Raccoon Stealer

Raccoon Stealer: Fast-Spreading Infostealer-as-a-Service with Credential and Wallet Theft

Raccoon Stealer is a Windows-based information stealer that harvests credentials, browser data, crypto wallets, and system information. First appearing in 2019, it quickly became popular in cybercriminal circles due to its ease of use, rental-based model, and consistent updates. Raccoon is typically deployed through phishing emails, malicious websites, and loaders like Smoke Loader and Amadey, and is used in large-scale data harvesting campaigns.

Introduction to Raccoon Stealer

Raccoon is a key player in the malware-as-a-service (MaaS) ecosystem, giving attackers access to a control panel where they can manage infections, view stolen data, and update configurations. It targets data stored in web browsers, email clients, cryptocurrency wallets, and common applications, packaging it and sending it to a command-and-control (C2) server. Despite temporary shutdowns, Raccoon has returned in new versions, remaining a widely used tool in info-theft operations.

---

1. How Raccoon Stealer Works

Infection Mechanism:
Raccoon Stealer is spread through:

• Phishing emails with malicious links or attachments
• Malvertising and fake software installers
• Dropped by other malware like Amadey, Smoke Loader, or exploit kits (e.g., Fallout EK)

Payload Execution:
Once active, Raccoon:

• Collects system information (OS version, IP address, hardware ID)
• Steals saved credentials, cookies, and autofill data from Chrome, Edge, Firefox, and others
• Targets cryptocurrency wallets and browser extensions
• Gathers data from applications like Outlook, Thunderbird, and VPN tools
• Sends the harvested data to the attacker’s C2 panel in compressed form

---

2. History and Notable Campaigns

Origin and Discovery:
Raccoon was first observed in early 2019, quickly gaining attention for its user-friendly backend and low price (approx. $75/week or $200/month). Its development is believed to be linked to Russian-speaking threat actors.

Notable Campaigns:

• Widely used in mass phishing and malvertising campaigns
• In 2022, U.S. law enforcement disrupted Raccoon Stealer infrastructure, but a rebuilt version 2.0 emerged soon after
• Frequently used in conjunction with RedLine Stealer and LummaC2 for layered attacks

---

3. Targets and Impact

Targeted Victims and Sectors:

• Home users, small businesses, and corporate employees
• Systems with weak browser security or no 2FA enabled
• Victims worldwide — no specific region or industry focus

Consequences:

• Account takeover, identity theft, and fraud
• Cryptocurrency theft from hot wallets
• Compromise of work accounts, SaaS platforms, and email systems
• Sold logs used in credential stuffing and follow-up attacks

---

4. Technical Details

Payload Capabilities:

• Collects:
  • Stored passwords and session cookies
  • Autofill data and browser history
  • Cryptocurrency wallet files
  • VPN, email client, and FTP credentials
• Compresses and exfiltrates data to attacker-controlled servers
• Uses uncommon file extensions or naming to evade detection
• In some builds, includes loader functionality to install additional malware

Evasion Techniques:

• Uses packers and crypters to avoid signature-based AV
• Frequently updated to alter behavior and evade sandboxing
• Typically file-based with no kernel-level persistence, making it fast and disposable
• May delete itself after exfiltration to avoid analysis

---

5. Preventing Raccoon Stealer Infections

Best Practices:

• Avoid downloading from unknown links or fake installers
• Don’t store sensitive credentials in browsers — use a dedicated password manager
• Keep browsers, extensions, and antivirus up to date
• Use two-factor authentication (2FA) for all key accounts
• Block known C2 domains using firewall or DNS filtering

Recommended Security Tools:

• Antivirus with behavioral detection and real-time protection
• Email gateways that detect phishing and spoofed attachments
• Endpoint detection and response (EDR) tools with forensic logging
• Browser security tools that monitor for credential access

---

6. Detecting and Removing Raccoon Stealer

Indicators of Compromise (IoCs):

• Suspicious executables in %AppData% or %Temp% folders
• Unexpected outbound connections to encrypted or suspicious URLs
• Missing browser credentials or unusual account activity
• Registry keys or startup tasks linked to random-named executables

Removal Steps:

1. Scan the system with an updated antivirus or EDR solution
2. Remove malicious files and disable persistence entries
3. Reset all credentials and enable MFA on all accounts
4. Notify affected platforms or users of any data breach
5. Monitor logs for signs of secondary infections

Professional Help:
If browser sessions, corporate accounts, or financial platforms were compromised, consider digital forensics or identity protection services.

---

7. Response to a Raccoon Stealer Infection

Immediate Steps:

• Disconnect the device from the network
• Begin incident response to identify scope and lateral movement
• Change all stored passwords from a clean machine
• Notify service providers of any compromised credentials
• Investigate for related malware or follow-up payloads

---

8. Legal and Ethical Implications

Legal Considerations:
Stolen data may include personal or corporate credentials subject to data protection laws like GDPR or CCPA. Organizations may be required to report breaches depending on the type of data exfiltrated.

Ethical Considerations:
Raccoon Stealer plays a central role in data commodification, making it easier for criminals to profit from identity theft. Its ease of use and affordability lower the barrier for abuse, turning average users into viable targets.

---

9. Resources and References

• Malwarebytes Labs: Raccoon Infostealer operator extradited to the United States
• U.S. Department of Justice: Ukrainian National Pleads Guilty to “Raccoon Infostealer” Cybercrime
• Zscaler Blog: Raccoon Stealer v2: The Latest Generation of the Raccoon Family
• Sekoia.io Blog:
  • Raccoon Stealer v2 – Part 1: The return of the dead
  • Raccoon Stealer v2 – Part 2: In-depth analysis
• Acronis MSP Threats Security Team: Raccoon Stealer, A popular and dangerous threat
• MITRE ATT&CK Techniques:
  • S1148 (Malware: Raccoon Stealer)
  • T1555.003 (Credentials from Web Browsers)
  • T1204.002 (User Execution: Malicious File)
  • T1041 (Exfiltration Over C2)
  • T1059 (Command and Scripting Interpreter)

---

10. FAQs about Raccoon Stealer

Q: What is Raccoon Stealer?
A malware-as-a-service info-stealer that harvests passwords, cookies, and crypto wallets from Windows systems. It is also known as Mohazo or Racealer.

Q: How does it infect users?
Via phishing emails, malicious ads, or bundled with other malware like Amadey.

Q: What data does it target?
Browser-stored credentials, autofill data, crypto wallets, and app credentials.

Q: Is it still active?
Yes. Despite takedown efforts, Raccoon re-emerged with version 2.0 and remains in use.

---

11. Conclusion

Raccoon Stealer is a fast, flexible infostealer that exemplifies the malware-as-a-service trend. It has helped thousands of attackers compromise systems with minimal skill and continues to evolve despite law enforcement efforts. Defending against it means using good security hygiene, disabling browser password storage, and deploying modern detection tools that catch threats before they steal sensitive data.

 

 

« Back to the Virus Information Library

« Back to the Security Center