A new version of Raccoon Stealer has been released. Dubbed Raccoon Stealer v2, it is written in C (the earlier version was in C++) and differs from its predecessor in several key ways, while keeping the same data-stealing mechanism.

Knowing Raccoon Stealer v2

A technical analysis confirms that the new Raccoon Stealer sample is about 56KB, runs on both 32- and 64-bit systems without any dependencies, and downloads only eight legitimate DLLs from its C2 servers.
  • The data stolen by Raccoon Stealer v2 include basic system fingerprinting information, data stored in web browsers, cryptocurrency wallets, web browser extensions, and individual files, among others.
  • The malware sends data to its C2 every time it collects a new item. This raises the risk of detection, but it also means that anything collected before the malware is spotted and removed has already been exfiltrated.

Detected earlier?

Raccoon v2, an information-stealing malware, was first spotted in June. Researchers were already discussing a new malware family on Twitter under the name RecordBreaker, without realizing that it was the next version of Raccoon Stealer.

A comparison with the previous version

  • A major change is in the way the list of C2 servers is obtained. The previous version abused Telegram to retrieve its C2 list; the latest version does not.
  • v2 instead contacts a hardcoded IP address of an attacker-controlled server to obtain the list of C2 servers, after which the next-stage payload, mostly DLLs, is downloaded.
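As an added example (not code from Cyware or from the Raccoon operators), the following Python script turns two traffic traits described in this article, a C2 reached by bare IP address that serves a batch of DLLs, followed by one POST per stolen item, into a detection heuristic run over a handful of constructed proxy log lines. The log format, the workstation names, the TEST-NET addresses, the DLL file names and the thresholds are all assumptions made for the illustration; in a real deployment the thresholds and the time window would be tuned to the environment, and the per-destination key would be widened if the configuration server and the C2 that serves the DLLs turn out to be different hosts.

```python
"""Heuristic for the Raccoon Stealer v2 traffic pattern described above:
a C2 reached by a hardcoded IP (no DNS name), a batch of legitimate DLLs
fetched from that host, then one POST per stolen item.

Added example, not Cyware's or the malware operators' code. The log format,
thresholds, host names, addresses and every log line below are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed proxy log format: "<ISO time> <source host> <method> <dest host> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<host>\S+) (?P<path>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_bare_ip(host):
    """True when the request went straight to an IP literal rather than a DNS
    name, which is what a hardcoded C2 address looks like on the wire."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def find_suspects(lines, min_dlls=3, min_posts=5, window=timedelta(minutes=10)):
    """Return one hit per (source, destination) pair where a bare-IP destination
    served at least `min_dlls` DLL files and then received at least `min_posts`
    POSTs within `window` of the first DLL download (the per-item exfiltration)."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_bare_ip(rec["host"]):
            by_pair[(rec["src"], rec["host"])].append(rec)

    hits = []
    for (src, host), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        dll_gets = [r for r in recs
                    if r["method"] == "GET" and r["path"].lower().endswith(".dll")]
        if len(dll_gets) < min_dlls:
            continue
        start = dll_gets[0]["ts"]
        posts = [r for r in recs
                 if r["method"] == "POST" and start <= r["ts"] <= start + window]
        if len(posts) >= min_posts:
            hits.append({"src": src, "host": host,
                         "dll_count": len(dll_gets), "post_count": len(posts)})
    return hits


# Constructed sample log (TEST-NET addresses, made-up hosts and file names):
# ws-17 shows the full pattern, ws-22 talks to a DNS name, ws-31 fetches a
# single DLL; only ws-17 should be flagged.
SAMPLE_LOG = """\
2022-07-01T10:00:00 ws-17 GET 203.0.113.10 /
2022-07-01T10:00:01 ws-17 GET 203.0.113.10 /sqlite3.dll
2022-07-01T10:00:02 ws-17 GET 203.0.113.10 /nss3.dll
2022-07-01T10:00:02 ws-17 GET 203.0.113.10 /msvcp140.dll
2022-07-01T10:00:05 ws-17 POST 203.0.113.10 /
2022-07-01T10:00:06 ws-17 POST 203.0.113.10 /
2022-07-01T10:00:07 ws-17 POST 203.0.113.10 /
2022-07-01T10:00:09 ws-17 POST 203.0.113.10 /
2022-07-01T10:00:11 ws-17 POST 203.0.113.10 /
2022-07-01T10:00:12 ws-17 POST 203.0.113.10 /
2022-07-01T10:01:00 ws-22 GET cdn.example.com /vcruntime140.dll
2022-07-01T10:01:02 ws-22 POST cdn.example.com /upload
2022-07-01T10:02:00 ws-31 GET 198.51.100.7 /a.dll
2022-07-01T10:02:01 ws-31 POST 198.51.100.7 /
""".splitlines()


if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['host']}: {hit['dll_count']} DLLs fetched, "
              f"{hit['post_count']} POSTs within the window")
```

Keying on a bare IP destination is what makes this cheap: legitimate software updaters almost always go through a DNS name, so a workstation pulling several DLLs from an IP literal and then posting to it repeatedly is worth a look even without any signature for the sample itself.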

Ending notes

The Raccoon Stealer operation shut down in March after one of its lead developers was killed during Russia's invasion of Ukraine. Now it seems that the remaining team has returned with a second version and is attempting to relaunch the malware-as-a-service (MaaS) project on upgraded infrastructure with more capabilities.
Cyware Publisher