Sophos Reports on Rampant Raccoon Stealer Campaign that Uses Telegram and Adds Cryptomining and Cryptocurrency Theft

Sophos Press Release

Stealer is Delivered to Targets Bundled with Ransomware and Other Malicious Content

OXFORD, U.K. – Aug. 3, 2021 – Sophos, a global leader in next-generation cybersecurity, has published new research, “Trash Panda as a Service: Raccoon Stealer Steals Cookies, Cryptocoins and More,” detailing how a stealer disguised as pirated software grabs cryptocurrencies and information while dropping malicious content, such as cryptominers, on targeted systems.

“With much of daily and professional life now reliant on services delivered through a web browser, the operators behind information-stealing malware are increasingly targeting stored web credentials that provide access to a lot more than they could get by just stealing stored password hashes,” said Sean Gallagher, senior threat researcher at Sophos.

“The campaign we’ve been tracking shows Raccoon Stealer grabbing passwords, cookies, and the ‘autofill’ text for websites, including credit card data and other personally identifying information that may be stored by a browser. Thanks to a recent ‘clipper’ update that changes the clipboard or destination information for a cryptocurrency transaction, Raccoon Stealer also now targets crypto-wallets, and it can retrieve or load files – such as additional malware – on infected systems. That’s a lot of stuff that cybercriminals can easily monetize for a service that is ‘rented out’ at $75 for a week’s use.”

Raccoon Stealer is usually spread by spam email. However, in the campaign Sophos investigated, it is distributed through droppers that the operators disguised as cracked software installers. These droppers bundle Raccoon Stealer with additional attack tools, including malicious browser extensions, YouTube click-fraud bots, and Djvu/Stop, a ransomware targeted primarily at home users.

The operators behind this Raccoon Stealer campaign also used the Telegram chat service for the first time for command-and-control communications, according to Sophos researchers.

“Information stealers fill an important niche in the cybercrime ecosystem. They offer a quick return on investment and represent an easy and cheap entry point for bigger attacks,” said Gallagher. “Cybercriminals often sell stolen identity credentials on ‘dark’ marketplaces, allowing other attackers, including ransomware operators or Initial Access Brokers, to take advantage of them for their own criminal intentions – such as breaking into a corporate network through a workplace chat service. Or attackers can use credentials for further attacks targeting other users on the same platform. There is a constant demand for stolen user credentials – especially credentials providing access to legitimate services that attackers can use to easily host or spread more malware. Information stealers may look like lower-level threats, but they’re not.”

Sophos recommends that organizations that use online services for workplace chat and collaboration use multi-factor authentication (MFA) to protect employees’ accounts and ensure that all employees have up-to-date malware protection on any computer they access remote work-related services from.

Sophos Intercept X protects users by detecting the actions and behaviors of malware like Raccoon Stealer, including scanning for suspicious activity in memory and protecting against fileless malware.

Sophos advises consumers to install a security solution on the devices that they and their families use for online communications and gaming, such as Sophos Home, to protect everyone from malware and cyberthreats. It is also good security practice to avoid downloading and installing unlicensed software from any source. Always check first to make sure it’s legitimate.

Further information on Raccoon Stealer and other cyberthreats is available at SophosLabs Uncut.

关于 Sophos

Sophos 是先进网络安全解决方案的全球领导者和创新者,包括托管式侦测与响应 (MDR) 和事件响应服务,各种端点、网络、电子邮件和云安全技术,帮助企业防御网络攻击。作为最大的纯网络安全供应商之一,Sophos 帮助全球超过 500,000 家企业和超过 1 亿用户抵御主动攻击对手、勒索软件、网络钓鱼、恶意软件等。Sophos 的服务和产品通过 Sophos Central 云管理控制台连接,并得到内部跨领域威胁情报部门 Sophos X-Ops 的支持。Sophos X-Ops 情报优化整个 Sophos Adaptive Cybersecurity Ecosystem 自适应网络安全生态体系,包括一个中央数据湖,为客户、合作伙伴、开发人员和其他网络安全与信息技术供应商提供一组丰富的开放 API。Sophos 为需要全托管并即使可用的安全解决方案的企业提供网络安全即服务,客户还可以直接利用 Sophos 的安全运行平台管理其网络安全,或者采用混合方法,为内部团队补充 Sophos 服务(包括威胁追踪与修复)。Sophos 通过世界各地的经销商合作伙伴和托管服务供应商 (MSP) 销售。Sophos 总部位于英国牛津。如欲了解更多信息,请访问 www.sophos.com