Attackers behind the RIG Exploit Kit are now using it to deliver the Dridex banking trojan instead of Raccoon Stealer, which the kit had delivered before.
Bitdefender Cyber Threat Intelligence Lab first spotted this trend in January 2022. According to the researchers, the switch was prompted by a temporary halt in Raccoon Stealer's activity in February, after one of its developers was killed in the Russian invasion of Ukraine.
First observed in April 2019, Raccoon Stealer is written in C++. It targets a critical vulnerability in Internet Explorer (CVE-2021-26411) that leads to remote code execution. The malware is able to steal credit card data, email credentials, cryptocurrency wallets, and other sensitive information. The info stealer is sold as malware-as-a-service (MaaS) for $200 per month, and its operators provide subscribers with an automated backend panel, bulletproof hosting, and 24/7 support.
Although Raccoon Stealer is no longer operational, the operators of this RIG Exploit Kit campaign chose not to halt their operation and quickly replaced it with the Dridex banking trojan.
The Dridex malware first appeared in 2012 and by 2015 had become one of the most prevalent banking trojans. It is built from multiple modules, which are capable of capturing screenshots, acting as a virtual machine, or enrolling the victim machine into a botnet. Dridex can also steal data from browsers, detect access to online banking applications and websites, and inject keyloggers.