Racoon Stealer as a Service

Raccoon Stealer has been upgraded by its developer in order to steal cryptocurrency alongside financial information. Stealer-as-a-service, a bolt-on for threat actors to use as an additional tool for data theft and revenue. Normally spread not through spam emails the usual initial attack vector linked to Raccoon Stealer but, instead, droppers disguised as installers for cracked and pirated software.

The stealer is being bundled with malware including malicious browser extensions, cryptocurrency miners, the Djvu/Stop consumer ransomware strain, and click-fraud bots targeting YouTube sessions. Monitor for and collect account credentials, cookies, website “autofill” text, and financial information that may be stored on an infected machine.

The upgraded stealer also has a “clipper” for cryptocurrency-based theft targeted by QuilClipper stealer and Steam transactions

The stealer operates through a Tor-based C2 server to handle data exfiltration and victim management. Each Raccoon executable is tied with a signature specific to each client.

Raccoon is offered as a stealer-for-hire, with the developers behind the malware offering their creation to other cybercriminals for a fee. In return, the malware is frequently updated found in Russian underground forums and developer earned roughly $1200 in subscription fees, together with a cut of their user’s proceeds.