In the deepest layers of the web one can find anything that has to do with malware. That market is constantly changing, and malware that a few years ago was expensive is available today for a modest price relative to what it offers and its rich set of features. Raccoon belongs to this category: a malware family that first appeared almost a year ago and quickly gained popularity thanks to its generous feature set and, subsequently, its low price.
It is also known as Legion, Mohazo or Racealer. Raccoon was initially promoted only on Russian-speaking Dark Web forums, but it soon made its entrance into the English-speaking scene. It first appeared in April 2019 and was distributed under a MaaS model (malware-as-a-service, i.e. malware for rent) for $75 per week or $200 per month.
For that money, attackers gain access to a Raccoon control panel that lets them customize the malware to their liking, access the stolen data and download new builds.
This model is widely adopted today because it opens the door to a larger number of customers who want to try their luck as cybercriminals; many of them lack the technical knowledge to build such a tool themselves, yet with a rented one they can still run an operation and quickly recoup the cost.
An analysis by CyberArk found that it is written in C++ and is far from a complex tool. Nevertheless, it can steal sensitive and confidential information from nearly 60 applications (browsers, cryptocurrency wallets, email and FTP clients).
All the popular browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, Internet Explorer, Opera, Vivaldi, Waterfox, SeaMonkey, UC Browser) are on its target list; from them it steals cookies, browsing history and autofill data.
Cryptocurrency applications such as Electrum, Ethereum, Exodus, Jaxx and Monero are also in its sights: it searches for wallet files in their default locations. Raccoon can, however, also scan the whole system to grab wallet.dat files regardless of where they are stored.
In the email category, Raccoon looks for data in at least Thunderbird, Outlook and Foxmail. In a report published today, CyberArk researchers describe the procedure this infostealer follows: it locates and copies files containing sensitive information, applies decryption routines to them, and writes the recovered information to a text file. Once all of its theft modules have run, it gathers the files it wrote in the temp folder into a zip archive named Log.zip and sends Log.zip to a C&C server.
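The staging sequence just described (many files written to the temp folder by one process, then a Log.zip in the same folder, then an outbound connection from that process) is a behaviour a defender can hunt for. The script below is an added detection example; it is not code from CyberArk or from the Raccoon operators. It assumes Sysmon-style telemetry exported as JSON lines (EventID 11 for file creation, EventID 3 for network connections) with the field names `time`, `id`, `pid`, `image`, `target`, `dest_ip` and `dest_port`; those names and the sample events are constructed for illustration.

```python
"""Hunt for a stealer staging sequence in Sysmon-style JSON-lines telemetry.

Added example (not the malware's or CyberArk's code). Field names and the
sample events below are constructed assumptions, not captured telemetry.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths under a user's temp folder (assumed Windows layout).
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Archive name reported for Raccoon; operators can change it, so the
# detection keys on the whole sequence rather than on this name alone.
ARCHIVE_NAME = "log.zip"

# Constructed sample events. 4120 shows the full sequence; 2200 is a benign
# process; 3300 builds a Log.zip but never connects out.
SAMPLE_EVENTS = [
    r'{"time": "2020-03-10T10:00:01", "id": 11, "pid": 4120, "image": "C:\\Users\\bob\\AppData\\Roaming\\updater.exe", "target": "C:\\Users\\bob\\AppData\\Local\\Temp\\passwords.txt"}',
    r'{"time": "2020-03-10T10:00:02", "id": 11, "pid": 4120, "image": "C:\\Users\\bob\\AppData\\Roaming\\updater.exe", "target": "C:\\Users\\bob\\AppData\\Local\\Temp\\cookies.txt"}',
    r'{"time": "2020-03-10T10:00:02", "id": 11, "pid": 4120, "image": "C:\\Users\\bob\\AppData\\Roaming\\updater.exe", "target": "C:\\Users\\bob\\AppData\\Local\\Temp\\System Info.txt"}',
    r'{"time": "2020-03-10T10:00:03", "id": 11, "pid": 4120, "image": "C:\\Users\\bob\\AppData\\Roaming\\updater.exe", "target": "C:\\Users\\bob\\AppData\\Local\\Temp\\wallet.dat"}',
    r'{"time": "2020-03-10T10:00:05", "id": 11, "pid": 4120, "image": "C:\\Users\\bob\\AppData\\Roaming\\updater.exe", "target": "C:\\Users\\bob\\AppData\\Local\\Temp\\Log.zip"}',
    r'{"time": "2020-03-10T10:00:06", "id": 3, "pid": 4120, "image": "C:\\Users\\bob\\AppData\\Roaming\\updater.exe", "dest_ip": "203.0.113.10", "dest_port": 80}',
    r'{"time": "2020-03-10T10:01:00", "id": 11, "pid": 2200, "image": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\bob\\AppData\\Local\\Temp\\~tmp1.tmp"}',
    r'{"time": "2020-03-10T10:01:01", "id": 3, "pid": 2200, "image": "C:\\Windows\\explorer.exe", "dest_ip": "198.51.100.7", "dest_port": 443}',
    r'{"time": "2020-03-10T10:02:00", "id": 11, "pid": 3300, "image": "C:\\Program Files\\7-Zip\\7zFM.exe", "target": "C:\\Users\\bob\\AppData\\Local\\Temp\\a.txt"}',
    r'{"time": "2020-03-10T10:02:01", "id": 11, "pid": 3300, "image": "C:\\Program Files\\7-Zip\\7zFM.exe", "target": "C:\\Users\\bob\\AppData\\Local\\Temp\\b.txt"}',
    r'{"time": "2020-03-10T10:02:02", "id": 11, "pid": 3300, "image": "C:\\Program Files\\7-Zip\\7zFM.exe", "target": "C:\\Users\\bob\\AppData\\Local\\Temp\\c.txt"}',
    r'{"time": "2020-03-10T10:02:10", "id": 11, "pid": 3300, "image": "C:\\Program Files\\7-Zip\\7zFM.exe", "target": "C:\\Users\\bob\\AppData\\Local\\Temp\\Log.zip"}',
]


def parse_events(lines):
    """Parse JSON-lines telemetry, converting timestamps to datetime."""
    for line in lines:
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        yield ev


def find_exfil_sequences(events, window=timedelta(minutes=5), min_files=3):
    """Return one alert per process that shows the full stealer sequence:
    at least `min_files` files written to Temp, then a Log.zip in Temp within
    `window` of them, then an outbound connection within `window` after it."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["time"])
        temp_writes, archives, connections = [], [], []
        for ev in evs:
            if ev["id"] == 11 and TEMP_RE.search(ev["target"]):
                if ev["target"].lower().endswith("\\" + ARCHIVE_NAME):
                    archives.append(ev)
                else:
                    temp_writes.append(ev)
            elif ev["id"] == 3:
                connections.append(ev)
        for zip_ev in archives:
            t = zip_ev["time"]
            staged = [w for w in temp_writes if t - window <= w["time"] <= t]
            exfil = [c for c in connections if t <= c["time"] <= t + window]
            if len(staged) >= min_files and exfil:
                alerts.append({
                    "pid": pid,
                    "image": zip_ev["image"],
                    "staged_files": [w["target"] for w in staged],
                    "archive": zip_ev["target"],
                    "destination": f'{exfil[0]["dest_ip"]}:{exfil[0]["dest_port"]}',
                })
                break  # one alert per process is enough
    return alerts


def run_detection(lines=SAMPLE_EVENTS):
    """Run the detector over JSON lines and return the alerts."""
    return find_exfil_sequences(parse_events(lines))


if __name__ == "__main__":
    for alert in run_detection():
        print(json.dumps(alert, indent=2))
```

Only the process that performs all three steps in order is flagged; a legitimate archiver that builds a Log.zip but never connects out, or a process that writes a single temp file before a connection, is not. In a real deployment the `Log.zip` string is the weakest part of the rule, since a rebuilt sample can rename it; the stronger signal is the burst of temp writes by one non-archiver process immediately followed by an outbound connection.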
Additional capabilities include collection of system details (operating system version and architecture, language, hardware information, list of installed applications).
Attackers can also adjust the Raccoon configuration file to capture screenshots of infected systems. In addition, the malware can act as a dropper for other malicious files, effectively turning it into a first-stage attack tool.
Like all malicious programs that become very popular, Raccoon is actively maintained, with fixes for various issues and new features and capabilities.
Analyzing a sample, the researchers noticed that newer versions extend the list of targeted applications, adding FileZilla and UC Browser. In addition, an option was added to encrypt the malware directly from the admin panel and to download it as a DLL.
Raccoon uses no special techniques to extract information from the targeted programs, yet it is one of the most popular infostealers on cybercrime forums. Recorded Future noted in a report in July 2019 that it was the best-selling malware in the underground economy.
Three months later, Cybereason researchers reported that the malware had received positive reviews from the community, with many cybercriminals praising and applauding it, although the bigger names among them criticized its simplicity and the lack of features found in other tools of the same type.
Nevertheless, despite its simplicity, Raccoon has spread to hundreds of thousands of computers worldwide. This shows that technical features are not necessarily what make attackers choose a malicious tool; what matters is a good balance between price, accessibility and capabilities.