Recently, Bitdefender researchers reported that the RIG exploit kit had replaced Raccoon Stealer with the Dridex trojan as part of a campaign that has been active since January. The switch in modus operandi came in the wake of Raccoon Stealer temporarily closing its operation in February.

However, a new report suggests that Raccoon Stealer is showing signs of life and is likely to make a strong comeback in the information-stealer market.

Background

  • Sold previously under the Malware-as-a-Service (MaaS) model on underground forums since early 2019, Raccoon Stealer’s operations suddenly came to a halt on March 25, 2022.
  • The operations were suspended due to the loss of a developer in the Russia-Ukraine war.
  • At that time, the malware’s profile on several forums stated that it was temporarily unavailable and being upgraded.

What’s the latest update?

  • On June 10, analysts from SEKOIA.IO discovered new activities on servers hosting the malware.
  • While searching for the stealer’s administration panels on the Shodan search engine, they found several active servers with a web page named Raccoon Stealer 2.0.
  • It is believed that the new version has been for sale on Telegram since May 17.
  • Upon further analysis, researchers uncovered a new malware family, named RecordBreaker, which shares similarities with Raccoon Stealer v2. The malware was being distributed in the wild.

Capabilities of Raccoon Stealer v2

  • Raccoon Stealer v2 is written in C/C++ using the Windows API. The malware downloads legitimate third-party DLLs from its C2 servers.
  • The new version borrows many of its capabilities from the original version. These include collecting browser data and system information, capturing screenshots, grabbing files from disks and memory sticks, and harvesting cryptocurrency wallet data, among others.

Summing up

The re-emergence of notorious malware, such as Raccoon Stealer, is not a new phenomenon in the threat landscape. Despite suffering disruptions, several malware families such as Conti and REvil have previously made a strong comeback and continue to wreak havoc across the globe. Therefore, organizations should familiarize themselves with the tactics and techniques used by this information stealer in order to prevent attacks.

Cyware Publisher