Bitcoin Forum
Author Topic: Raccoon: Infostealer type of malware including cryptocurrency wallets
TravelMug (OP)
February 27, 2020, 07:51:01 AM
Last edit: October 19, 2023, 04:25:22 AM by TravelMug
Merited by suchmoon (7), bones261 (2), Baofeng (1), DdmrDdmr (1)
 #1


A good read about this type of infostealer in the wild, including targeting specific crypto wallets:

Quote
Raccoon targets 29 chromium-based browsers including Google Chrome, Opera, etc. (full list below) that have the same folder structure and share a similar codebase, which leads to a similar way of handling sensitive data. The sensitive data in those browsers is saved in the same format and the “User Data” application folder contains the SQLite databases. Most of the stealers, like Raccoon, perform SQL queries using sqlite3.dll in order to get the user autologin passwords, credit card information, cookies and browser history.

Hard to get around this, since everyone uses some Chromium-based browser.

Quote
The stealer also relies on the same methodology for Mozilla based applications. Because these applications have the same method and folder structure, the stealing techniques for the applications are the same. The only difference is the names. The stealer targets four Mozilla-based browsers including Firefox and SeaMonkey, (full list below) and one Mozilla-based email client, ThunderBird. For those applications, the stealer extracts and decrypts sensitive data like username and password, cookies and history. It is important to mention that Raccoon also supports an older version of Mozilla based applications – it supports Firefox versions <32, for example. In order to do so, Raccoon downloads a zip file containing a lot of DLLs for decrypting protected data. By using functions from nss3.dll, the malware is able to decrypt and extract the data from the SQLite databases and the JSON login file.

And the same goes for Mozilla-based applications. It has the capability to extract and decrypt the data itself, pretty scary.

Quote
When looking for cryptocurrency wallets, Raccoon targets popular applications like Exodus, Jaxx and more. Like most stealers, Raccoon is looking for those wallet files in the default application locations, but it also has a wallet scanning feature that allows it to grab any wallet.dat file.

Now this is our main concern here: it also has the ability to scan for crypto-related wallets such as wallet.dat files and other web-based and online wallets. We can only equip ourselves with as much knowledge as we can and educate ourselves so that we don't become the next victims of these cyber criminals. Do everything on your end to prevent this; I'm sure everyone here has their own security measures, but I would just like to remind everyone to be very careful about the sites we are visiting, as this kind of attack vector usually starts with some form of phishing.

https://www.cyberark.com/threat-research-blog/raccoon-the-story-of-a-typical-infostealer/

Baofeng
February 27, 2020, 09:53:11 AM
 #2

As I have said in the past, this is going to be a continuous cat-and-mouse game for everyone involved in crypto. Lots of malware is being born every minute and it's really hard for us to really protect ourselves from these online thieves.

Education is a must: if you see that your browser is asking for updates, then check them out and see if there is an official release. Usually those releases are meant to combat new forms of malware.

squatter
February 27, 2020, 10:10:39 AM
 #3

Quote
As I have said in the past, this is going to be a continuous cat-and-mouse game for everyone involved in crypto. Lots of malware is being born every minute and it's really hard for us to really protect ourselves from these online thieves.

It's not that hard. Most attack vectors are defeated by offline key storage.

You can use a watching-only wallet on your online computer and sign your transactions offline. You could also use a hardware wallet -- the Ledger Nano S is under $60 now.

Saint-loup
March 02, 2020, 09:54:50 AM
 #4

Quote
As I have said in the past, this is going to be a continuous cat-and-mouse game for everyone involved in crypto. Lots of malware is being born every minute and it's really hard for us to really protect ourselves from these online thieves.

It's not that hard. Most attack vectors are defeated by offline key storage.

You can use a watching-only wallet on your online computer and sign your transactions offline. You could also use a hardware wallet -- the Ledger Nano S is under $60 now.

But here, the malware steals your logins and passwords from all the exchanges you are using, so even if you safely use a cold wallet, you can lose your funds stored on those exchanges...

snip
Unfortunately it doesn't explain how the malware decrypts the data. There is a weakness somewhere in these browsers if a malware is able to do that alone.

squatter
March 02, 2020, 09:59:24 PM
 #5

Quote
It's not that hard. Most attack vectors are defeated by offline key storage.

You can use a watching-only wallet on your online computer and sign your transactions offline. You could also use a hardware wallet -- the Ledger Nano S is under $60 now.

But here, the malware steals your logins and passwords from all the exchanges you are using, so even if you safely use a cold wallet, you can lose your funds stored on those exchanges...

We're talking about two different things. I was talking about the wallet stealing aspect of the malware.

If you store cryptocurrency on an exchange, it's obviously not in cold storage. In contrast, private keys held offline are not vulnerable to this malware.

Saint-loup
March 03, 2020, 05:32:15 PM
 #6

Quote
It's not that hard. Most attack vectors are defeated by offline key storage.

You can use a watching-only wallet on your online computer and sign your transactions offline. You could also use a hardware wallet -- the Ledger Nano S is under $60 now.

But here, the malware steals your logins and passwords from all the exchanges you are using, so even if you safely use a cold wallet, you can lose your funds stored on those exchanges...

We're talking about two different things. I was talking about the wallet stealing aspect of the malware.

If you store cryptocurrency on an exchange, it's obviously not in cold storage. In contrast, private keys held offline are not vulnerable to this malware.
Yes it's true, it shows how custodial wallets can be vulnerable. And even non-custodial web wallets, if you unintentionally save your private key in your browser. I think a good way to check if you are infected by this kind of malware is to use a honeypot, a decoy wallet with only a few cryptos on it.

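The OP's quoted description (sqlite3.dll and nss3.dll loads, reads of the Chromium "User Data" SQLite stores and Mozilla profile files, scanning for wallet.dat) and the decoy-wallet idea above can be turned into a simple host-side check. This is an added example, not part of the thread or of the CyberArk write-up; it runs over constructed Sysmon-style events whose field names, the allowlisted browser process names and the decoy path are all assumptions.

```python
import re

# Assumed allowlist: processes that legitimately open their own credential stores.
BROWSERS = {"chrome.exe", "msedge.exe", "opera.exe", "brave.exe",
            "firefox.exe", "seamonkey.exe", "thunderbird.exe"}
# DLLs named in the write-up: sqlite3.dll to query the stores, nss3.dll to decrypt Mozilla data.
STEALER_DLLS = {"sqlite3.dll", "nss3.dll"}
# Chromium "User Data" SQLite stores and the Mozilla profile files a stealer reads.
STORE_RE = re.compile(r"\\User Data\\.*\\(Login Data|Cookies|Web Data)$"
                      r"|\\Profiles\\.*\\(logins\.json|key4\.db|cookies\.sqlite)$", re.I)
# Decoy wallet (the honeypot idea from the thread): nothing legitimate ever opens it.
DECOY_WALLET = r"c:\users\alice\documents\old-wallet\wallet.dat"  # constructed path

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return a reason string if the event matches a stealer pattern, else None."""
    proc = image_name(ev["Image"])
    if ev["Event"] == "ImageLoad":
        dll = image_name(ev["ImageLoaded"])
        if dll in STEALER_DLLS and proc not in BROWSERS:
            return f"{proc} loaded {dll} outside a browser"
    elif ev["Event"] == "FileAccess":
        target = ev["TargetFilename"]
        if target.lower() == DECOY_WALLET:
            return f"{proc} opened the decoy wallet.dat"
        if STORE_RE.search(target) and proc not in BROWSERS:
            return f"{proc} read browser store {target}"

def scan(events):
    """Run every event through check_event and keep the (image, reason) findings."""
    return [(ev["Image"], r) for ev in events if (r := check_event(ev))]

# Constructed telemetry: Chrome reading its own store is benign; an unknown binary in
# %TEMP% doing the same, loading nss3.dll and touching the decoy wallet is not.
TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\setup.exe"
LOGIN_DATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"Event": "FileAccess", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": LOGIN_DATA},
    {"Event": "FileAccess", "Image": TEMP_EXE, "TargetFilename": LOGIN_DATA},
    {"Event": "ImageLoad", "Image": TEMP_EXE,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\nss3.dll"},
    {"Event": "FileAccess", "Image": TEMP_EXE,
     "TargetFilename": r"C:\Users\alice\Documents\old-wallet\wallet.dat"},
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {reason} ({image})")
```

The decoy rule is the cheapest of the three: any open of a file no real wallet software knows about is a finding on its own, with no allowlist to maintain.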
Lafu
March 03, 2020, 06:45:21 PM
 #7

You can also look for some information and research here too:

https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon

Quote
Raccoon is a stealer and collects "passwords, cookies and autofill from all popular browsers (including FireFox x64),
CC data, system information, almost all existing desktop wallets of cryptocurrencies".

Source : https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon

Reminds me of when I started here on the forum and downloaded a wallet, and it was infected with some kind of stealer software.
Most of my wallet accounts and exchange accounts got hacked instantly, within 5 min.
Lost a good amount on that.
2FA and different email addresses for other platforms should be used, and for sure check 3 times what you download and where you download it from.


Saint-loup
March 03, 2020, 09:50:15 PM
 #8

Quote
You can also look for some information and research here too:

https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon

Quote
Raccoon is a stealer and collects "passwords, cookies and autofill from all popular browsers (including FireFox x64),
CC data, system information, almost all existing desktop wallets of cryptocurrencies".

Source : https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon

Reminds me of when I started here on the forum and downloaded a wallet, and it was infected with some kind of stealer software.
Most of my wallet accounts and exchange accounts got hacked instantly, within 5 min.
Lost a good amount on that.
2FA and different email addresses for other platforms should be used, and for sure check 3 times what you download and where you download it from.

Wow, I wasn't aware of that. When Kenzawak was hacked the 2nd time, they also withdrew all his funds from exchanges and took control of his email box and btctalk account (to ask for loans).
He didn't understand where it came from, but it's certainly something like that, because I saw he didn't hesitate to download and install this kind of thing.

Lafu
March 03, 2020, 09:58:31 PM
 #9

Quote
He didn't understand where it came from, but it's certainly something like that, because I saw he didn't hesitate to download and install this kind of thing.

It's possible that this happened to him with some kind of stealer like Raccoon.
There are so many different versions of it and also so much other stealer software.
Trojans and malware today also include something like that.

Because it happened to me ages ago, that's why I fight against the guys that post it and spread that kind of thing.
So that users and newbies don't get in trouble or lose their money and things like I did once.
