Racoon Stealer is Back — How to Protect Your Organization

Table of Contents

The Racoon Stealer malware as a service platform gained notoriety several years ago for its ability to extract data that is stored within a Web browser. This data initially included passwords and cookies, which sometimes allow a recognized device to be authenticated without a password being entered. Racoon Stealer was also designed to steal auto-fill data, which can include a vast trove of personal information ranging from basic contact data to credit card numbers. As if all of that were not enough, Racoon Stealer also had the ability to steal cryptocurrency and to steal (or drop) files on an infected system.

As bad as Racoon Stealer might have been, its developers have recently created a new version that is designed to be far more damaging than the version that previously existed.

New Racoon Stealer Capabilities

The new version of Raccoon Stealer still has the ability to steal browser passwords, cookies, and auto-fill data. It also has the ability to steal any credit card numbers that are saved in the browser.

Additionally, the latest version of Raccoon Stealer is far more capable than its predecessor when it comes to stealing cryptocurrency. Not only can Raccoon Stealer attack cryptocurrency wallets, but it also has the ability to attack numerous cryptocurrency-related browser plugins.

The developers of Raccoon Stealer have also enhanced the malware’s ability to harvest file data. Whereas the previous version was eventually enhanced to allow the theft of individual files, the latest version is capable of stealing files regardless of which disk they reside. Additionally, the new version of Raccoon Stealer can capture a list of the applications that are installed on the machine, which can be useful in helping an attacker to know what types of data files might exist and be worth stealing.

Perhaps most disturbingly, Raccoon Stealer is able to capture screenshots from an infected system. Screen captures could be used for a countless variety of nefarious purposes. For example, an attacker could conceivably watch someone enter payment information related to purchase and take a screen capture of the checkout screen, thereby capturing not just a credit card number, but all of the supporting details that might be required in order to use the credit card (such as the card’s security code and the cardholder’s name and address). Of course, a screen capture feature could be used to steal any type of sensitive data and an attacker who has created such a screen capture could use it as the basis for a cyber extortion scheme.

How Can You Protect Your Organization?

Defending yourself against this latest version of Raccoon Stealer largely comes down to adhering to long-established security best practices. For example, you should never click on a link or open an attachment within a message unless you know the sender. Even if you do know the sender, it’s important to take the time to verify a message’s authenticity before clicking on any links or opening attachments. After all, attackers often spoof message headers in a way that makes it appear as though a malicious message was sent by someone that you know. End-user education is vital for your organization, be sure to inform your employees of the do’s and don’ts of online safety.

It’s also extremely important to keep your operating system and your applications up to date with the latest security patches. Similarly, you should avoid running any outdated applications that are no longer being updated. This is especially true for browsers since that Raccoon Stealer’s primary target.

You’ll have to make sure that you have malware protection installed on all of your systems and that this malware protection is being kept up-to-date. Don’t simply assume that updates are being regularly downloaded and installed – take the time to periodically check when the most recent malware signature was added.

Finally, acknowledge the idea that no system is ever 100% immune to malware. In the case of Raccoon Stealer, for example, all it takes is one bad click for a system to become infected. Even a seasoned IT security professional could potentially become a victim if they happened to be distracted for a moment and accidentally click on something they shouldn’t. If that happens, then hopefully, the anti-malware software will prevent the system from becoming infected, but the potential for infection still exists.

How Specops Can Help Protect Against Attacks

The problem with this is that unlike ransomware, which displays a notification banner on the screen of an infected system, Raccoon Stealer tends to be stealthy. You might not immediately know that your system has been compromised. An unconventional yet effective way of detecting such an infection would be to use a security tools like Specops Password Policy.

Specops maintains a database of billions of credentials that are known to have been compromised and can alert users who are using passwords that appear in this database. Being that Racoon Stealer specifically targets cached passwords, it’s likely that passwords that have been stolen during an infection will soon show up on the Dark Web and be added to the Specops database.

This means that even if your anti-malware software does not detect a Racoon Stealer infection, suddenly discovering that your passwords have been compromised is a clear signal that a security incident has occurred.