Simple Yet Effective, Raccoon Malware Making Inroads among Cyber Criminals

This easy-to-use Trojan malware isn't fancy but it's nonetheless rapidly gaining customers in the cyber underworld

Cyber criminals are generally a more tech savvy lot than they were a decade ago. But they still don’t need PhDs in computer science to wreak havoc.

Case in point: The sharp increase in the number of attacks featuring a relatively basic malware program called Raccoon that cyber criminals have deployed to abscond with the personal financial information of its victims. 

While Raccoon, which first got noticed this past April, may not be the most sophisticated piece of criminal malware ever developed – the code is written in C++ and works on both 32-bit and 64-bit operating systems – it nonetheless gets the job done.

Once downloaded, Raccoon is able to steal information from browsers, monitor emails and even cryptocurrency wallets.

Cyber researchers say that Raccoon is aggressively marketed for $200 a month on Dark Web forums, where it’s being offered as ‘malware-as-a-service’ for use against web users. The most recent estimate put the number of victims around the world at around 100,000 – and growing.

That’s quite a track record for a piece of malware dismissed by some for having a relatively limited feature set. Despite the reputation issues, Raccoon is a reliable niche weapon that offers a way for nontechnical attackers to get up and running quickly. That’s a big change from the recent past when the biggest risks came from perpetrators who were often more technically advanced than

What’s more, anecdotal testimonials given by traffickers in the underground community suggest that Raccoon’s development team provides reliable customer service. Researchers describe the operation as being responsive, with quick replies to questions and comments on underground forums.

It’s still unclear who or what group is behind Raccoon. But there are possible clues about its origins. Once installed, Raccoon connects to a command-and-control server and steals information from the victim machine – but not if it detects that the device’s language settings are set to certain eastern European languages. If Raccoon finds a match, the malware will abort.

Raccoon doesn’t include a keylogger – for now, though that may soon change. Raccoon’s development team has responded to forum requests with hints that it may add a keylogging feature in the near future.

Viewed more broadly, Raccoon’s soaring popularity speaks volumes about the continuing commoditization of malware. In this case, the people who developed the malware wanted to create a platform that was simple, if not bare-bones, when compared to other information stealers.

But don’t make the mistake of treating this as something out of the annals of malware-for-dummies. Whatever feature richness Raccoon may lack is more than compensated for by its easy-to-deploy functionality. And the apparently professional nature of its support arm means that cyber criminals can always depend on hand-holding whenever they encounter technical problems.

The malware most often gets delivered through the deployment of exploit kits, phishing attacks containing an attached Word document, and bundled malware. Users can mitigate their risk of infection by applying software security patches when they become available. And as always, common sense is your best friend. So, think two or three times before downloading and opening any attachments sent over the Internet.

About the Author

Charles Cooper

Consulting Editor

Charles Cooper has covered technology and business for more than 25 years. He is now assisting Symantec with our blog writing and managing our editorial team.