On August 14, 2023, the threat actor managing Raccoon Stealer announced the return of the tool after a six-month break, as well as an updated version 2.3.0 with updates based on “feedback and analysis of customer requirements and market trends.”
Context
On August 15, 2023, researchers at Cyberint reported technical details of a resurgent campaign involving the Raccoon Stealer malware after a significant hiatus. Raccoon Stealer is a prominent malware-as-a-service offering that threat actors use to steal victim credentials and cryptocurrency information.
Technical Details
Cyberint researchers outlined the new features of this Raccoon Stealer version:
- “Quick search for cookies and passes – The new Raccoon admin panel introduces a new way to search for URLs in the latest version.
- Automatic bot blocking and panel display – A new system is now added to the infostealer to detect unusual activity patterns, such as multiple accesses from the same IP address or range.
- Reporting System – This feature was added to block IP Addresses used by crawlers and bots often used by Security Practitioners to monitor Raccoon Traffic.
- Log Statistics – With this, any Threat Actor who purchases the Raccoon Stealer can see the top countries by the number of logs, as in the first versions of our stealer.”
Mitigation Options
Cyberint researchers provided the following defense recommendations:
- “Develop and enforce a comprehensive security policy that outlines best practices for employees, including guidelines on password management, email usage, and software updates.
- Provide regular security awareness training to employees to educate them about the risks of infostealer malware, phishing attacks, and safe online practices.
- Implement robust endpoint security solutions, including advanced antivirus and anti-malware software, to detect and prevent infostealer infections on devices used within the organization.
- Ensure that email security controls are applied to limit the delivery of potentially malicious attachments or links to end-users, as well as implementing protocols and security controls such as DKIM, DMARC and SPF.
- Enforce using MFA for accessing sensitive systems and applications, adding an extra layer of security even if credentials are compromised.
- Develop and regularly update an incident response plan that outlines the steps to take in case of an infostealer malware incident. This plan should include isolation, containment, eradication, and recovery procedures.
- Conduct regular security audits and assessments to ensure that your security practices align with industry standards and regulations.
- Those using cryptocurrencies should consider the use of hardware-based wallets and ensure that payment addresses are verified before submitting a transaction.”
IOCs
Cyberint researchers provided the following IOCs:
| Indicator | Type | Notes |
|---|---|---|
| 012e382049b88808e2d0b | SHA256 | From May 2021 |
| 18c27b85f26566dd782171e | SHA256 | From May 2021 |
| 24499fbfd8a2b2663899841 | SHA256 | From May 2021 |
| 3c5120a6e894b64924dc44 | SHA256 | From May 2021 |
| 40175d0027919244b6b56f | SHA256 | From May 2021 |
| 624b7ae8befcf91dbf768d9 | SHA256 | From May 2021 |
| 75c3a83073d9b15d4f4730 | SHA256 | From May 2021 |
| 8815b21c44c22aec31f7fa6 | SHA256 | From May 2021 |
| 97e95e99fd499ec45a7c1d | SHA256 | From May 2021 |
| a2420c7f0c7bf5d3c0893a | SHA256 | From May 2021 |
| bfb37c9adc809e880f56dd | SHA256 | From May 2021 |
| caf3eca514de58e215b5e9f | SHA256 | From May 2021 |
| de7ccff53ca27db1ed1e3e0d | SHA256 | From May 2021 |
| hxxps://telete[.]in/jiocacossa | URL | From May 2021 |
| hxxps://tttttt[.]me/kokajakprozak | URL | From May 2021 |
| hxxps://tttttt[.]me/antitantief3 | URL | From May 2021 |
| hxxps://telete[.]in/baudemars | URL | From May 2021 |
| hxxps://telete[.]in/bpa1010100102 | URL | From May 2021 |
| hxxps://tttttt[.]me/brikitiki | URL | From May 2021 |
| hxxps://tttttt[.]me/ch0koalpengold | URL | From May 2021 |
| 195[.]201[.]225[.]248 | IP Address | Resolves to telete[.]in and related domains |
| 95[.]216[.]186[.]40 | IP Address | Resolves to tttttt[.]me and related domains |
| telete[.]in | Domain | Initial ‘call home’ to an unofficial Telegram service |
| telecut[.]in | Domain | Suspicious domain related to telete[.]in |
| tgraph[.]io | Domain | Suspicious domain related to telete[.]in |
| tttttt[.]me | Domain | Initial ‘call home’ to an unofficial Telegram service |
| telegram[.]cat | Domain | Suspicious domain related to tttttt[.]me |
| telegram[.]services | Domain | Suspicious domain related to tttttt[.]me |
| tlgr[.]org | Domain | Suspicious domain related to tttttt[.]me |
| xn--r1a[.]click | Domain | (т[.]click) – Suspicious domain related to tttttt[.]me |
| xn--r1a[.]link | Domain | (т[.]link) – Suspicious domain related to tttttt[.]me |
| xn--r1a[.]live | Domain | (т[.]live) – Suspicious domain related to tttttt[.]me |
| xn--r1a[.]site | Domain | (т[.]site) – Suspicious domain related to tttttt[.]me |
| xn--r1a[.]website | Domain | (т[.]website) – Suspicious domain related to tttttt[.]me |
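As an added defender-side example (not part of the Cyberint report or this advisory), the following Python refangs a subset of the domain and IP indicators above and checks them against constructed DNS query log lines, treating the Cyrillic form т.click and its punycode A-label xn--r1a.click as the same name; the dnsmasq-style log format and the client addresses are assumptions.

```python
import re

# Subset of the Cyberint indicators listed above, kept in their defanged form.
DEFANGED_IOCS = [
    "telete[.]in", "tttttt[.]me", "telecut[.]in", "tgraph[.]io", "tlgr[.]org",
    "telegram[.]cat", "telegram[.]services", "xn--r1a[.]click", "xn--r1a[.]link",
    "xn--r1a[.]site", "195[.]201[.]225[.]248", "95[.]216[.]186[.]40",
]

# Constructed dnsmasq-style log lines; not taken from the report.
SAMPLE_LOG = """\
Aug 16 10:01:02 dnsmasq[911]: query[A] www.telegram.org from 10.0.0.5
Aug 16 10:01:07 dnsmasq[911]: query[A] т.click from 10.0.0.7
Aug 16 10:01:07 dnsmasq[911]: reply т.click is 95.216.186.40
Aug 16 10:01:09 dnsmasq[911]: query[A] api.TELETE.in. from 10.0.0.9
Aug 16 10:01:11 dnsmasq[911]: query[A] tlgr.org.example.com from 10.0.0.11
"""

def refang(ioc):
    """Turn a defanged indicator ('hxxps', '[.]') back into its real form."""
    return re.sub(r"^hxxp", "http", ioc.strip().lower()).replace("[.]", ".")

def normalize_host(name):
    """Lowercase, drop the trailing dot and encode IDN labels as punycode."""
    name = name.strip().lower().rstrip(".")
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:  # malformed names simply never match
        return name

WATCHLIST = {normalize_host(refang(i)) for i in DEFANGED_IOCS}
QUERY = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")
REPLY = re.compile(r"reply\s+(\S+)\s+is\s+(\S+)")

def matched_suffix(host, watchlist=WATCHLIST):
    """Return the watched domain that host equals or is a subdomain of, else None.
    Only whole-label suffixes count: tlgr.org.example.com is not a hit."""
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in watchlist:
            return ".".join(labels[i:])
    return None

def scan_log(text, watchlist=WATCHLIST):
    """Return (source, observed value, matched indicator) tuples for each hit."""
    hits = []
    for line in text.splitlines():
        if m := QUERY.search(line):
            if hit := matched_suffix(m.group(1), watchlist):
                hits.append((m.group(2), normalize_host(m.group(1)), hit))
        elif (m := REPLY.search(line)) and m.group(2) in watchlist:
            hits.append((normalize_host(m.group(1)), m.group(2), m.group(2)))
    return hits
```

Running scan_log(SAMPLE_LOG) flags the т.click query, the reply resolving to 95.216.186.40 and the subdomain of telete.in, while the unrelated telegram.org lookup and the look-alike tlgr.org.example.com produce no hit.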