Story image

'Trash Panda as a Service' has been upgraded to steal cryptocurrency

06 Aug 2021

Raccoon Stealer, a malware platform that rents out its services for $75 a week, has upgraded its services with an aim to steal cryptocurrency alongside financial information, according to a new report from Sophos.

The stealer disguises itself as pirated software to acquire cryptocurrencies and data while dropping malicious content, such as cryptominers, on targeted systems.

In its report, Trash Panda as a Service: Raccoon Stealer Steals Cookies, Cryptocoins and More, Sophos found that Raccoon Stealer changed its penetration tactic: instead of spreading through spam emails — the usual initial attack vector linked to the malware — it’s now distributed through droppers that the operators disguised as cracked software installers.

These droppers bundle Raccoon Stealer with additional attack tools, including malicious browser extensions, YouTube click-fraud bots, and Djvu/Stop, a ransomware targeted primarily at home users.

“With much of daily life now reliant on services delivered through a web browser, the operators behind information-stealing malware are increasingly targeting stored web credentials that provide access to a lot more than they could get by just stealing stored password hashes,” says Sophos senior threat researcher Sean Gallagher.

“The campaign we’ve been tracking shows Raccoon Stealer grabbing passwords, cookies, and the ‘autofill’ text for websites, including credit card data and other personally identifying information that may be stored by a browser. 

“Thanks to a recent ‘clipper’ update that changes the clipboard or destination information for a cryptocurrency transaction, Raccoon Stealer also now targets crypto-wallets, and it can retrieve or load files – such as additional malware – on infected systems,” says Gallagher.

“That’s a lot of stuff that cybercriminals can easily monetise for a service that is ‘rented out’ at $75 for a week’s use.”

The operators behind this Raccoon Stealer campaign also used the Telegram chat service for the first time for command-and-control communications, according to Sophos researchers.

“Information stealers fill an important niche in the cybercrime ecosystem,” says Gallagher. 

“They offer a quick return on investment and represent an easy and cheap entry point for bigger attacks.”

Cybercriminals often sell stolen identity credentials on ‘dark’ marketplaces, Gallagher says — allowing other attackers, including ransomware operators or Initial Access Brokers, to take advantage of them for their own criminal intentions. This can include breaking into a corporate network through a workplace chat service. 

“Attackers can use credentials for further attacks targeting other users on the same platform. There is a constant demand for stolen user credentials – especially credentials providing access to legitimate services that attackers can use to easily host or spread more malware,” concludes Gallagher. 

“Information stealers may look like lower-level threats, but they’re not.”

Recent stories
More stories