Racoon malware found stealing data from multiple apps

News by Rene Millman

Around 60 apps at risk of data slurp by criminals by malware dubbed Racoon which has been discovered to extract data from up to 60 applications.

An information stealer piece of malware has been discovered to extract data from up to 60 applications. Dubbed Racoon, the malware  is used to steal sensitive and confidential information including login credentials, credit card information, cryptocurrency wallets and browser information.

In a blog post, researchers at Cyberark said that while the malware was first discovered in April 2019, it has been developing ever since, gaining more features and lowering its cost to cyber-criminals, making it more popular.

Priced at US$ 200 (£155) per month, customers can adapt the malware to suit their needs through an admin panel. This means that the malware is open to those whose technical skills aren’t on a par with criminal developer skills.

Researchers said that the Raccoon stealer is written in C++ and delivered using exploit kits and phishing campaigns.

It targets  29 chromium-based browsers including Google Chrome and Opera that have the same folder structure and share a similar codebase, which leads to a similar way of handling sensitive data. 

The stealer also relies on the same methodology for Mozilla based applications. “Because these applications have the same method and folder structure, the stealing techniques for the applications are the same. The only difference is the names,” said researchers. 

When looking for cryptocurrency wallets, Racoon targets popular applications like Exodus, Jaxx and others. “Like most stealers, Raccoon is looking for those wallet files in the default application locations, but it also has a wallet scanning feature that allows it to grab any wallet.dat file,” added researchers.

Adam Palmer, technical director at Tenable, told SC Media UK that while this is a serious risk, it is also a well-known, commonly used, malware type.  

“Racoon has previously been used to exploit well known flaws to install on user machines. The reason for the malware’s popularity is not because it is advanced or complex.  It is used because it is inexpensive to purchase, simple to deploy, and relatively easy to customise. This allows a malware attacker to target the increasing number of applications on user devices,” he said.

"Organisations continue to embrace applications and other third party platforms to provide additional functionality for system users. This expanded attack surface must be secured with the same basic standards as traditional IT environments.  Minimum security standards include assessing user applications and actively patching known vulnerabilities targeted by malware."

Yuki Arbel, VP of product management at Hysolate, told SC Media UK that malware such as Raccoon can infiltrate your system in lots of different ways and take charge of your sensitive assets. 

“It is nearly impossible to protect a general-purpose OS against all attack vectors through which malware infections can occur. An effective solution would be to isolate the OS where your day-to-day activities take place and make your sensitive assets accessible only through a separate OS which is completely locked down and segregated. Even in the likely event of malware infection on your day-to-day OS, your sensitive assets would still be safe, as the OS they can be accessed from would be invisible to the attacker,” he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews