campaign was of interest because as more organizations use web-based applications and services, browser-stored password and authentication cookies have become a prime target for hackers.
According to the researchers, Raccoon Stealer can collect passwords, cookies, and the “autofill” text for websites, including credit card data and other PII that’s potentially stored by the browser. And with a recent update, Raccoon also now targets cryptocurrency wallets and can retrieve or drop files on infected systems.
The malware-as-a-service model has become terrifying as it means there’s a well-run, ever-improving structure designed to compromise low-hanging fruit systems, said Ben Pick, senior application security consultant at nVisium. Pick said while the Raccoon Stealer payloads appear customizable based on the target, the methods of delivery are still mostly through emails.
“Thus, the best protection against this is performing due diligence by not installing or opening files from an email,” Pick explained. “To overcome the initial uncertainty, Raccoon Stealer has also utilized Google optimization to make the files appear more legitimate. Therefore, a cursory Google check no longer suffices to verify whether a document should be opened. The best counter is to not open files received in an email and to use out-of-band communications if it's absolutely necessary to send trusted files to trusted parties.”
Krishnan Subramanian, a researcher at Menlo Security, added that the first tactic seen in this campaign was usage of Google search results to direct victims to downloading malicious payloads. In a recent Gootloader Malware campaign, the Menlo Security team observed a similar tactic that showed the following:
- Attackers are compromising WordPress sites and injecting some popular search terms into compromised pages to artificially increase the page rank in search results, a technique known as SEO poisoning.
- When users search for these terms on popular search engines, the top of the search results show these malicious pages.
- When the user lands on these pages, they are presented with a link which is named after the search term they searched for.
Subramanian said Raccoon Stealer also uses the Telegram messenger for command and control. In the recent ISOMorph campaign, the Menlo Security team found malicious payloads hosted on Discord, another popular cloud messaging app. In the ISOMorph campaign the Menlo Security researchers observed the AsyncRAT tool being delivered via Discord
“Apps like Telegram and Discord have a huge active user base, making these a stealthy option to use for command and control,” said Subramanian.