Sophos reports on Rampant Raccoon Stealer campaign that uses Telegram and adds cryptomining and cryptocurrency theft
Stealer is delivered to targets with ransomware and other malicious content
OXFORD, UK, 03 Aug 2021 (GLOBE NEWSWIRE) – Sophos, a global leader in next-generation cybersecurity, has released new research, “Trash Panda as a Service: Raccoon Stealer Steals Cookies, Cryptocoins and More”, detailing how a stealer disguised as pirated software grabs cryptocurrency and information while dropping further malicious content, such as cryptominers, on targeted systems.
“While much of daily and professional life now depends on services delivered through a web browser, the operators behind information theft malware are increasingly targeting stored web credentials that give access to much more than they could get by simply stealing stored password hashes,” said Sean Gallagher, senior threat researcher at Sophos.
“The campaign we are tracking shows that Raccoon Stealer recovers passwords, cookies, and ‘autofill’ text for websites, including credit card data and other personally identifying information that may be stored by a browser. Thanks to a recent ‘clipper’ update that changes the clipboard or destination information for a cryptocurrency transaction, Raccoon Stealer now also targets crypto wallets and can retrieve or upload files – such as additional malware – on infected systems. This is a lot that cybercriminals can easily monetize for a service that is ‘rented’ at $75 for a week of use.”
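To make the clipper behaviour described in the quote concrete, the following is an added example (written for this page, not code from Sophos or from Raccoon Stealer): a minimal model of a clipboard clipper that swaps a copied cryptocurrency address for an attacker-controlled one of the same family, alongside a detection routine that flags exactly that substitution. The address regexes are format-only checks chosen for the example, the attacker and victim addresses are constructed placeholders, and the clipboard is driven by explicit function calls rather than a real OS clipboard hook.

```python
import re

# Format-only checks for three common address families. Checksums are not
# validated; the regexes are an assumption of this added example, not a
# list taken from the Sophos report.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the address family a clipboard string looks like, or None."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


# Constructed, format-valid placeholders standing in for the wallets a
# clipper would redirect funds to. Not real addresses.
ATTACKER_ADDRESSES = {
    "btc_legacy": "1" + "A" * 33,
    "btc_bech32": "bc1" + "q" * 39,
    "eth": "0x" + "ab" * 20,
}


def clipper_substitute(clipboard_text, attacker_addresses=ATTACKER_ADDRESSES):
    """Model of the clipper: when the clipboard holds an address, replace it
    with an attacker address of the *same* family, so the swap is not
    obvious from the address format alone."""
    family = classify_address(clipboard_text)
    if family is None:
        return clipboard_text
    return attacker_addresses[family]


class ClipboardMonitor:
    """Detection side: remember what the user actually copied and flag a
    clipboard that now holds a different address of the same family.
    A real agent would feed observe() from a clipboard-change hook; here
    it is driven by explicit calls."""

    def __init__(self):
        self.last_user_copy = None
        self.alerts = []

    def on_user_copy(self, text):
        self.last_user_copy = text.strip()

    def observe(self, current_text):
        current = current_text.strip()
        if self.last_user_copy is None or current == self.last_user_copy:
            return False
        src_family = classify_address(self.last_user_copy)
        cur_family = classify_address(current)
        if src_family is not None and src_family == cur_family:
            self.alerts.append((self.last_user_copy, current))
            return True
        return False


def simulate_payment(intended_destination, infected=True):
    """Copy -> (optional clipper) -> paste. Returns (pasted, alerted)."""
    monitor = ClipboardMonitor()
    monitor.on_user_copy(intended_destination)
    clipboard = intended_destination
    if infected:
        clipboard = clipper_substitute(clipboard)
    alerted = monitor.observe(clipboard)
    return clipboard, alerted


if __name__ == "__main__":
    victim_address = "0x" + "12" * 20  # constructed victim destination
    pasted, alerted = simulate_payment(victim_address)
    print("pasted:", pasted, "alert:", alerted)
```

The practical point is in the monitor: because the clipper keeps the address family intact, a format check alone never notices the swap; the only reliable signal is that the clipboard content changed without a user copy action, which is what a wallet UI or endpoint agent should compare against before a transaction is signed.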
Raccoon Stealer is usually spread by spam email. In the campaign Sophos investigated, however, it is distributed via droppers disguised as cracked software installers. These droppers bundle Raccoon Stealer with additional attack tools, including malicious browser extensions, YouTube click-fraud bots, and Djvu/Stop, a ransomware family aimed primarily at home users.
The operators behind this Raccoon Stealer campaign also used the Telegram chat service for command-and-control communications, the first time Sophos researchers have observed this with Raccoon Stealer.
“Information stealers occupy an important niche in the cybercrime ecosystem. They offer a quick return on investment and are an easy and inexpensive entry point for larger attacks,” said Gallagher. “Cybercriminals often sell stolen credentials in ‘dark’ markets, allowing other attackers, including ransomware operators or initial access brokers, to take advantage of them for their own criminal intentions, such as entering a company network via a chat service in the workplace. Or attackers can use the credentials for other attacks targeting other users on the same platform. There is a constant demand for stolen user credentials, especially credentials that allow access to legitimate services that attackers can use to easily host or distribute more malware. Information stealers may sound like lower-level threats, but they aren’t.”
Sophos recommends that organizations that use online services for chat and workplace collaboration use multi-factor authentication (MFA) to protect employee accounts and ensure that all employees have up-to-date malware protection on any computer from which they access remote work-related services.
Sophos Intercept X protects users by detecting the actions and behaviors of malware such as Raccoon Stealer, including scanning for suspicious activity in memory and protecting against fileless malware.
Sophos advises consumers to install a security solution, such as Sophos Home, on the devices they and their families use for online communications and gaming, to protect everyone from malware and other cyber threats. It is also recommended to avoid downloading and installing unlicensed software from any source; always check first to make sure it is legitimate.
More information on Raccoon Stealer and other cyber threats can be found at SophosLabs Uncut.
Tactics, Techniques and Procedures (TTPs) and more for different types of ransomware can be found on SophosLabs Uncut, Sophos’ latest threat intelligence site.
Information on attacker behavior, incident reports and tips for security operations professionals can be found at Sophos News SecOps
To help stop ransomware attacks, read the top five indicators that an attacker is present
Learn more about Sophos’ Rapid Response service which captures, neutralizes and investigates attacks 24/7
Top four tips for responding to a security incident from Sophos Rapid Response and the Managed Threat Response Team
Read the latest security news and advisories on the award-winning Sophos Naked Security news site and on Sophos News
Connect with Sophos on Twitter, LinkedIn, Facebook, Spiceworks and YouTube
Sophos is a global leader in next-generation cybersecurity, protecting more than 500,000 organizations and millions of consumers in more than 150 countries from today’s most advanced cyber threats. Leveraging threat intelligence, AI and machine learning from SophosLabs and SophosAI, Sophos offers a wide range of advanced products and services to secure users, networks and endpoints against ransomware, malware, exploits, phishing, and the wide array of other cyberattacks. Sophos provides a single integrated cloud management console, Sophos Central – the centerpiece of an adaptive cybersecurity ecosystem that includes a centralized data lake that leverages a rich set of open APIs available to customers, partners, developers and other cybersecurity vendors. Sophos sells its products and services through reseller partners and Managed Service Providers (MSPs) around the world. Sophos is headquartered in Oxford, UK. More information is available at www.sophos.com.
CONTACT: Brandon Reid, [email protected]