Sophos releases new report on Raccoon Stealer Campaign


Sophos has released a new report, “Trash Panda as a Service: Raccoon Stealer Steals Cookies, Cryptocoins and More,” explaining how Raccoon Stealer, delivered under the guise of pirated software, steals cryptocurrency and personal information while also dropping additional malicious payloads, such as cryptominers, on targeted devices.

“With much of daily and professional life now reliant on services delivered through a web browser, the operators behind information-stealing malware are increasingly targeting stored web credentials that provide access to a lot more than they could get by just stealing stored password hashes,” said Sean Gallagher, a senior threat researcher at Sophos.

“The campaign we’ve been tracking shows Raccoon Stealer grabbing passwords, cookies, and the ‘autofill’ text for websites, including credit card data and other personally identifying information that may be stored by a browser. Thanks to a recent ‘clipper’ update that changes the clipboard or destination information for a cryptocurrency transaction, Raccoon Stealer also now targets crypto-wallets, and it can retrieve or load files – such as additional malware – on infected systems. That’s a lot of stuff that cybercriminals can easily monetize for a service that is ‘rented out at $75 for a week’s use.”
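The clipper behaviour Gallagher describes above is easy to reason about in code. The following is an added example, not code from the Sophos report or from Raccoon Stealer: it shows, on one side, what a clipboard clipper does on each poll (swap any wallet-address-shaped string for an attacker-controlled address of the same kind) and, on the other, a simple detector that flags an address being replaced by a different address of the same kind within a short window. The address patterns, the wallet strings, the two-second window and the sampled clipboard history are all assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Loose address-shape patterns (assumption: shape only, no checksum validation).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed wallet strings for the demo (not real addresses).
VICTIM_BTC = "1VictimAddrExampXXXXXXXXXXXXXXXXXX"
ATTACKER_WALLETS = {
    "btc": "1AttackerAddrExampXXXXXXXXXXXXXXXX",
    "eth": "0x" + "ee" * 20,
}


def classify_address(text: str) -> Optional[str]:
    """Return 'btc', 'eth' or None depending on whether text looks like a wallet address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def clipper_rewrite(clipboard_text: str) -> str:
    """Attacker side: what a clipper does on every clipboard poll.

    Anything that looks like a wallet address is replaced with the attacker's
    address of the same kind, so a later paste sends funds to the attacker.
    """
    kind = classify_address(clipboard_text)
    return ATTACKER_WALLETS[kind] if kind else clipboard_text


def detect_swaps(snapshots: List[Tuple[float, str]],
                 window_s: float = 2.0) -> List[Tuple[float, str, str, str]]:
    """Defender side: scan sampled clipboard history for clipper-like swaps.

    snapshots is a time-ordered list of (seconds, clipboard_text). An alert is
    raised when one address is replaced by a different address of the same kind
    within window_s seconds, which is how a clipper behaves but not how a user
    normally copies and pastes. Returns (time, kind, before, after) tuples.
    """
    alerts = []
    prev_t, prev_kind, prev_text = None, None, None
    for t, raw in snapshots:
        text = raw.strip()
        kind = classify_address(text)
        if (kind is not None and kind == prev_kind and text != prev_text
                and t - prev_t <= window_s):
            alerts.append((t, kind, prev_text, text))
        prev_t, prev_kind, prev_text = t, kind, text
    return alerts


# Constructed clipboard history: a user copies a BTC address, a clipper swaps it
# 0.4 s later; much later the user copies two ETH addresses 20 s apart.
SAMPLE_HISTORY = [
    (0.0, "meeting notes"),
    (1.0, VICTIM_BTC),
    (1.4, VICTIM_BTC),
    (1.8, clipper_rewrite(VICTIM_BTC)),
    (10.0, "0x" + "ab" * 20),
    (30.0, "0x" + "cd" * 20),
]

if __name__ == "__main__":
    for t, kind, before, after in detect_swaps(SAMPLE_HISTORY):
        print(f"t={t}: {kind} address swapped {before} -> {after}")
```

The heuristic is deliberately simple: a user who copies two addresses of the same kind within the window will trigger it too, so a production monitor would correlate the clipboard write with the process that performed it rather than rely on timing alone.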

Raccoon Stealer is typically distributed by spam email. In the campaign investigated by Sophos, however, it was delivered by droppers disguised as cracked software installers. In these droppers, Raccoon Stealer is bundled with other attack tools, including malicious browser extensions, YouTube click-fraud bots, and Djvu/Stop, a ransomware family aimed primarily at home users.

According to Sophos researchers, the operators behind this Raccoon Stealer campaign used the Telegram chat app for command-and-control communications, the first time Sophos has observed the malware doing so.

“Information stealers fill an important niche in the cybercrime ecosystem. They offer a quick return on investment and represent an easy and cheap entry point for bigger attacks,” said Gallagher.

Gallagher added: “Cybercriminals often sell stolen identity credentials on ‘dark’ marketplaces, allowing other attackers, including ransomware operators or Initial Access Brokers, to take advantage of them for their criminal intentions – such as breaking into a corporate network through a workplace chat service. Or attackers can use credentials for further attacks targeting other users on the same platform. There is a constant demand for stolen user credentials, especially credentials providing access to legitimate services that attackers can use to easily host or spread more malware. Information stealers may look like lower-level threats, but they’re not.”

Sophos recommends that enterprises using online services for workplace chat and collaboration enforce multi-factor authentication (MFA) to protect employee accounts, and that they ensure every employee has up-to-date malware protection on every computer used to access remote work-related services.

Sophos says Intercept X protects users by detecting the actions and behaviours of malware like Raccoon Stealer, for example by monitoring abnormal activity in memory and defending against fileless malware.

For home users, Sophos recommends installing a security product such as Sophos Home on the devices they and their families use for online conversations and games, to protect against malware and other cyberthreats. Avoiding the download and installation of unlicensed software from any source is also recommended: always double-check that software is genuine before installing it.
