Raccoon Stealer Malware: Inquisitive Intruder

by Dominic Tory, SOC Analyst Published on: 18th November 2022

The New Generation Raccoon Stealer Malware-as-a-Service is Making The Rounds

‘As-a-service’ cybercrime has become widespread over the past few years, with threat actors increasingly offering their malicious tools and services on a subscription basis through affiliates.

These subscriptions often come with affordable pricing and professional support, guiding affiliates through the use of the tool or service so that they can distribute it, compromise their targets and ultimately receive a cut of any ransom or of the exfiltrated data for use in further attacks.

Raccoon Stealer, a malware-as-a-service that harvests credentials from the target system, appeared on underground hacker forums in early 2019, created by the aptly named raccoonstealer. The credential access tool is available for around $200 per month and has infected over 100,000 devices to date. Although a simple tool, it is well known for its user-friendly experience, high-quality affiliate support and its ability to steal from a wide range of common applications.

However, it was speculated that the creator was killed during the Russian invasion of Ukraine, and the project ended in March 2022. Four months later, in July 2022, a new and improved version of the malware (v2) appeared. Now named RecordBreaker, the malware went viral and has seen extensive adoption, having stolen around 50 million unique credentials around the globe. The malware has made the news again recently with the arrest of a developer behind the program.

Credential access is a common tactic amongst threat actors, with the end goal of accessing as many credentials and as much sensitive information as possible using techniques such as keylogging, cookie extraction, and theft of credentials from password stores such as web browser profiles.

Beware of the Raccoon

RecordBreaker may achieve initial access on a system through phishing with malicious documents containing the exploit, or through user execution of free and cracked software that the malware is bundled with. Its configuration, including the command and control (C2) details used for exfiltration, is stored in the payload as obfuscated strings: RC4 encryption and base64 encoding are layered together and reversed at runtime, a common technique in malware.
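The base64-plus-RC4 string layering described above is what an analyst reverses when pulling C2 details out of a sample. The following is an added example, not code from the original post or from any RecordBreaker sample: it implements a plain RC4 routine and a decoder for strings that were RC4-encrypted and then base64-encoded, run against a constructed key and constructed placeholder strings rather than values from a real sample.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def deobfuscate_string(key: bytes, blob: str) -> str:
    """Reverse the layering: base64-decode first, then RC4-decrypt."""
    return rc4(key, base64.b64decode(blob)).decode("utf-8", errors="replace")


def obfuscate_string(key: bytes, plain: str) -> str:
    """Inverse helper, used here only to build the constructed sample below."""
    return base64.b64encode(rc4(key, plain.encode("utf-8"))).decode("ascii")


def extract_config(key: bytes, blobs: list[str]) -> list[str]:
    """Decode every obfuscated config string with one candidate key."""
    return [deobfuscate_string(key, b) for b in blobs]


# Constructed sample: hypothetical key and placeholder strings, not from a real sample.
SAMPLE_KEY = b"example-key-not-from-sample"
SAMPLE_PLAIN = ["http://c2.example.invalid/", "MachineGuid"]
SAMPLE_BLOBS = [obfuscate_string(SAMPLE_KEY, s) for s in SAMPLE_PLAIN]

if __name__ == "__main__":
    for blob, text in zip(SAMPLE_BLOBS, extract_config(SAMPLE_KEY, SAMPLE_BLOBS)):
        print(f"{blob} -> {text}")
```

On a real sample the key is recovered from the decryption routine (the SEKOIA.IO YARA rule mentioned later targets exactly that routine) and the blobs are the encoded strings referenced by it.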

Once active on a system, sections of the payload are de-obfuscated to reveal the C2 infrastructure. The malware then enumerates running processes to check its privilege level, queries the registry of the infected machine for the MachineGuid and collects the username. These values are concatenated into a fingerprint and sent to a C2 server over HTTP, where the server responds with additional information and instructions for the malware to perform the following types of actions:

  • Discovery of user information
  • Discovery of system information for hardware/software configuration
  • Discovery of files, directories, and applications for theft sources

RecordBreaker then automatically harvests and exfiltrates information such as browser passwords, autofill data, credit cards, cryptocurrency wallets, and application data. It can also capture the screen and exfiltrate any file matching a given pattern, making it far more potent than the first version. The malware can then be used to stage additional payloads on the victim.

Detection and Prevention

A RecordBreaker sample, as shown on VirusTotal, is detected by the vast majority of security vendors and sandboxes. Additionally, we have visibility of the IP addresses the sample attempts to contact during its execution, one of which is marked as malicious, albeit only by nine vendors at the time of writing. This is useful data to pivot on when investigating its C2 infrastructure.

The SEKOIA.IO CTI team has produced a YARA rule to detect RecordBreaker’s decryption algorithm and string de-obfuscation routine.

Because this and similar malware are often distributed through social engineering via phishing, it is imperative that users undergo awareness training.

“Users, consumer or corporate, should avoid storing passwords in browsers due to their easily accessible nature”

Instead, a reputable password manager that encrypts its stored data should be used. Additionally, cookies should be cleared from browsers when not in use.

RecordBreaker can be inadvertently downloaded by the victim via a web browser, where it can be found bundled in free or cracked software. Here, along with user training, web filtering and file sandboxing should prevent users from reaching malicious and suspicious websites and from retrieving files to their machines without those files first undergoing analysis.

Whilst RecordBreaker is not stealthy and can easily be detected by an up-to-date anti-malware product, other malware uses complex defence evasion techniques to bypass basic anti-malware solutions, so an EDR product should be implemented to detect malicious and suspicious behaviours. A security information and event management (SIEM) solution can assist in detecting hidden threats that traditional security tooling has not discovered.

Additionally, next-generation firewalls (NGFW) can be loaded with known indicators of compromise (IOCs), including file hashes, IP addresses and domains related to malicious tools and linked C2 infrastructure, to block attacks at the network border before they can reach users.


We Can Help

We take a multi-layered managed service approach to prevention, leveraging extended detection and response (XDR) technologies with trained SOC professionals to provide comprehensive protection, from assessment & compliance, and detection and response, to remediation and incident response.

Get in touch with us to discuss how we can help to prevent known and unknown threats from compromising your business:

By phone – 0800 404 8888

By email – enquiries@communicate.technology

Speak to our engineers and experts.