Raccoon malware steals data from 60 different applications

Written by Emma Davis

CyberArk experts warned that the Raccoon malware (aka Legion, Mohazo, and Racealer) steals data from 60 different applications, including popular browsers, email clients, and cryptocurrency wallets.

The Raccoon infostealer arrived in early 2019 and since April has been actively distributed through underground forums under the malware-as-a-service (MaaS) model.

Late last year, Cybereason Nocturnus researchers noted that the demand for Raccoon on the black market was gradually growing, and as a result, it infected hundreds of thousands of systems in North America, Europe and Asia. Both individuals and organizations became victims of these attacks.

“Raccoon has such ‘advantages’ as an easy-to-use control panel, bulletproof hosting and round-the-clock customer support in Russian and English. Moreover, at the time of writing, use of the malware costs only $200 per month ($75 per week)”, reported Cybereason Nocturnus researchers.

Raccoon infiltrates victims’ machines using exploit kits, phishing emails, or with the help of other malware that has already penetrated the system. For example, in 2019, Raccoon was distributed through the Fallout exploit kit.

Now, CyberArk analysts write that Raccoon can hardly be called a complex tool, but it continues to develop rapidly.

“For example, Raccoon recently added the ability to steal credentials from FileZilla, user interface errors were fixed, and developers added an option to encrypt user assemblies of malware directly from the UI for subsequent download as a DLL”, experts of CyberArk write.

As a result, the C++ malware is currently capable of stealing information from 35 different browsers and 60 applications overall.

Raccoon is able to steal financial information and credentials, information about an infected machine (OS version, language used, lists of installed applications, connected equipment, etc.), data from cryptocurrency wallets, and information from browsers, including cookies, history and autocomplete data.

Among other things, the malware targets almost all major popular browsers: Google Chrome, Google Chrome (Chrome SxS), Chromium, Xpom, Comodo Dragon, Amigo, Orbitum, Bromium, Nichrome, RockMelt, 360Browser, Vivaldi, Opera, Sputnik, Kometa, Uran, QIP Surf, Epic Privacy, CocCoc, CentBrowser, 7Star, Elements, TorBro, Suhba, Safer Browser, Mustang, Superbird, Chedot, Torch, Internet Explorer, Microsoft Edge, Firefox, WaterFox, SeaMonkey and PaleMoon.

Raccoon also tries to hack the Thunderbird, Outlook and Foxmail mail clients, and looks for Electrum, Ethereum, Exodus, Jaxx, Monero and Bither wallets on the infected system, trying to detect the wallet.dat file and find out the credentials.

“The same scheme applies to each target application. The malware steals application files containing confidential data: copies them to a temporary folder, performs information extraction and decryption procedures, writes the result to a separate file, and then transfers it to the management server”, said CyberArk researchers.

To retrieve and decrypt credentials, Raccoon uses special DLLs: the configuration JSON file contains the URL from where the malware downloads these libraries.
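The copy-to-temporary-folder scheme described above leaves a pattern a defender can look for in file-access telemetry: one process reading credential stores that belong to several different applications and writing to a Temp directory shortly afterwards. The following is an added example, not code from CyberArk or from the article; the event format, the owner allow-lists and the sample events are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Credential stores mapped to the process images expected to open them.
# File names are well-known Chromium/Firefox stores plus wallet.dat from the
# article; the owner lists are an assumption made for this example.
CHROMIUM = {"chrome.exe", "msedge.exe", "opera.exe", "vivaldi.exe"}
MOZILLA = {"firefox.exe", "thunderbird.exe"}
STORES = {
    "login data": CHROMIUM, "cookies": CHROMIUM, "web data": CHROMIUM,
    "logins.json": MOZILLA, "key4.db": MOZILLA,
    "wallet.dat": {"bitcoin-qt.exe"},
}

def find_staging(events, window=30, min_stores=2):
    """Map pid -> stores that a non-owner process read and then followed,
    within `window` seconds, with a write under a Temp directory."""
    reads = defaultdict(list)   # pid -> [(ts, store name)]
    hits = defaultdict(set)     # pid -> stores followed by a Temp write
    for ev in sorted(events, key=lambda e: e["ts"]):
        image = ntpath.basename(ev["image"]).lower()
        target = ev["path"].lower()
        store = ntpath.basename(target)
        if ev["op"] == "read":
            if store in STORES and image not in STORES[store]:
                reads[ev["pid"]].append((ev["ts"], store))
        elif ev["op"] == "write" and "\\temp\\" in target:
            for ts, name in reads[ev["pid"]]:
                if ev["ts"] - ts <= window:
                    hits[ev["pid"]].add(name)
    # A single store may be a backup tool; several stores from different
    # applications matches the "same scheme" behaviour described above.
    return {pid: sorted(s) for pid, s in hits.items() if len(s) >= min_stores}

def _ev(ts, pid, image, op, path):
    return {"ts": ts, "pid": pid, "image": image, "op": op, "path": path}

# Constructed sample events (not real telemetry).
P, T = r"C:\Users\bob\AppData", r"C:\Users\bob\AppData\Local\Temp"
CHROME_DIR = P + r"\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    _ev(10, 777, r"C:\Tools\backup.exe", "read", CHROME_DIR + r"\Network\Cookies"),
    _ev(50, 900, r"C:\Program Files\Google\chrome.exe", "read", CHROME_DIR + r"\Login Data"),
    _ev(51, 900, r"C:\Program Files\Google\chrome.exe", "write", T + r"\c.tmp"),
    _ev(100, 4242, P + r"\Roaming\upd.exe", "read", CHROME_DIR + r"\Login Data"),
    _ev(102, 4242, P + r"\Roaming\upd.exe", "read", P + r"\Roaming\Mozilla\Firefox\Profiles\x.default\logins.json"),
    _ev(104, 4242, P + r"\Roaming\upd.exe", "read", P + r"\Roaming\Wallet\wallet.dat"),
    _ev(105, 4242, P + r"\Roaming\upd.exe", "write", T + r"\a1.tmp"),
    _ev(500, 777, r"C:\Tools\backup.exe", "write", T + r"\b.tmp"),
]
```

Calling `find_staging(SAMPLE_EVENTS)` reports only the constructed process 4242; the browser reading its own store and the slow single-store backup job are not flagged.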

Proactively protecting vulnerable endpoints is critical to improving an organization’s overall security posture.
We have previously reported how to detect and get rid of the annoying Legion/Raccoon malware.
