Updated on 2022-11-04: Raccoon Stealer v1
Team Cymru’s S2 research team published a report on Thursday on the infrastructure used by the first iteration of the Raccoon Stealer malware. Researchers said that based on their analysis of the malware’s infrastructure, they tracked Raccoon’s server infrastructure to the city of Kharkiv, Ukraine, and also found that payment card data stolen from user systems through the Raccoon malware was sold on CC2BTC, an underground carding marketplace operated by the Raccoon gang themselves. CC2BTC went down in March, just like the entire Raccoon v1 operation, when one of its core devs, a Ukrainian national, was detained in the Netherlands. Read more:
- Inside the V1 Raccoon Stealer’s Den
- Newly Unsealed Indictment Charges Ukrainian National with International Cybercrime Operation
Updated on 2022-10-30: Ukrainian charged for operating Raccoon Stealer malware service
A 26-year-old Ukrainian national is charged over his involvement with the Raccoon data stealer malware, which bad actors can rent access to. The DOJ accuses Mark Sokolovsky of stealing millions of credentials and other forms of ID, such as email addresses, bank accounts and credit card numbers stolen from victims’ machines. The FBI set up a site “Have I Been Pwned”-style to let anyone check if their information was collected as part of the cache. Sokolovsky is currently awaiting extradition to the U.S. in a Dutch prison after he was arrested in March. Read more:
- Ukraine Documenting Russian Hacks, Eyeing International Charges
- US charges Ukrainian national over alleged role in Raccoon Infostealer malware operation
Updated on 2022-10-27: Raccoon Infostealer arrest and indictment
The US Department of Justice announced the March arrest of Mark Sokolovsky, a Ukrainian national for his role in the Raccoon Infostealer malware-as-a-service operation. Sokolovsky was arrested in the Netherlands in March and the FBI, Dutch and Italian authorities concurrently dismantled Raccoon’s infrastructure. Read more: Newly Unsealed Indictment Charges Ukrainian National with International Cybercrime Operation
Updated on 2022-10-26: Raccoon Stealer dev didn’t die in Ukrainian war; he was arrested in the Netherlands
Back in March, the administrator of the Raccoon Infostealer malware announced they were shutting down their service after “a friend and a great developer” who was responsible for maintaining critical parts of their infrastructure had been “lost” following Russia’s invasion of Ukraine, a month earlier.
But—surprise, surprise—it turns out that the developer didn’t die in the war, and he stopped responding to his co-workers because he was arrested in the Netherlands at the request of the FBI.
All of this came to light yesterday when the US Department of Justice unsealed charges against Mark Sokolovsky, 26, a Ukrainian national, for his role in maintaining the Raccoon Infostealer (also known as Raccoon Stealer) malware-as-a-service (MaaS).
The DOJ said that together with Dutch and Italian authorities, the FBI also seized servers operated by the Raccoon gang, effectively taking offline that older version of the Raccoon operation.
The Raccoon gang made a comeback three months later, in June, with version 2.0, most likely after they found a replacement for their “departed” colleague.
DOJ officials said the FBI found approximately 50 million unique user credentials stored on the seized Raccoon Infostealer servers, representing credentials stolen from the browsers of users infected by the Raccoon gang and their MaaS customers.
Authorities said they don’t believe they have the entire list of stolen credentials pilfered by the Raccoon operation, but they are making the entire data set searchable via a dedicated website, so users and companies can see if any of them got infected by the malware in the past and proceed to change credentials.
Updated on September 2022: Raccoon Stealer v2
Security firm CloudSEK published a technical report on the latest version of the RacoonStealer malware, also known as Recordbreaker. Read more: Recordbreaker: The Resurgence of Raccoon
Cybersecurity firm Zscaler published a technical analysis of the Racoon Stealer v2 malware. A similar report is also available from Sekoia.
Updated on June 2022: Raccoon Stealer is back
A new version of the Raccoon Stealer malware, dubbed V2, is being traded on underground cybercrime forums, per S2W Talon. The malware’s creator suspended operations in late March this year, claiming that a key developer died during Russia’s invasion of Ukraine.
Overview: Several new information-stealers pop up in wake of Raccoon’s shutdown
Threat actors are pivoting to several different, new information-stealing malware families in the wake of Raccoon Stealer shutting down. The creators of Raccoon Stealer, a malware available for purchase, announced it was ceasing operations after one of its developers died in the Russian invasion of Ukraie. Taking its place are several different “as a service” tools attackers can purchase access to infect targets and steal their personal information and login credentials. Security researchers have specifically called out FFDroider and Lightning Stealer, of stealing data and launching follow-on attacks by infiltrating the Telegram messaging app. The operators behind another malware, MarsStealer, claim they’ve received an uptick in requests after Raccoon’s shutdown.
