Raccoon Stealer is Back — How to Protect Your Organization


The Raccoon Stealer malware-as-a-service platform gained fame a few years ago for its ability to extract data stored in a web browser. This data initially included passwords and cookies, the latter of which can sometimes authenticate a recognized device without a password being entered at all. Raccoon Stealer is also designed to steal auto-populated form data, which can include a huge amount of personal information ranging from basic contact details to credit card numbers. As if all that wasn’t enough, Raccoon Stealer also had the ability to steal cryptocurrency and to steal (or drop) files on an infected system.

As bad as Raccoon Stealer may have been, its developers recently released a new version designed to be far more harmful than the one that existed before.

New Raccoon Stealer Abilities

The new version of Raccoon Stealer still has the ability to steal browser passwords, cookies, and auto-filled data. It also has the ability to steal credit card numbers stored in the browser.

Moreover, the latest version of Raccoon Stealer is much more capable than its predecessor when it comes to stealing cryptocurrency. Not only can Raccoon Stealer attack cryptocurrency wallets, but it also has the ability to attack numerous cryptocurrency-related browser plugins.

The developers of Raccoon Stealer have also improved the malware’s ability to collect file data. While the previous version was eventually improved to allow for the theft of individual files, the latest version is capable of stealing files no matter what drive they are on. In addition, the new version of Raccoon Stealer can capture a list of the applications installed on the machine, which can be useful to help an attacker know what types of data files may be there and worth stealing.

Perhaps most disturbingly, Raccoon Stealer can take screenshots of an infected system. Screenshots can be used for a myriad of nefarious purposes. For example, an attacker can watch someone enter payment information for a purchase and take a screenshot of the checkout screen, capturing not only the credit card number but any supporting details needed to use the card (such as the card security code and the cardholder’s name and address). Of course, a screen capture feature can be used to steal any type of sensitive data, and an attacker who has captured such material could use it as the basis for a cyber extortion scheme.

How can you protect your organization?

Defending yourself against this latest version of Raccoon Stealer largely comes down to adhering to long-standing security best practices. For example, you should never click a link or open an attachment in a message unless you know the sender. Even if you know the sender, it’s important to take the time to verify the authenticity of a message before clicking links or opening attachments. After all, attackers often forge message headers so that a malicious message appears to have been sent by someone you know. End-user education is essential for your organization: inform your employees about the do’s and don’ts of online security.

It is also extremely important to keep your operating system and your applications up to date with the latest security patches. Likewise, you should avoid running outdated applications that are no longer updated. This is especially true for browsers, since browsers are Raccoon Stealer’s primary target.

You must ensure that malware protection is installed on all your systems and that this protection is kept up to date. Don’t just assume that updates are downloaded and installed regularly – take the time to check when the most recent malware signature update was actually installed on each system.

Finally, accept that no system is ever 100% immune to malware. In the case of Raccoon Stealer, for example, it only takes one bad click for a system to become infected. Even a seasoned IT security professional can become a victim if they get distracted and accidentally click on something they shouldn’t. If that happens, the anti-malware software will hopefully prevent the system from being infected, but the chance of infection still exists.

How Specops can help protect against attacks

The problem is that, unlike ransomware, which displays a notification banner on the screen of an infected system, Raccoon Stealer tends to be unobtrusive. You may not know right away that your system has been compromised. An unconventional but effective way to detect such an infection is to use security tools such as Specops Password Policy.

Specops maintains a database of billions of credentials that are known to be compromised and can warn users whose passwords exist in this database. Since Raccoon Stealer specifically targets cached passwords, it is likely that passwords stolen during an infection will soon appear on the Dark Web and be added to the Specops database.

This means that even if your anti-malware software doesn’t detect a Raccoon Stealer infection, suddenly discovering that your passwords have been compromised is a clear signal that a security incident has occurred.
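To make the detection idea above concrete, here is an added example (not Specops’ code, and not part of the original post) showing how a compromised-password check can be implemented. It goes slightly beyond the text by using the hash-prefix (k-anonymity) pattern, in which only the first five characters of a SHA-1 hash are sent to the lookup service and the full hash never leaves the client. The breached-password corpus and the account list are constructed sample data; the function and variable names are this example’s own assumptions.

```python
import hashlib
from typing import Dict, Iterable, List

# Constructed sample corpus of breached passwords (illustration only, not real
# leaked data). A real service holds billions of entries; duplicates are kept
# as counts because a password seen in many breaches is a stronger signal.
SAMPLE_BREACHED_PASSWORDS = [
    "Password123", "Password123", "Summer2023!", "letmein", "qwerty",
]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; used only as a lookup key."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Server side: index breached passwords as {5-char prefix: {35-char suffix: count}}."""
    index: Dict[str, Dict[str, int]] = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:5], digest[5:]
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + 1
    return index


def range_query(index: Dict[str, Dict[str, int]], prefix: str) -> Dict[str, int]:
    """Server side: return every suffix sharing the prefix. The server learns only
    the prefix, so it cannot tell which of the candidates the client holds."""
    return index.get(prefix.upper(), {})


def is_compromised(password: str, index: Dict[str, Dict[str, int]]) -> int:
    """Client side: send the 5-char prefix, match the suffix locally.
    Returns how many times the password appears in the breach corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_query(index, prefix).get(suffix, 0)


def audit_accounts(accounts: Dict[str, str], index: Dict[str, Dict[str, int]]) -> List[str]:
    """Return the usernames whose current password is in the breach corpus.
    In practice this is run at password-change time or as a periodic audit; a
    sudden cluster of hits on previously clean accounts is the incident signal
    the text describes and should be escalated, not just reported to users."""
    return sorted(user for user, pw in accounts.items() if is_compromised(pw, index))


if __name__ == "__main__":
    breach_index = build_breach_index(SAMPLE_BREACHED_PASSWORDS)
    # Constructed account list for the demonstration.
    sample_accounts = {
        "alice": "Summer2023!",
        "bob": "Tr0ub4dor&3-unique-phrase",
        "carol": "qwerty",
    }
    for user in audit_accounts(sample_accounts, breach_index):
        print(f"{user}: password found in breach corpus "
              f"({is_compromised(sample_accounts[user], breach_index)} occurrences)")
```

The client never transmits the full hash, so the lookup service cannot recover the password even if the request is logged; the same pattern is what public breached-password APIs use for their range queries.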

Test the Specops password policy tools in your Active Directory for free.