Raccoon

Malware Profile Updated 2 months ago
Raccoon is an information-stealing malware used by the Scattered Spider threat actors to obtain sensitive information such as login credentials, browser cookies, and browser histories. Raccoon Stealer is particularly notorious for its ability to detect countermeasures, delete the records associated with those activities, and update the threat actors' dashboard accordingly. eSentire Threat Intelligence analyzed the malware in detail in August 2022, when Raccoon Stealer v2.0 emerged.

The malware has been responsible for several significant cyber attacks around the globe. Newer variants such as Agent Raccoon have targeted regions including the Middle East, Africa, and the US. An operator of the Ukrainian Raccoon Infostealer is currently awaiting trial in the US.

Between June 2022 and May 2023, Raccoon was reported as the most common stealer of OpenAI account credentials, responsible for more than 78,000 infections and surpassing similar threats such as Vidar and RedLine. Data from Group-IB, however, indicates a shift in the infostealer landscape between June and October 2023: during that period LummaC2 became the most common source of infostealer logs containing ChatGPT credentials, with 70,484 cases, while Raccoon and RedLine each accounted for fewer than 23,000. These stolen credentials were often found for sale on dark web marketplaces, originating from devices infected with infostealers such as LummaC2, Raccoon, and RedLine. Cyberint has published several mitigation and prevention strategies for protecting against a Raccoon Stealer infection.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Raccoon Stealer | 5 | Raccoon Stealer is a form of malware that was first identified in 2019. Developed by Russian-speaking coders and initially promoted on Russian-language hacking forums, the malicious software was designed to steal sensitive data from victims, including credit card information, email credentials, and
Azorult | 3 | Azorult is a type of malware, or malicious software, that infiltrates systems to exploit and damage them, often without the user's knowledge. It has historically been one of the favored infostealers sold on the marketplace 2easy, alongside RedLine, Raccoon, Vidar, and Taurus. However, as of late Feb
Raccoon Infostealer | 3 | The Raccoon Infostealer is a type of malware, specifically designed to infiltrate computer systems and illicitly gather personal information. This malicious software often enters systems through suspicious downloads, emails, or websites without the user's knowledge. Once it has infiltrated a system,
Agent Raccoon | 1 | Agent Raccoon is a newly identified strain of malware that has been found to target systems in the Middle East, Africa, and the United States. As a malicious software, it is designed to infiltrate computer systems without the user's knowledge, often through suspicious downloads, emails, or compromis
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, Cybercrime, MaaS, Infostealer, Ransomware, Credentials, Trojan, Telegram, YouTube, Payload, Exploit, Microsoft, Infostealer ..., Phishing, Windows, Loader, Bot, Fraud, Encryption, Extortion, Exploits, Jira, MOVEit, Sandbox, Discord, Ukraine, Linux, Avast, Flashpoint, Remcos, Vulnerability, RAT, XSS (Cross S..., Backdoor, Malware Loader, Scams, eSentire, Bitdefender, Spyware, Exploit Kit
Associated Malware
ID | Type | Votes | Profile Description
Redline | Unspecified | 8 | RedLine is a notorious malware, discovered in March 2020, designed to exploit computer systems and steal sensitive personal information such as login credentials, cryptocurrency wallets, and financial data. It exports this stolen data to its command-and-control infrastructure. The malware has been u
Vidar | Unspecified | 7 | Vidar is a Windows-based malware written in C++, known as an infostealer due to its ability to steal personal information from infected systems. It has been leveraged by cybercriminals alongside other malicious software like Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoade
NETWIRE | Unspecified | 2 | NetWire is a type of malware, specifically a remote access trojan (RAT), that has been utilized for various malicious activities since at least 2014. Initially promoted as a legitimate tool for managing Windows computers remotely, NetWire was quickly adopted by cybercriminals and used in phishing at
Lummac2 | Unspecified | 2 | LummaC2 is a relatively new information-stealing malware, first discovered in 2022. The malicious software has been under active development, with researchers identifying LummaC2 4.0 as a dynamic malware strain in November 2023. It's been used by threat actors for initial access or data theft, often
Lokibot | Unspecified | 2 | LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information
Formbook | Unspecified | 2 | Formbook is a type of malware, or malicious software, that can infiltrate your computer or device through suspicious downloads, emails, or websites. Once it has infected a system, it can steal personal information, disrupt operations, and potentially hold data for ransom. The individual behind the R
Avemaria/warzonerat | Unspecified | 2 | None
Redline Stealer | Unspecified | 2 | RedLine Stealer is a malicious software that was used to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. In July 2023, Unit 42 conducted an analysis of a RedLine Stealer infection using Wireshark, a network protocol analyzer. The analysis in
Dridex | Unspecified | 2 | Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
Mars | Unspecified | 2 | Mars is a malicious software (malware) that has been discovered by Trend Micro's Mobile Application Reputation Service (MARS) team. This malware is particularly damaging as it involves two new Android malware families related to cryptocurrency mining and financially-motivated scam campaigns, targeti
Lockbit | Unspecified | 2 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to steal data or disrupt operations, often demanding ransom in return for the release of the compromised data. Notable incidents include the LockBit ransomware gang claiming to have stolen and subsequently leaking data f
Agenttesla | Unspecified | 2 | AgentTesla is a well-known remote access trojan (RAT) that has been used extensively in cybercrime operations. It infiltrates systems through various methods, including malicious emails and suspicious downloads. Once inside, it can steal personal information, disrupt operations, or hold data hostage
Lumma Stealer | Unspecified | 1 | Lumma Stealer is a malicious software, or malware, that targets cryptocurrency wallets and browser user data. It has been particularly prevalent in the gaming community, with cracked video games and cheating tools often found to contain infostealer malware such as Lumma Stealer and RedLine Stealer.
Privateloader | Unspecified | 1 | PrivateLoader is a notable malware that has been active since at least December 19, 2022. It acts as the first step in many malware schemes, often initiating an infection chain that leads to other malicious software. The malware can infiltrate systems through suspicious downloads, emails, or website
Qbot | Unspecified | 1 | Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over the years, it has evolved into an advanced malware strain used by multiple cybercriminal groups to compromise networks and prepare them for ransomware attacks. The firs
GuLoader | Unspecified | 1 | GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has
Xworm | Unspecified | 1 | XWorm is a multifaceted malware that poses a significant threat to computer systems. It provides threat actors with remote access capabilities, allowing them to exploit vulnerabilities in programs such as ScreenConnect client software. Additionally, XWorm has the potential to spread across networks,
Stealc | Unspecified | 1 | Stealc is a malicious software (malware) that specifically targets browser extensions and authenticators by password managers, growing in popularity on the dark web since its discovery in early 2023. It has been associated with significant cyber-attacks, such as the $7 million heist on the Solana bl
Aresloader | Unspecified | 1 | AresLoader is a type of malware that was first advertised for sale on the top-tier Russian-language hacking forum XSS in December 2022 by a threat actor named "DarkBLUP". This malicious software is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emai
Risepro | Unspecified | 1 | RisePro is a malicious software (malware) that was first discovered in December 2022. After a period of relative inactivity, it resurfaced in July 2023. This malware is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the u
Dotrunpex | Unspecified | 1 | DotRunpeX is a rapidly evolving and highly stealthy .NET injector malware that has gained significant attention from both security analysts and threat actors. It employs the "Process Hollowing" method to distribute a wide variety of other malware strains, including AgentTesla, ArrowRAT, AsyncRat, Av
AsyncRAT | Unspecified | 1 | AsyncRAT is a malicious software (malware) that targets computer systems to exploit and damage them, often infiltrating the system without the user's knowledge through suspicious downloads, emails, or websites. The malware operates by loading an executable which unpacks a DLL in memory, subsequently
Taurus | Unspecified | 1 | Taurus is a malicious software (malware) that has been associated with multiple cyber threat actors, notably Stately Taurus, Iron Taurus, and Starchy Taurus, all of which have connections to Chinese Advanced Persistent Threats (APTs). The malware is designed to infiltrate systems and steal personal
Thirdeye | Unspecified | 1 | ThirdEye is a type of malware, specifically an infostealer, that has been identified as a significant threat to Windows devices. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it steals personal information, disru
Titan | Unspecified | 1 | None
Agent Tesla | Unspecified | 1 | Agent Tesla is a form of malware, a malicious software designed to exploit and damage computer systems. It infiltrates the system often without the user's knowledge via suspicious downloads, emails, or websites, with the capability to steal personal information, disrupt operations, or hold data for
Farnetwork | Unspecified | 1 | Farnetwork, a notorious malware operator identified by cybersecurity researchers from Group-IB, has been active in the cybercrime scene since 2019. Known for deploying five different strains of ransomware, including its proprietary strain Nokoyawa, Farnetwork has collaborated with other cybercrimina
Vidar Stealer | Unspecified | 1 | Vidar Stealer is a form of malware, a malicious software designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold dat
Associated Threat Actors
ID | Type | Votes | Profile Description
Scattered Spider | Unspecified | 2 | Scattered Spider is a prominent threat actor group known for its malicious cyber activities. Their modus operandi includes searching SharePoint repositories for information, seeking to maintain persistence on targeted networks, and exfiltrating data for extortion purposes. The group primarily uses p
Orange Spain | Unspecified | 2 | Orange Spain, a major Spanish network provider, was disrupted by a cyberattack on January 3, 2024. The threat actor known as 'Snow' compromised Orange Spain's RIPE account, leading to significant internet outages. This incident underscores the vulnerability of critical internet infrastructure and hi
Muddled Libra | Unspecified | 1 | Muddled Libra is a notable threat actor known for its sophisticated use of cloud services, particularly Amazon Web Services (AWS) and Microsoft Azure, to execute cyberattacks. The group leverages legitimate cloud service provider (CSP) features to efficiently exfiltrate data. In AWS, Muddled Libra t
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Asyncrat Avemaria/warzonerat | Unspecified | 1 | None
Vidar Xworm | Unspecified | 1 | None
Netwire Privateloader | Unspecified | 1 | None
Redline Remcos | Unspecified | 1 | None
Lam | Unspecified | 1 | LAM, short for Linear Address Masking, is a vulnerability that resides in the software design or implementation of CPUs. The flaw was notably exploited by SLAM (Spectre-based on LAM), the first transient execution attack targeting future CPUs, as outlined by VUSec researchers in their white paper. S
Source Document References
Information about the Raccoon malware was drawn from the documents listed below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 4 months ago | Security Affairs newsletter Round 463 by Pierluigi Paganini
Securityaffairs | 4 months ago | Security Affairs newsletter Round 462 by Pierluigi Paganini
CERT-EU | 4 months ago | ChatGPT credentials snagged by infostealers on 225K infected devices
CERT-EU | 4 months ago | Alert: Info Stealers Target Stored Browser Credentials
Securityaffairs | 4 months ago | Security Affairs newsletter Round 461 by Pierluigi Paganini
BankInfoSecurity | 4 months ago | Alert: Info Stealers Target Stored Browser Credentials
CERT-EU | 4 months ago | Ransomware crews lean into infostealers for initial access
CERT-EU | 4 months ago | Surge in ransomware, leaks and info stealers targeting Middle East and Africa – Intelligent CIO Middle East | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Securityaffairs | 5 months ago | Security Affairs newsletter Round 460 by Pierluigi Paganini
CERT-EU | 5 months ago | Alleged Raccoon Infostealer operator extradited, verification site set up for victims - Help Net Security
CERT-EU | 5 months ago | Alleged Raccoon Infostealer operator extradited, verification site set up for victims
Malwarebytes | 5 months ago | Raccoon Infostealer operator extradited to the United States | Malwarebytes
BankInfoSecurity | 5 months ago | Ukrainian Extradited to US Over Alleged Raccoon Stealer Ties
Securityaffairs | 5 months ago | A Ukrainian Raccoon Infostealer operator is awaiting trial in the US
Securityaffairs | 5 months ago | Security Affairs newsletter Round 459 by Pierluigi Paganini
BankInfoSecurity | 5 months ago | Ukrainian Behind Raccoon Stealer Operations Extradited to US
Securityaffairs | 5 months ago | Security Affairs newsletter Round 457 by Pierluigi Paganini
Securityaffairs | 6 months ago | Security Affairs newsletter Round 456 by Pierluigi Paganini
Securityaffairs | 6 months ago | Security Affairs newsletter Round 454 by Pierluigi Paganini
DARKReading | 6 months ago | Nigerian Businesses Face Growing Ransomware-as-a-Service Trade