Raccoon is an information stealer malware distributed as a service with a user-friendly dashboard and frequent updates, enabling attackers to steal data from infected machines. It collects browser passwords, Outlook data, system information, and more, archives it, and sends it to a C2 server, with distribution through Fallout exploit kits, phishing attachments, and social engineering. #Raccoon #Mohazo #Racealer #glad0ff #FalloutExploitKit #ANYRUN

Keypoints

  • Raccoon is a relatively simple information stealer malware offered as a service, enabling non-technical users to deploy it via a configurable dashboard.
  • Core theft capabilities include collecting OS version, IP, username, browser passwords, Outlook data, and cryptocurrency wallets.
  • Data is compiled into a ZIP archive and exfiltrated to the attackers’ server after collection.
  • The threat actor community behind Raccoon has a reputation for ongoing updates and support, contributing to its popularity.
  • Distribution relies on multiple channels: Fallout exploit kit (drive-by infection), macro-enabled Office documents in spam, social engineering to malicious URLs, and bundled software.
  • Indications point to a Russian-speaking origin, with language cues and regional checks, plus Russian/English language support.

MITRE Techniques

  • [T1189] Drive-by Compromise – Fallout exploit kit drives infection without user interaction; “The malware utilizes mainly the Fallout exploit kit. This delivery method makes it possible for the infection to occur even without active user interaction — victims get infected while simply surfing the web.”
  • [T1566.001] Phishing: Spearphishing Attachment – Phishing via Microsoft Office attachments with macros; “The contaminated document contains a macro that downloads the malware when enabled.”
  • [T1566.002] Phishing: Spearphishing Link – Social engineering to lure victims to a malicious URL; “social engineering to trick victims into opening a malicious URL and download the infected file.”
  • [T1105] Ingress Tool Transfer – Malware downloads additional DLL modules after initial access; “downloaded additional modules from the Internet.”
  • [T1113] Screen Capture – Basic data collection includes taking screenshots; “capture screenshots.”
  • [T1082] System Information Discovery – Collecting OS version, IP, and username; “collect basic information like OS version, IP and username.”
  • [T1555.003] Credentials from Web Browsers – Stealing passwords and logins from browsers; “steal passwords and logins from a variety of browsers.”
  • [T1114] Email Collection – Retrieving data from Microsoft Outlook; “retrieve information from Microsoft Outlook.”
  • [T1560.001] Archive Collected Data – Packing collected data into a ZIP archive; “data is packed into a .ZIP archive.”
  • [T1070.004] Indicator Removal on Host: File Deletion – Some versions delete themselves after execution; “some versions of the Raccoon malware delete themselves.”

Indicators of Compromise

  • [File] ZIP archive – collected data is packed into a ZIP file before exfiltration; data.zip (and related archives)
  • [File] IMG file – malware stored inside a Dropbox-hosted .IMG file; sample.img
  • [Geolocation] Russia, Ukraine, Belarus, Kazakhstan, Kyrgyzstan, Armenia, Tajikistan, Uzbekistan – the stealer checks the victim's country and may refuse to execute on machines located in these countries

Read more: https://any.run/malware-trends/raccoon?utm_source=hacker_news&utm_medium=article&utm_campaign=raccoon&utm_content=mtt