Raccoon Malware: Steals your data from almost 60 applications

Malicious software called Raccoon, which is relatively new to the dark web forums, can extract sensitive data from around 60 applications.

In the deepest layers of the web one can find anything that has to do with malware. The market there is constantly changing, and tools that were expensive a few years ago are today available for a modest price relative to what they offer and the very rich set of features they have. Raccoon also falls into this category: malware that first appeared almost a year ago and quickly gained popularity thanks to its generous feature set and low price.

It is also known as Legion, Mohazo or Racealer. The Raccoon malware was initially only available on Russian-language dark web forums, but soon made its way into the English-speaking world. It first appeared in April 2019 and was distributed under a MaaS model (malware-as-a-service, i.e. malware for rent) for $75 per week or $200 per month.

In return for this fee, attackers gain access to a Raccoon control panel that allows them to customize the malware to their liking, access the stolen data, and download malware builds.

This model is widely adopted today because it opens the door to a larger number of customers who want to try their luck as cybercriminals, many of whom lack the technical knowledge to build such tools themselves but can enter the business this way.

An analysis by CyberArk found that it is written in C++ and is far from being a sophisticated tool. Nevertheless, it can steal sensitive and confidential information from almost 60 applications (browsers, cryptocurrency wallets, email and FTP clients).

All popular browsers (Google Chrome, Microsoft Edge, Opera, Vivaldi, Waterfox, SeaMonkey, UC Browser) are on its target list; from them it steals cookies, history and autofill information.

Cryptocurrency applications such as Electrum, Ethereum, Exodus and Jaxx are also targeted; the malware looks for their wallet files in their default locations. Raccoon can also scan the system to grab wallet.dat files regardless of where they are stored.

In the email category, Raccoon searches for data in at least Thunderbird, Outlook and Foxmail. In a report published today, CyberArk researchers describe the procedure this infostealer follows to steal data: it locates and copies the files containing the sensitive information, applies decryption routines to them, and then writes the recovered information to a text file. Once it has run through all of its theft capabilities, it gathers all the files it wrote to the temp folder into a zip archive named Log.zip. It then sends Log.zip to a C&C server.
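The collect-then-exfiltrate chain just described (read wallet or browser files, stage plaintext in the temp folder, bundle it into Log.zip, connect out to the C&C) is the kind of sequence an endpoint detection rule can correlate per process. The following Python is an added example, not code from the article, CyberArk or any vendor; the event schema, file paths and addresses are constructed for illustration and are not real Sysmon field names or real indicators.

```python
import re
from collections import defaultdict

# Constructed event stream in a simplified, hypothetical Sysmon-like schema:
# each event has a pid, a type, and either a file path or a network destination.
EVENTS = [
    {"pid": 4242, "type": "FileRead",       "path": r"C:\Users\a\AppData\Roaming\Electrum\wallets\default_wallet"},
    {"pid": 4242, "type": "FileRead",       "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"pid": 4242, "type": "FileCreate",     "path": r"C:\Users\a\AppData\Local\Temp\cookies.txt"},
    {"pid": 4242, "type": "FileCreate",     "path": r"C:\Users\a\AppData\Local\Temp\Log.zip"},
    {"pid": 4242, "type": "NetworkConnect", "dest": "203.0.113.10:80"},      # TEST-NET address
    {"pid": 777,  "type": "FileCreate",     "path": r"C:\Users\a\Documents\Log.zip"},  # benign backup job
    {"pid": 777,  "type": "NetworkConnect", "dest": "198.51.100.5:443"},
]

# File patterns named in the article: wallet.dat / wallet directories and browser data stores.
SENSITIVE = re.compile(r"(wallet\.dat|\\wallets\\|\\Cookies$|\\History$|\\Web Data$)", re.I)
TEMP_DIR = re.compile(r"\\(Temp|tmp)\\", re.I)
ARCHIVE = re.compile(r"\\Log\.zip$", re.I)

# Stages of the chain, in the order the article describes them.
STAGES = ("read_sensitive", "write_temp", "create_log_zip", "network")

def classify(ev):
    """Map one event to a stage of the chain, or None if it is irrelevant."""
    t, path = ev["type"], ev.get("path", "")
    if t == "FileRead" and SENSITIVE.search(path):
        return "read_sensitive"
    if t == "FileCreate" and ARCHIVE.search(path):
        return "create_log_zip"      # checked before the generic temp write
    if t == "FileCreate" and TEMP_DIR.search(path):
        return "write_temp"
    if t == "NetworkConnect":
        return "network"
    return None

def detect(events, min_stages=3):
    """Return {pid: [stages]} for processes that advance through at least
    min_stages stages in order. Order matters: a network connection seen
    before any collection does not count toward the chain."""
    progress = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage is None:
            continue
        seen = progress[ev["pid"]]
        if not seen or STAGES.index(stage) > STAGES.index(seen[-1]):
            seen.append(stage)
    return {pid: s for pid, s in progress.items() if len(s) >= min_stages}

if __name__ == "__main__":
    print(detect(EVENTS))
```

Only pid 4242 completes the chain; the benign process that merely creates a file called Log.zip and then talks to the network stays below the threshold.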

Additional capabilities include the collection of system details (operating system version and architecture, language, hardware information, list of installed applications).

Attackers can also customize the Raccoon configuration file so that it captures screenshots of infected systems. In addition, the malware can act as a dropper for other malicious files, effectively turning it into a stage-one attack tool.

Like all popular malware, Raccoon is actively maintained, with fixes for various issues and new features and capabilities.

Analyzing a sample, the researchers noticed that its operators have released new versions that extend support for targeted applications, adding FileZilla and UC Browser. In addition, the option to encrypt the malware directly from the admin panel and download it in DLL format has been added.

Raccoon does not use special techniques to extract information from the targeted programs, yet it is one of the most popular infostealers on cybercrime forums. Recorded Future noted in a July 2019 report that it was the best-selling malware in the underground economy.

Three months later, Cybereason researchers reported that the malware enjoyed positive reviews from the community, with many cybercriminals praising it, although the biggest names among them criticized it for its simplicity and lack of features compared with tools of the same type.

However, despite its simplicity, Raccoon has spread to hundreds of thousands of computers around the world. This means that technical features are not necessarily what make attackers choose a malicious tool; what matters is a good balance between price, accessibility and capabilities.

iGuRu.gr

Written by Dimitris
