Raccoon stealer-as-a-service now targets cryptocurrency wallets

Malware authors behind Raccoon Stealer have updated their malware to include a capability allowing it to steal cryptocurrency along with financial information.

Raccoon Stealer is a widely used information-stealing malware that its developers run as a service for other criminals. Controlled from a Tor-based command-and-control “panel”, the Raccoon infostealer is advertised predominantly on Russian-speaking hacker forums, but has also been spotted on English-language forums for as little as $75 for a seven-day subscription.

Previously, the malware was spread mainly through spam emails; however, in a recent campaign observed by Sophos researchers, Raccoon has been delivered via cracked software.

The majority of samples spotted by Sophos were distributed via a single dropper campaign built on malicious websites, with the attackers behind the malware using search engine optimization so that people searching for a particular software package would be more likely to land on the malicious sites.

An analysis revealed that the stealer is being bundled with other malware, including malicious browser extensions, cryptocurrency miners, the Djvu/Stop ransomware strain, and click-fraud bots targeting YouTube sessions.

Raccoon can collect passwords, cookies, and the “autofill” text that browsers store for websites, including credit card data and other personally identifiable information. More recently, it has been updated to include a clipboard-hijacking “clipper” component called QuilClipper, which lets it steal cryptocurrency by targeting the wallet addresses that victims copy and paste.

“QuilClipper steals cryptocurrency and Steam transactions by continuously monitoring the system clipboard of Windows devices it infects, watching for cryptocurrency wallet addresses and Steam trade offers by running clipboard contents through a matrix of regular expressions to identify them,” the researchers said.
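To make the mechanism concrete, the following Python is an added illustration, not code from the article, from Sophos, or from QuilClipper itself. It models the regular-expression "matrix" a clipper runs the clipboard through, the attacker-side rewrite (the standard clipper technique: the victim copies a destination address, the malware silently replaces it, the victim pastes the attacker's value), and the defender-side check that catches such a swap. Every pattern, wallet address and Steam trade-offer URL below is a constructed assumption; no address checksums are validated.

```python
"""Clipboard "clipper" logic and a defender-side swap check (illustrative)."""
import re

# The clipper's matrix of regular expressions: one per asset it hunts for.
# Simplified syntactic patterns (assumption); they do not validate checksums.
PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "steam_trade": re.compile(
        r"https?://steamcommunity\.com/tradeoffer/new/\?partner=\d+&token=[A-Za-z0-9_-]+"
    ),
}

# Attacker-controlled replacements, one per pattern (constructed, fake values).
ATTACKER_TARGETS = {
    "btc_legacy": "1Attacker11111111111111111111",
    "btc_bech32": "bc1qattacker" + "0" * 30,
    "eth": "0x" + "bad0" * 10,
    "steam_trade": "https://steamcommunity.com/tradeoffer/new/?partner=999999&token=attacker",
}

# Constructed victim data: what the user legitimately copied.
VICTIM_BTC = "1VictimAddr" + "1" * 20
VICTIM_ETH = "0x" + "a1" * 20
VICTIM_STEAM = "https://steamcommunity.com/tradeoffer/new/?partner=123456&token=AbCdEfGh"
SAMPLE_CLIPBOARD = f"send 0.01 BTC to {VICTIM_BTC} and ETH to {VICTIM_ETH}"


def classify(text):
    """Return (kind, matched_string) for every fragment the matrix hits."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((kind, m.group(0)))
    return hits


def clipper_swap(clipboard_text, targets=ATTACKER_TARGETS):
    """Attacker side: rewrite every recognised address/URL to the attacker's own.

    A real clipper polls the Windows clipboard and writes the result back; here
    the clipboard is just the string passed in and the rewritten string returned.
    """
    out = clipboard_text
    for kind, rx in PATTERNS.items():
        out = rx.sub(targets[kind], out)
    return out


def _by_kind(text):
    """Group matches as kind -> set(values) so comparisons ignore ordering."""
    grouped = {}
    for kind, value in classify(text):
        grouped.setdefault(kind, set()).add(value)
    return grouped


def detect_swap(copied_text, clipboard_now):
    """Defender side: compare the clipboard as captured at the user's copy
    action with its content when read back before the paste.

    A legitimate copy never changes an address in place; if the same kind of
    asset is present in both snapshots but the value differs, something rewrote
    the clipboard behind the user's back. Returns a list of
    (kind, values_before, values_after) alerts, empty when nothing was swapped.
    """
    alerts = []
    before, after = _by_kind(copied_text), _by_kind(clipboard_now)
    for kind in before:
        if kind in after and before[kind] != after[kind]:
            alerts.append((kind, sorted(before[kind]), sorted(after[kind])))
    return alerts


def simulate(victim_clipboard=SAMPLE_CLIPBOARD):
    """Run the victim's clipboard through the clipper, then through the check."""
    swapped = clipper_swap(victim_clipboard)
    return {
        "original": victim_clipboard,
        "swapped": swapped,
        "alerts": detect_swap(victim_clipboard, swapped),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The defender check only works if the "copied" snapshot is taken at the moment of the user's own copy action (for instance from a keyboard hook on Ctrl+C) and compared against a fresh clipboard read just before the paste; polling alone cannot tell a silent rewrite from a new user copy. The looser the patterns, the more false positives the check produces on ordinary text, which is why a real implementation would add checksum validation on top of the syntactic match.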

Sophos said that over a six-month period the malware was used to steal over $13,000 in cryptocurrency from its victims, with the bundled cryptocurrency miners bringing in a further $2,900.

“It’s these kinds of economics that make this type of cybercrime so attractive—and pernicious. Multiplied over tens or hundreds of individual Raccoon actors, it generates a livelihood for Raccoon’s developers and a host of other supporting malicious service providers that allows them to continue to improve and expand their criminal offerings. And those offerings largely hit consumers—especially, as in this case, when they make use of searches for free versions of commercial software,” the researchers noted.
