Raccoon Stealer, a type of malware designed to illegally obtain passwords, has come back with a vengeance. The malware has returned to hacker forums on the dark web in a new and improved version. Dubbed Raccoon Stealer 2.0, the malware now offers threat operators elevated operational capacity and upgraded credential-stealing capabilities.

Credential-theft malware raises its head

The Raccoon Stealer malware operation was temporarily shut down earlier this year, in March. One of the group’s operators stated that the reason for shutting down was linked to one of its lead developers being killed in the Russian invasion of Ukraine.

However, the remaining members of the operation promised to come back with another version of Raccoon Stealer, and to relaunch the MaaS (malware-as-a-service) project with additional functionality on an upgraded infrastructure.

According to security analysts based at London’s Sekoia, the threat actors have now made good on their promises, as Raccoon Stealer 2.0 is currently being promoted on dark web forums, allowing early samples to be captured by cybersecurity analysts.

On June 2, project admins released a teaser that informed the cybercriminal community that the Raccoon Stealer 2.0 testing had been underway for a fortnight. The post added that the beta testing had been well received by its clients.

Designed for advanced password theft

According to the authors of the malware, the latest edition of Raccoon Stealer was built entirely from scratch and is written in C/C++. It now features a brand-new front end and back end, and upgraded code designed to steal user credentials, along with other types of data.

On June 8, cybersecurity analysts on social media platform Twitter discussed a new malware strain that had been recently detected and named it “RecordBreaker”. The analysts were unaware at the time that it was, in fact, the second iteration of Raccoon Stealer.

Technical analysis conducted by the team at Sekoia has now confirmed that the 56 KB sample discussed is the new edition of Raccoon Stealer. It can work on both 64-bit and 32-bit systems without dependencies, fetching only eight legitimate DLLs from the operation’s command and control (C2) servers.

The C2 additionally provides the credential-stealing malware with its specific configuration (URLs hosting the DLLs, applications to target and data exfiltration token), receives device fingerprint data and then awaits individual POST requests containing the stolen information.
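A behavioural hunt for the network pattern described above, as an added example that is not part of the original article or of Sekoia's analysis: it flags a client that downloads eight or more DLLs from one server and then sends POST requests to that same server. The log format, addresses, file names and the `dll_threshold` parameter are constructed assumptions.

```python
from collections import defaultdict

DLL_THRESHOLD = 8  # the article reports eight DLLs fetched from the C2

# Constructed sample proxy log (not real telemetry): "epoch client method host path"
SAMPLE_LOG = "\n".join(
    ["1000 10.0.0.5 POST 203.0.113.10 /"]
    + [f"{1001 + i} 10.0.0.5 GET 203.0.113.10 /dl/lib{i}.dll" for i in range(8)]
    + [
        "1010 10.0.0.5 POST 203.0.113.10 /upload",
        "1011 10.0.0.5 POST 203.0.113.10 /upload",
        # Benign look-alike: a single DLL download with no POST afterwards
        "1020 10.0.0.9 GET 198.51.100.7 /update/helper.dll",
        "1021 10.0.0.9 GET 198.51.100.7 /index.html",
    ]
)


def parse(line):
    """Split one log line into (timestamp, client, method, host, path)."""
    ts, client, method, host, path = line.split(maxsplit=4)
    return int(ts), client, method.upper(), host, path


def find_stealer_like_sessions(log_text, dll_threshold=DLL_THRESHOLD):
    """Return sorted (client, host, dll_count, posts_after) tuples that match."""
    dlls = defaultdict(set)    # (client, host) -> distinct DLL paths fetched
    last_dll_ts = {}           # (client, host) -> time of the latest DLL fetch
    posts = defaultdict(list)  # (client, host) -> POST timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path = parse(line)
        key = (client, host)
        if method == "GET" and path.lower().split("?")[0].endswith(".dll"):
            dlls[key].add(path.lower())
            last_dll_ts[key] = max(ts, last_dll_ts.get(key, ts))
        elif method == "POST":
            posts[key].append(ts)
    hits = []
    for key, paths in dlls.items():
        # POSTs sent after the library downloads are the exfiltration candidates
        after = [t for t in posts[key] if t > last_dll_ts[key]]
        if len(paths) >= dll_threshold and after:
            hits.append((key[0], key[1], len(paths), len(after)))
    return sorted(hits)


if __name__ == "__main__":
    for client, host, n_dll, n_post in find_stealer_like_sessions(SAMPLE_LOG):
        print(f"{client} -> {host}: {n_dll} DLL downloads, then {n_post} POSTs")
```

Because the DLLs are legitimate libraries, hash-based blocking will not catch the downloads; the sequence of requests to one destination is what this heuristic keys on.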

The user data that has been stolen so far by Raccoon Stealer 2.0 includes saved credit card details, cookies, browser passwords, autofill data, basic system fingerprinting information, screenshots, lists of installed applications and individual files that are located on all disks. It can also steal data from cryptocurrency extensions for web browsers and wallets such as MetaMask, BinanceChain, TronLink, Ronin, Atomic, Exodus, JaxxLiberty, Coinomi, Binance, Electrum-LTC, Electrum and ElectronCash.

The operators behind Raccoon Stealer have claimed that the exfiltrated data is also being encrypted; however, Sekoia did not observe any such functionality in the sample its team analysed.

Raccoon Stealer’s absence from the dark web market has been exceptionally short, ensuring that neither interest in its malicious product nor its reputation has declined.