Tuesday, April 29, 2025
HomeMalwareRussian Hackers Compromised 100,000+ Computers Using Raccoon Malware Via Fallout & RIG...

Russian Hackers Compromised 100,000+ Computers Using Raccoon Malware Via Fallout & RIG Exploit Kits

Published on

SIEM as a Service

Follow Us on Google News

Researchers uncovered an information-stealing malware called Raccoon that delivered by the Fallout and RIG Exploit Kits to steal sensitive data from compromised victims’ devices.

Raccoon malware reportedly hacked more than 100,000 computers around the world since April 2019, and the malware believed to be delivered from a team of Russian hackers.

Malware doesn’t use any stealthy infection technique, and it steals the various sensor data such as important data, including credit card information, cryptocurrency wallets, browser data, and email credentials

- Advertisement - Google News

Malware authors selling the Raccoon malware as a malware-as-a-service model in underground forums, and become one of the top 10 most-referenced malware on the market in 2019.

Also, the actors providing support for the buyer and handling the malware is a quick-and-easy way to make money stealing sensitive data without a huge personal investment.

The raccoon is written in C++ and is developed to compromise both 32 and 64-bit operating systems, and it is mainly used the exploit kits to deliver into victims’ machines.

Researchers from cybereason found a strong indication of this malware that infected hundreds of thousands of endpoints globally across organizations and individuals in North America, Europe, and Asia.

Some indication refers that the malware attribute to the well-known member, glad0ffAlexuiop1337 – authors of predator stealer and the further analyse found Raccoon stealers database in February of 2019 that was created by glad0ff, and the person or team activity advertising this malware in an underground forum.

In an underground forum where this malware being advertised, many individuals write reviews for Raccoon, and the malware authors also have written a detailed write up about the Raccoon in a blog post.

Raccoon Malware Infection Process

Threat actors choose defect medium including exploit kits, phishing attacks, and bundled malware to deliver the Raccoon malware.

Exploit kits are developed to trigger the vulnerabilities in the target system while the victims browsing online and visiting malicious sites from where the exploit code will be delivered into the victim’s devices without any sort of user interaction.

The attacker initially leverages the Fallout exploit kit that helps to spawn the malicious PowerShell script from IE and connect to the remote server to download the main payload.

Raccoon Malware
Fallout exploit kit delivers Raccoon (credits: cybereason )

In another scenario, Attackers using phishing and social engineering techniques to trick users into executing malicious content that delivered via email with an attached malicious word or PDF document.

“attackers use an email with an attached Word document. Upon opening the Word document and enabling macros, the macro code creates a connection to a malicious domain and downloads the main payload of the info stealer.”

Raccoon Malware
Phishing email delivers Raccoon

Once the loader successfully executed in the targeted machine, Raccoon unpacks itself and connect to the c2 server to verify the Raccoon’s Bot ID, it downloads a compressed zip file with multiple different DLLs.

Later it checks the infected device local setting to confirm the language whether it matches the following language: Russian, Ukrainian, Belarussian, Kazakh, Kyrgyz, Armenian, Tajik, and Uzbek. if it doesn’t match then the malware aborts itself.

Finally, its perform various stealing operation such as screen capture of the target machine, collects system information such as username, IP address, language settings, OS version, information on installed apps, and CPU and memory information, stealing the browser information, extract the outlook account information, stealing the cryptocurrency wallets.

“As malware authors choose to develop MaaS, they must partake in many of the same activities as a legitimate SaaS business: marketing efforts, relying on positive reviews, responsive customer support, and regularly improving features in their product. We only expect this trend to continue into 2020 and push the evolution of MaaS forward.”cybereason concluded.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

CISA Adds Broadcom Brocade Fabric OS Flaw to Known Exploited Vulnerabilities List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent security advisory...

CISA Issues Warning on Commvault Web Server Flaw Exploited in the Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert concerning...

RansomHub Ransomware Deploys Malware to Breach Corporate Networks

The eSentire’s Threat Response Unit (TRU) in early March 2025, a sophisticated cyberattack leveraging...

19 APT Hackers Target Asia-based Company Servers Using Exploited Vulnerabilities and Spear Phishing Email

The NSFOCUS Fuying Laboratory’s global threat hunting system identified 19 sophisticated Advanced Persistent Threat...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

RansomHub Ransomware Deploys Malware to Breach Corporate Networks

The eSentire’s Threat Response Unit (TRU) in early March 2025, a sophisticated cyberattack leveraging...

Advanced Multi-Stage Carding Attack Hits Magento Site Using Fake GIFs and Reverse Proxy Malware

A multi-stage carding attack has been uncovered targeting a Magento eCommerce website running an...

Hannibal Stealer: Cracked Variant of Sharp and TX Malware Targets Browsers, Wallets, and FTP Clients

A new cyber threat, dubbed Hannibal Stealer, has surfaced as a rebranded and cracked...