Security researchers at cloud security vendor Zscaler have published an analysis of a new variant of the Raccoon Stealer malware.
Writing in an advisory last Friday, Zscaler said the new version of the malware is written in C, unlike previous versions which were mainly written in C++.
Raccoon Stealer 2.0 features a new back-end and front-end, and code to steal credentials and other data more efficiently.
The new version also runs on both 32- and 64-bit systems without bundling extra dependencies: it fetches the eight legitimate DLLs it relies on directly from its C2 servers, which it now contacts directly rather than locating them through the Telegram Bot API as earlier versions did.
The C2 also supplies the malware's configuration, including the applications to target, the URL hosting the DLLs, and the tokens used for data exfiltration. The malware first sends the server a machine fingerprint; the server then waits for individual POST requests, each carrying a category of stolen data.
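The sequence described above (configuration from the C2, a batch of DLL downloads from the URL it supplies, then a series of POSTs carrying the stolen data) leaves a recognisable pattern in proxy logs. Below, as an added example that is not part of the Zscaler analysis, is a small detector run over constructed proxy log lines: it flags a client that fetches several DLLs from one IP-literal host and then POSTs to that same host several times within a short window. The log format, the TEST-NET addresses, the DLL file names and the thresholds are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: "<iso-timestamp> <client> <method> <url> <status>".
# 10.0.0.5 shows the stealer pattern; 10.0.0.9 is a benign updater hitting a named host.
SAMPLE_LOG = """\
2022-06-30T10:00:01 10.0.0.5 POST http://203.0.113.7/ 200
2022-06-30T10:00:03 10.0.0.5 GET http://203.0.113.7/nss3.dll 200
2022-06-30T10:00:04 10.0.0.5 GET http://203.0.113.7/sqlite3.dll 200
2022-06-30T10:00:04 10.0.0.5 GET http://203.0.113.7/mozglue.dll 200
2022-06-30T10:00:05 10.0.0.5 GET http://203.0.113.7/freebl3.dll 200
2022-06-30T10:00:09 10.0.0.5 POST http://203.0.113.7/ 200
2022-06-30T10:00:11 10.0.0.5 POST http://203.0.113.7/ 200
2022-06-30T10:00:14 10.0.0.5 POST http://203.0.113.7/ 200
2022-06-30T10:02:00 10.0.0.9 GET https://updates.example.com/vcruntime140.dll 200
2022-06-30T10:02:01 10.0.0.9 POST https://updates.example.com/telemetry 200
""".splitlines()

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, method, url, status = m.groups()
    u = urlparse(url)
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": u.hostname, "path": u.path, "status": int(status)}


def find_stealer_sessions(lines, min_dlls=3, min_posts=3, window=timedelta(minutes=10)):
    """Return (src, host, dll_downloads, posts) for every client that downloaded at least
    min_dlls distinct .dll files from an IP-literal host and then issued at least min_posts
    POSTs to that host within `window` of the first DLL download.
    The IP-literal filter is an assumption to reduce noise from legitimate updaters."""
    events = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["host"]:
            events[(e["src"], e["host"])].append(e)

    hits = []
    for (src, host), evs in events.items():
        if not IP_LITERAL.match(host):
            continue
        evs.sort(key=lambda e: e["ts"])
        dll_gets = [e for e in evs
                    if e["method"] == "GET" and e["status"] == 200
                    and e["path"].lower().endswith(".dll")]
        if len({e["path"].lower() for e in dll_gets}) < min_dlls:
            continue
        t0 = dll_gets[0]["ts"]
        posts = [e for e in evs if e["method"] == "POST" and t0 <= e["ts"] <= t0 + window]
        if len(posts) >= min_posts:
            hits.append((src, host, len(dll_gets), len(posts)))
    return hits


if __name__ == "__main__":
    for src, host, dlls, posts in find_stealer_sessions(SAMPLE_LOG):
        print(f"{src} -> {host}: {dlls} DLL downloads followed by {posts} POSTs")
```

In the constructed log the client's very first POST (the fingerprint/configuration request) falls before the DLL downloads and is therefore not counted; only the exfiltration POSTs that follow the DLL batch trip the rule. Drop the IP-literal check if the C2 in your environment is fronted by a domain name.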
The types of data stolen by Raccoon Stealer 2.0 reportedly include system fingerprinting info, browser passwords, cookies, autofill data and saved credit cards, cryptocurrency wallets, files located on all disks, screenshots and installed application lists.
“We have also seen a change in how Raccoon Stealer v2 hides its intentions by using a mechanism where API names are dynamically resolved rather than being loaded statically,” Zscaler wrote.
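Dynamic API resolution leaves a footprint a defender can look for: because the binary calls LoadLibrary and GetProcAddress at run time to obtain the functions it actually uses, its static import table is sparse. The script below is an added example written for this page, not code from Zscaler or from the Raccoon authors. It parses a PE import directory with only the Python standard library and flags binaries whose imports consist of little more than the resolver pair. The PE images it parses are constructed inline as test data (a minimal PE32 with one section holding only an import table), and the threshold of 12 imported names is an arbitrary assumption to be tuned against a corpus of known-good binaries.

```python
import struct


def build_sample_pe(imports):
    """Construct a minimal 32-bit PE whose single section holds just an import table.
    imports: {"kernel32.dll": ["LoadLibraryA", ...]}. Constructed test data, not a real sample."""
    sec_rva, sec_raw = 0x1000, 0x200
    sec = bytearray(20 * (len(imports) + 1))       # IMAGE_IMPORT_DESCRIPTOR array, zero-terminated
    descs = []
    for dll, funcs in imports.items():
        name_rva = sec_rva + len(sec)
        sec += dll.encode() + b"\0"
        hint_rvas = []
        for f in funcs:
            sec += b"\0" * (len(sec) % 2)          # IMAGE_IMPORT_BY_NAME is WORD-aligned
            hint_rvas.append(sec_rva + len(sec))
            sec += struct.pack("<H", 0) + f.encode() + b"\0"   # 2-byte hint, then the name
        sec += b"\0" * (-len(sec) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in hint_rvas) + b"\0\0\0\0"
        ilt_rva = sec_rva + len(sec); sec += thunks   # import lookup table
        iat_rva = sec_rva + len(sec); sec += thunks   # import address table (identical on disk)
        descs.append(struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, iat_rva))
    sec[:20 * len(descs)] = b"".join(descs)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, sec_rva, 20 * len(descs))         # data directory[1] = imports
    sect = struct.pack("<8sIIII", b".rdata", len(sec), sec_rva, len(sec), sec_raw) + b"\0" * 16
    return (dos + coff + bytes(opt) + sect).ljust(sec_raw, b"\0") + bytes(sec)


def parse_imports(pe):
    """Walk the import directory of a PE32 or PE32+ image and return {dll: [function, ...]}."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    is64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    imp_rva = struct.unpack_from("<I", pe, opt + (112 if is64 else 96) + 8)[0]
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section header
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsect)]

    def rva2off(rva):
        for vsize, va, rawsize, raw in sections:
            if va <= rva < va + max(vsize, rawsize):
                return raw + rva - va
        raise ValueError(f"RVA {rva:#x} is outside every section")

    def cstr(off):
        return pe[off:pe.index(b"\0", off)].decode("ascii", "replace")

    result = {}
    if imp_rva == 0:
        return result
    fmt, size, ord_flag = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    off = rva2off(imp_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", pe, off)
        if ilt == 0 and name_rva == 0 and iat == 0:
            break
        names, t = [], rva2off(ilt or iat)
        while (entry := struct.unpack_from(fmt, pe, t)[0]) != 0:
            # ordinal imports carry no name; by-name entries point past the 2-byte hint
            names.append(f"#{entry & 0xFFFF}" if entry & ord_flag else cstr(rva2off(entry) + 2))
            t += size
        result[cstr(rva2off(name_rva)).lower()] = names
        off += 20
    return result


def looks_like_runtime_resolver(imports, max_imports=12):
    """Triage heuristic: a small import table that nevertheless contains LoadLibrary* and
    GetProcAddress is the footprint of a binary resolving its real API set at run time.
    max_imports is an assumed threshold, not a value from the Zscaler analysis."""
    names = {n.lower() for funcs in imports.values() for n in funcs}
    has_resolver = "getprocaddress" in names and bool(names & {"loadlibrarya", "loadlibraryw"})
    return has_resolver and len(names) <= max_imports


if __name__ == "__main__":
    sparse = build_sample_pe({"kernel32.dll": ["LoadLibraryW", "GetProcAddress", "ExitProcess"]})
    print(parse_imports(sparse), looks_like_runtime_resolver(parse_imports(sparse)))
```

The heuristic is for triage only: packers and some legitimate plugin loaders produce the same sparse table, so a hit is a reason to look at the strings the sample passes to GetProcAddress, not a verdict on its own.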
For context, the Raccoon Stealer operation reportedly shut down in March 2022, following the death of one of the lead developers during Russia’s invasion of Ukraine.
According to an analysis by security analysts at Sekoia, the operators then posted on dark web forums saying they would return, and a post on an undisclosed dark web forum in May suggested that Raccoon Stealer 2.0 was already under development.
“Raccoon Stealer sold as Malware-as-a-Service has become popular over the past few years, and several incidents of this malware have been observed,” reads the Zscaler analysis.
“The authors of this malware are constantly adding new features to this family of malware. This is the second major release of the malware after the first release in 2019. This shows that the malware is likely to evolve and remain a constant threat to organizations.”