Raccoon malware
Image: Yannick Mennard via Unsplash / The Record

Raccoon Stealer malware back with updated version following administrator arrest

The operators of the infamous Raccoon malware announced their return this week after a six-month hiatus from hacker forums following the arrest of an administrator.

"We are happy to return with new strength and understanding of our mistakes," they said in a statement.

Raccoon is a highly popular info-stealing malware-as-a-service sold on dark web forums. It has been praised for its simplicity and customization.

The malware targets popular browsers and desktop cryptocurrency wallets to steal passwords, cookies, and credit card numbers. It can also download files and capture screenshots on victims’ computers.

Last October, the U.S. indicted one of the “key administrators” of the malware, Ukrainian citizen Mark Sokolovsky, and demanded his extradition from the Netherlands, where he was arrested. Dutch officials are likely to honor this request soon as this week they rejected Sokolovsky's appeal against being extradited.

According to a report by Cyberint, which analyzed the malware's latest version, Raccoon administrators have introduced features that make it easier and more convenient to use the tool.

For example, they added a quick search tool to find specific links in large datasets, which will help hackers quickly locate needed information, even when dealing with millions of documents and thousands of different links, according to the researchers.

Another feature detects unusual activity that may come from bots that help cybersecurity firms monitor Raccoon's traffic. If Raccoon identifies suspicious behavior, it automatically deletes records associated with those activities and updates the information on each client pad.

This makes it harder for security tools that use automation and bots to detect the malware, according to Cyberint.

Raccoon operators also added a new panel that gives users an overview of their operations, the most successfully targeted countries, and the number of breached computers.

In the past, Raccoon Infostealer administrators rented out its malware for $200 per month in cryptocurrency to steal data from victims’ computers, including log-in credentials, financial information, and other personal records. The malware is installed on the victims' computers through phishing emails.

The stolen information is then sent to one or more servers controlled by the Raccoon administrators. When the operation is completed, Raccoon deletes itself from the infected computer.

After Sokolovsky's arrest, the FBI collected data stolen from many computers that cybercriminals infected with Raccoon malware.

Law enforcement has identified more than 50 million unique credentials and forms of identification, including email addresses, bank accounts, cryptocurrency addresses, and credit card numbers in the stolen data from millions of potential victims around the world.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.