Raccoon malware affects all browsers


Karlston


(Image credit: Andriano.cz / Shutterstock)

 

Despite its expensive price and subscription-based business model, the Raccoon malware has grown increasingly popular among cybercriminals due to its ability to target at least 60 applications including most popular browsers.

 

The Raccoon infostealer, also known as Racealer, has gained a following on underground hacking forums as a result of its aggressive marketing strategy, use of bulletproof hosting and easy-to-use backend. This malware was first discovered last year by security researchers at the firm Cybereason and it costs $200 a month.

 

What sets Raccoon apart from other malware is the fact that it employs a subscription-based business model that includes technical support, bug fixes and updates. It also allows cybercriminals to steal data and cryptocurrency from a wide range of browsers and other applications.

Raccoon malware

New analysis of Raccoon by Cyberark has revealed that the malware, which is able to steal data from 35 browsers and 60 applications overall, is usually delivered through phishing campaigns and exploit kits.

Fraudulent emails containing Microsoft Office documents filled with malicious macros are sent out to potential victims in phishing campaigns while exploit kits are typically hosted on websites and victims are profiled for any potential browser-based vulnerabilities, before being redirected to the appropriate exploit kit to leverage them.

 

The Raccoon malware is able to steal financial information, online credentials, data from users' PCs, cryptocurrencies and browser information such as cookies, browsing history and autofill content. The malware targets Google Chrome, Internet Explorer, Microsoft Edge and Firefox as well as many lesser-known browsers. Raccoon can also compromise email clients such as Thunderbird, Outlook and Foxmail, among others.

 

Cryptocurrencies stored on users' systems are also at risk as the malware seeks out Electrum, Ethereum, Exodus, Jaxx, Monero and Bither wallets by scanning for their default application folders.

 

The Raccoon malware isn't likely going away any time soon as it recently received a number of updates from its creators according to Cyberark's blog post on the matter, which reads:

 

“Similar to other “as-a-service” offerings, Raccoon is still being developed and supported by a group. Since we started the analysis of this sample, the Raccoon team members have improved the stealer and released new versions for the build, including the capability to steal FTP server credentials from FileZilla application and login credentials from a Chinese UC Browser. In addition, the attacker panel has been improved, some UI issues were fixed and the authors added an option to encrypt the builds right from the panel and downloaded it as a DLL.”

 

 

Source: Raccoon malware affects all browsers (TechRadar)


Raccoon Malware Steals Your Data From Nearly 60 Apps


 

An infostealing malware that is relatively new on cybercriminal forums can extract sensitive data from about 60 applications on a targeted computer.

 

The malware scene is constantly changing, and what used to be top of the line a few years ago is now available for a modest price by comparison and with a much richer set of features.

 

Raccoon infostealer was observed in the wild for the first time almost a year ago and has quickly gained in popularity due to its low price and generous features.

 

Unsophisticated yet good enough

Also known as Legion, Mohazo, and Racealer, the malware was initially promoted only on Russian-speaking forums, but it soon made its entrance in the English-speaking space. The malware was first seen in the wild in April 2019 and it is distributed under the MaaS (malware-as-a-service) model for $75/week or $200/month.

 

For this money, the attackers get access to an administration panel that lets them customize the malware, access stolen data, and download the builds of the malware.

This model is widely adopted today because it opens the door to a larger number of cybercriminal customers, many lacking the proper technical knowledge but compensating in business experience.

 

An analysis from CyberArk found that it is written in C++ and is far from being a complex tool. However, it can steal sensitive and confidential information from almost 60 programs (browsers, cryptocurrency wallets, email and FTP clients).

 


 

 

All the popular browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, Internet Explorer, Opera, Vivaldi, Waterfox, SeaMonkey, UC Browser) are on the list of targets along with more than 20 other solutions, which are robbed of cookies, history, and autofill information.

 

Hot cryptocurrency apps like Electrum, Ethereum, Exodus, Jaxx, and Monero are of interest, with the malware searching for their wallet files in the default locations. However, Raccoon can also scan the system to grab wallet.dat files regardless of where they are stored.

 

From the email client software category, Raccoon looks for data from at least Thunderbird, Outlook, and Foxmail.

 

In a report today, CyberArk researchers say that this infostealer relies on the same procedure to steal the data: locate and copy the file with the sensitive info, apply extraction and decryption routines, and place the info in a text file ready for exfiltration.

 

Additional capabilities in the malware include collecting system details (OS version and architecture, language, hardware info, installed apps).

 

Attackers can also customize Raccoon's configuration file to snap pictures of the infected systems' screens. Additionally, the malware can act as a dropper for other malicious files, essentially turning it into a stage-one attack tool.

 

This type of malware is not necessarily used for immediate benefits as it is useful for increasing permissions on the system or for moving to other computers on the network.

 

"After fulfilling all his stealing capabilities, it gathers all the files that it wrote to temp folder into one zip file named Log.zip. Now all it has to do is send the zip file back to the C&C server and delete its trace" - CyberArk

 

Like all malware riding the popularity wave, Raccoon is actively improved with fixes for various issues, new functions, and capabilities.

 

While analyzing one sample, researchers noticed new versions being released, which extended support for targeted apps, adding FileZilla and UC Browser, and adding the option to encrypt malware builds straight from the administration panel and getting them in DLL form.

 


 

Raccoon does not use any special techniques to extract information from targeted programs, yet it is one of the most popular infostealers on cybercriminal forums. Recorded Future notes in a report from July 2019 that it was one of the best-selling malware in the underground economy.

 

Three months later, researchers at Cybereason also noted that the malware was enjoying positive reviews from the community, with many actors praising and endorsing the malware. Established members, though, criticized its simplicity and its lack of features present in tools of the same feather.

 

However, despite its simplicity, its infection count is at hundreds of thousands of computers across the world.

 

This shows that technical features are not necessarily what attackers are after when choosing a malicious tool but a good balance between price, accessibility, and capabilities.

 

"What used to be reserved for more sophisticated attackers, now even novice players can buy stealers like Raccoon with the intention of getting their hands on an organization's sensitive data" - CyberArk

 

Among the delivery methods used for Raccoon, security researchers observed it being dropped via exploit kits, phishing, and PUA (potentially unwanted applications).

 

CyberArk's report today comes with indicators of compromise (IoC) and a YARA rule to catch a Raccoon infection.

 

Source
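The post above describes a fixed collection routine: read credential and wallet stores, stage the extracted text in the Temp folder, bundle it as Log.zip, ship it to the C&C and delete the staged files. The following is an added defender-side example, not code from the posts or from CyberArk's report: it correlates per-process file events over constructed telemetry (the event format, process names and paths are assumptions) and flags only processes that show the whole pattern, which is far less noisy than alerting on any single read of a browser database.

```python
"""Correlate per-process file events into the stage-to-Temp-then-Log.zip pattern."""
from collections import defaultdict

# Constructed file-event telemetry, not real Raccoon output. Format: "time|process|action|path".
# update.exe shows the full pattern; chrome.exe only reads its own database;
# backup.exe writes a Log.zip but never touched a sensitive store.
SAMPLE_EVENTS = """\
10:00:01|update.exe|read|C:/Users/a/AppData/Local/Google/Chrome/User Data/Default/Login Data
10:00:01|update.exe|write|C:/Users/a/AppData/Local/Temp/chrome_logins.txt
10:00:02|update.exe|read|C:/Users/a/AppData/Roaming/Mozilla/Firefox/Profiles/x.default/cookies.sqlite
10:00:02|update.exe|write|C:/Users/a/AppData/Local/Temp/ff_cookies.txt
10:00:03|update.exe|read|C:/Users/a/AppData/Roaming/Electrum/wallets/default_wallet
10:00:03|update.exe|write|C:/Users/a/AppData/Local/Temp/electrum.txt
10:00:04|update.exe|write|C:/Users/a/AppData/Local/Temp/Log.zip
10:00:05|update.exe|delete|C:/Users/a/AppData/Local/Temp/chrome_logins.txt
10:00:06|chrome.exe|read|C:/Users/a/AppData/Local/Google/Chrome/User Data/Default/Login Data
10:00:07|backup.exe|write|C:/Users/a/AppData/Local/Temp/Log.zip
"""

# Fragments of the browser, wallet and mail stores the posts name (lowercase, matched case-insensitively).
SENSITIVE_MARKERS = ("login data", "cookies", "places.sqlite", "wallet.dat", "electrum",
                     "exodus", "jaxx", "thunderbird", "foxmail")


def parse_events(text):
    """Yield (process, action, path) from the pipe-delimited telemetry, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            _time, proc, action, path = line.split("|", 3)
            yield proc, action, path


def is_temp(path):
    return "/temp/" in path.lower()


def score_processes(events, min_sources=2):
    """Return {process: findings} for processes that read at least min_sources distinct
    sensitive stores and then wrote a Log.zip under a Temp folder."""
    state = defaultdict(lambda: {"sources": set(), "log_zip": False, "cleanup": 0})
    for proc, action, path in events:
        low, s = path.lower(), state[proc]
        if action == "read" and any(m in low for m in SENSITIVE_MARKERS):
            s["sources"].add(path)
        elif action == "write" and is_temp(path) and low.endswith("/log.zip"):
            s["log_zip"] = True
        elif action == "delete" and is_temp(path):
            s["cleanup"] += 1          # staged files removed after packaging
    return {p: {"sources": sorted(s["sources"]), "cleanup": s["cleanup"]}
            for p, s in state.items() if s["log_zip"] and len(s["sources"]) >= min_sources}


def find_suspects(text=SAMPLE_EVENTS):
    return score_processes(parse_events(text))


if __name__ == "__main__":
    for proc, info in find_suspects().items():
        print(proc, info)
```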

 



Similar topic merged from Mobile News.

 

(Original article's "Racoon" misspelling means Search wouldn't have seen this existing "Raccoon" topic. Spelling corrected in above post.)



15 hours ago, Karlston said:

Similar topic merged from Mobile News.

 

(Original article's "Racoon" misspelling means Search wouldn't have seen this existing "Raccoon" topic. Spelling corrected in above post.)

Yeah, the spelling glitch would have misled the 'search' query to return misleading information.

Thanks! 



RACCOON BANKING MALWARE THREATENS USERS OF CHROME, FIREFOX AND EDGE


 

Cyberark security researchers are warning of the resurgence of the banking malware Raccoon. The latter is enjoying growing popularity on hacking forums. It can steal banking and crypto-currency data by exploiting flaws in Chrome, Edge, Firefox… – more than 35 browsers and 60 applications in total, including email clients. The services of this malware are rented on the dark net.

 

This malware, first discovered in 2019, is, like Cerberus, malware as a service (MaaS). In other words, a malicious program whose users hire the services with a complete package, available from $200 per month. And this is one of the reasons to fear it right away: anyone can indeed use it for a fee.

 

RACCOON MALWARE: 35 BROWSERS AND 60 PROGRAMS AFFECTED

 


 

The hackers who maintain it provide a protected hosting space for the control server, with an intuitive interface. But also technical support and regular updates. At this price, it is not the cheapest option for beginner pirates, but Cyberark researchers note that it is the simplest and most complete. Especially since this banking malware is more sophisticated than the other examples detected in nature. Raccoon can indeed exploit vulnerabilities in 35 browsers and 60 programs in total, including:

 

  • Google Chrome
  • Chromium
  • Xpom
  • Comodo Dragon
  • Amigo
  • Orbitum
  • Brom
  • nichrome
  • RockMelt
  • 360Browser
  • Vivaldi
  • Opera
  • Sputnik
  • Kometa
  • Uran
  • QIP Surf
  • Epic Privacy
  • CocCoc
  • CentBrowser
  • 7Star
  • Elements
  • TorBro
  • Suhba
  • Safer Browser
  • Mustang
  • Superbird
  • Chedot
  • Torch
  • Internet Explorer
  • Microsoft Edge
  • Firefox
  • Waterfox
  • SeaMonkey
  • PaleMoon
  • Thunderbird
  • Outlook
  • Foxmail

 

The main factor of infection is phishing campaigns and exploit kits. Malicious e-mails generally contain an attachment, often an office document containing a malicious macro. Once launched, the malware copies the files containing sensitive data (mainly access to cryptocurrency wallets, cookies, history and autofill content) to a temporary folder, then extracts and decrypts the data before sending it to the so-called “Control and command server”.

 

Researchers say the malware can easily steal crypto from the following wallets: Electrum, Ethereum, Exodus, Jaxx, Monero, and Bither. Development around Raccoon remains very active, so there is not necessarily an effective method of protection, except to be particularly wary of emails with attachments. A complete analysis of the malware and its risks is available on the Cyberark website.

 

Source



Similar topic merged.

 

(Search would have found this topic)
