With business email compromise (BEC) attacks on the rise, security researchers have been working to blunt attackers' tools. Adding new rules to anti-spam filters has blocked a large share of these attacks, but cybercriminals should never be underestimated. According to research published by Cofense, a malware strain dubbed "Raccoon Stealer" is slipping past email security gateways from Symantec and Microsoft.
According to the Cofense blog post, Raccoon Stealer is a relatively simple piece of malware sold on the Dark Web, with English- and Russian-language offerings. It is even sold with 24/7 customer support, as odd as that sounds. The malware is also versatile and can be deployed in several ways. In the campaign described here, which surfaced in April 2019, the operators packaged Raccoon Stealer inside an .IMG disk image hosted on Dropbox. Windows 8 and later mount such images natively on double-click, so the victim is simply presented with a drive letter containing the executable rather than an obviously suspicious attachment.
How Raccoon Stealer actually operates, and how its delivery slips past the filters, is worth a closer look. Cofense researchers describe the process in the following excerpt from their blog post:
In this most recent campaign, a potentially compromised email account was used to send the email... which managed to make its way past Symantec Email Security and Microsoft EOP gateways without the URL being removed or tampered with to the extent that it would prevent victims from clicking on it and downloading the payload... Although not particularly advanced or subtle with its network activity and processes, the malware can quickly gather and exfiltrate data as well as download additional payloads... The payload URLs currently deliver a set of DLLs, as specified by the “attachment url” and “libraries” parameters, but future development could easily allow threat actors to use Raccoon Stealer as a loader for other malware to generate additional income.
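The delivery described above (a phishing email carrying a link to a disk image on Dropbox that the gateways let through unmodified) is something a mail filter can flag on its own. The following is an added example, not code from Cofense or from the original page: a small link classifier run over constructed sample messages. The Dropbox host is the one the page names; the dropboxusercontent.com CDN host, the extra disk-image extensions (.iso, .vhd, .vhdx) and the sample emails are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Dropbox is the host named in the campaign; dropboxusercontent.com is an
# assumed addition for direct-download links.
FILE_SHARING_HOSTS = ("dropbox.com", "dropboxusercontent.com")
# .IMG is the extension used in the campaign; the others are assumed
# equivalents that Windows also mounts on double-click.
DISK_IMAGE_EXTS = (".img", ".iso", ".vhd", ".vhdx")

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def extract_urls(text):
    """Pull http(s) URLs out of a plain-text body, trimming trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def on_file_sharing_host(hostname):
    """True if the hostname is, or is a subdomain of, a known file-sharing host."""
    host = (hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)


def classify_url(url):
    """Return None, 'disk_image' or 'disk_image_on_file_share' for one URL."""
    parsed = urlparse(url)
    # Share links keep the file name in the path (e.g. /s/<id>/Invoice.img?dl=1),
    # so the query string is ignored and only the path suffix is tested.
    if not parsed.path.lower().rstrip("/").endswith(DISK_IMAGE_EXTS):
        return None
    if on_file_sharing_host(parsed.hostname):
        return "disk_image_on_file_share"
    return "disk_image"


def scan_email(body):
    """Return [(url, verdict)] for every suspicious link in one message body."""
    hits = []
    for url in extract_urls(body):
        verdict = classify_url(url)
        if verdict:
            hits.append((url, verdict))
    return hits


# Constructed sample messages, not real campaign data.
SAMPLE_EMAILS = [
    {"subject": "Invoice attached",
     "body": "Please review: https://www.dropbox.com/s/ab12cd34/Invoice_0419.img?dl=1 Thanks"},
    {"subject": "Meeting notes",
     "body": "Notes are at https://www.dropbox.com/s/xy98/notes.pdf?dl=0"},
    {"subject": "Fwd: scan",
     "body": "Scanned doc: https://example.com/files/scan.ISO."},
]


def scan_mailbox(emails):
    """Map subject -> hits for every message with at least one suspicious link."""
    report = {}
    for msg in emails:
        hits = scan_email(msg["body"])
        if hits:
            report[msg["subject"]] = hits
    return report


if __name__ == "__main__":
    for subject, hits in scan_mailbox(SAMPLE_EMAILS).items():
        for url, verdict in hits:
            print(f"{verdict:26} {subject!r}: {url}")
```

The two-tier verdict matters in practice: a disk image on any host is worth a warning banner, while a disk image on a file-sharing host that the gateway passed through untouched is the exact pattern Cofense describes and deserves quarantine. Note that this checks only the link text; a redirector or a share link whose file name is not in the path would need the target fetched and inspected.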
What makes Raccoon Stealer notable is that it is versatile without being complex. An operator does not need to be an expert programmer to use it, which should concern security professionals. It can be detected and blocked in its current form, but it is under continuous development to meet demand from criminal customers around the world, so it is a moving target. Given how lucrative it is for its developers and the threat actors who buy it, Raccoon Stealer is very likely here for the long haul.
Featured image: Flickr / Goran Vlacic