Prague, Czech Republic, March 9, 2022 — Avast (LSE:AVST), a global leader in digital security and privacy, today published an analysis of Raccoon Stealer, a password stealer designed to steal login credentials from email clients and messengers, files from cryptowallets, and install downloader malware capable of installing further malware or install WhiteBackCrypt ransomware. The stealer uses the Telegram infrastructure to store and update command and control (C&C) addresses, from which it receives commands.

Raccoon Stealer’s Capabilities

Avast researchers have found that Raccoon Stealer is spread by downloaders called Buer Loader, but it is also distributed along with fake game cheats, patches for cracked software (including hacks and mods for Fortnite, Valorant, and NBA2K22), or other software. 

Raccoon Stealer is capable of stealing:

• Cookies, saved logins and form data from browsers
• Login credentials from email clients and messengers
• Files from crypto wallets
• Data from browser plugins and extension
• Arbitrary files based on commands from C&C

“Cybercriminals often buy installs, paying to get the malware of their choice loaded on devices by other malware already installed on these devices. They can then provide the same service to others, which is what we believe might be the case with Raccoon Stealer,” commented Vladimir Martyanov, malware researcher at Avast. “What’s interesting about Raccoon Stealer is its use of the Telegram infrastructure to store and update C&C addresses. We assume cybercriminals use Telegram not only because it is convenient but because it is unlikely that the channels will be taken down.”

Avast protects nearly 600,000 users around the world 

Avast blocked the most attack attempts in Brazil, Russia and Argentina. The actors behind Raccoon Stealer try to avoid infecting devices in Russia and Central Asia by checking the language used on the device. If the device is set to Russian or a Central Asian language, the stealer will stop and not perform any malicious activity. The attackers, however, use the spray and pray method to distribute the malware, which means that users in Russia or Central Asia can still come across the malware, and if their device is set to English, by default, their device could be infected. 

From March 3, 2021 - February 17, 2022, Avast protected nearly 600,000 users from Raccoon Stealer attacks. In Russia, Avast protected more than 40,000 users in the same time frame from the threat.

The full analysis of Raccoon Stealer can be found on the Avast Decoded blog: https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram/