Raccoon Stealer has received an upgrade from its developers, and now it can steal cryptocurrency, a new report from Sophos says.
Raccoon Stealer (also known as Legion, Mohazo, and Racealer) is a trojan-type application that stealthily collects personal information. It is part of a so-called stealer-as-a-service scheme, in which any aspiring cyber criminal can purchase a subscription and generate revenue from stolen data. Now its subscribers can steal funds as well.
The Sophos team tracked a new campaign that used droppers that were disguised as cracked software. The stealer was bundled with various types of malware, such as cryptocurrency miners and the Djvu/Stop consumer ransomware strain. It is also being used to carry out attacks targeting YouTube users with click-fraud bots.
The rogue program steals account credentials, cookies, website “autofill” text, and other sensitive information, including financial information.
After the upgrade, Raccoon Stealer got a “clipper” for hijacking cryptocurrency-based transactions. Attackers also used the QuilClipper tool for extracting the victim’s credentials, wallets, and Steam-based transaction data, researchers said.
“QuilClipper steals cryptocurrency and Steam transactions by continuously monitoring the system clipboard of Windows devices it infects, watching for cryptocurrency wallet addresses and Steam trade offers by running clipboard contents through a matrix of regular expressions to identify them,” the researchers noted.
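The clipboard-swap behaviour described above can be turned around for detection: the same address regexes a clipper relies on can flag a copied wallet address that is silently replaced by a different address of the same type moments later. The following is an added example written for this article, not code from Sophos or from the malware; the regexes, the two-second window, and the clipboard snapshots are assumptions and constructed sample data (the two Bitcoin strings are well-known public example addresses used only as sample text).

```python
import re

# Patterns for common wallet address formats (assumed; a real monitor would extend these).
# A clipper matches clipboard text against patterns like these; here they drive a detector.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}


def classify(text):
    """Return the address type matched by the clipboard text, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect_swaps(snapshots, max_gap=2.0):
    """snapshots: list of (timestamp_seconds, clipboard_text), in time order.

    Flags an address replaced by a *different* address of the same type within
    max_gap seconds. A user re-copying an address takes longer; a clipper reacts
    to the clipboard change almost immediately.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        kind = classify(before)
        if (kind and classify(after) == kind
                and before.strip() != after.strip() and (t1 - t0) <= max_gap):
            alerts.append({"time": t1, "kind": kind,
                           "original": before.strip(), "replacement": after.strip()})
    return alerts


# Constructed clipboard history: a copied BTC address is swapped 0.3 s later,
# while a later ETH address changed by the user 10 s apart must not alert.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (1.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    (1.3, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    (10.0, "0x" + "a1" * 20),
    (20.0, "0x" + "b2" * 20),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print("possible clipper activity:", alert)
```

A live monitor would poll the OS clipboard and feed each observed value into `detect_swaps`; the polling code is deliberately left out so the logic runs offline on the constructed history.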
The stealer uses a Tor-based command-and-control server for data exfiltration. Each Raccoon executable is signed with a specific signature unique to each client.
“If a sample of their malware shows up on VirusTotal or other malware sites, they can trace it back to the customer who may have leaked it,” Sophos says.
Raccoon has been spotted in various underground forums in Russia and, for the last few years, in English-language forums. It is usually sold for a low price.
The researchers said that, using Raccoon, the thieves were able to steal over $13,200 in cryptocurrency from their victims, while its developer earned around $1200 in subscription fees.
“It’s these kinds of economics that make this type of cybercrime so attractive — and pernicious,” Sophos says. “Multiplied over tens or hundreds of individual Raccoon actors, it generates a livelihood for Raccoon’s developers and a host of other supporting malicious service providers that allows them to continue to improve and expand their criminal offerings.”