Criminals behind malware dubbed Raccoon Stealer have adopted a simple and effective technique to circumvent Microsoft and Symantec anti-spam messaging gateways. The technique has been used in a recent campaign targeting financial institutions via business email compromise (BEC) attacks.
According to a Cofense report posted Thursday, the malware is delivered inside an .IMG file hosted on a hacker-controlled Dropbox account.
“Using the familiar theme of a wire transfer—closely akin to those often seen in business email compromise scams—the threat actors look to trick users into opening the Dropbox URL and downloading the malicious file,” wrote Cofense authors Max Gannon and Alan Rainer.
What makes the Raccoon Stealer interesting to researchers is that it is new, easy-to-use and under active development by the hackers behind it. Cofense said the malware was first spotted in April of 2019 and since then has been leveraged in several different campaigns.
The malware is sold on underground forums in both Russian and English and includes around-the-clock customer support, Cofense said.
According to research published in October by Cybereason, the malware has infected hundreds of thousands of Windows systems since April. Researchers there said developers behind the Raccoon Stealer charge $200 months for it use.
“In this most recent campaign, a potentially compromised email account was used to send the email,” researchers at Cofense wrote. Those messages managed to make it past Symantec Email Security and Microsoft EOP gateways “without the URL being removed or tampered with to the extent that it would prevent victims from clicking on it and downloading the payload.”
Because of the malware’s flexibility to deliver a variety of payloads the Raccoon Stealer is gaining traction in underground markets, said researchers.
Tricky Raccoons
In previous campaigns, Cofense researchers said the Raccoon Stealer malware has hid inside RFT document attachments and targeted the utilities sector. In those campaigns, adversaries behind the attacks attempted to leverage a known Microsoft Office remote code execution vulnerability (CVE-2017-8570) that dates back to 2017.
“Although not particularly advanced or subtle with its network activity and processes, the malware can quickly gather and exfiltrate data as well as download additional payloads,” researchers wrote.
The Raccoon Stealer malware has also been leveraged by attackers behind the Fallout exploit kit. Over the summer, researchers at Bitdefender observed malicious online ads being used to deliver Raccoon Stealer to vulnerable systems. Exfiltrated from those endpoints were login credentials, auto-fill information and cookies from the Google Chrome and Mozilla browsers. Also stolen were credential for various crypto wallets.
“Given the variety of delivery options, Raccoon Stealer could be a problem for organizations that focus too much on one infection vector,” Cofense researchers said.
Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand Threatpost webinar, “Trends in Fortune 1000 Breach Exposure” to hear advice from breach expert Chip Witt of SpyCloud. Click here to register.
