Skip Navigation
BlackBerry Blog
  1. BlackBerry Blog
  2. BlackBerry Prevents: Raccoon Infostealer

BlackBerry Prevents: Raccoon Infostealer

BLACKBERRY SPARK / 09.10.21 / The BlackBerry Research and Intelligence Team

Raccoon Infostealer is an information stealing malware variant made available to subscribers through a Malware-as-a-Service (MaaS) arrangement. It targets Windows® users, seeking out and stealing their stored credentials.

Raccoon’s authors retain full control of its source code and feature development. Through a TOR-based control panel, subscribers have access to a “clean” build, which they can modify to customize its deployed configuration.

Harvested information will likely find value and potential buyers in underground forums hosted on the dark web. Examples of stolen information that could be sold or used for nefarious purposes include: credentials for file hosting that could be used to store and distribute other malware; corporate network access sold to ransomware groups; crypto wallets; and email addresses that could be used to contribute to current or future malspam campaigns.

VIDEO DEMO: BlackBerry vs. Raccoon Infostealer

BlackBerry Cyber Suite and BlackBerry Guard stop these attacks.

BlackBerry customers can feel confident that our AI-driven BlackBerry® Cyber Suite, as well as our Managed Detection & Response (MDR) solution BlackBerry® Guard, are well-equipped to mitigate the risks posed by threat actors such as those behind Raccoon infostealer: 

  • BlackBerry® Protect provides automated malware prevention, application and script control, memory protection, and device policy enforcement. 
  • BlackBerry® Optics extends the threat prevention by using artificial intelligence (AI) to prevent security incidents. It provides true AI incident prevention, root cause analysis, smart threat hunting, and automated detection and response capabilities.  
    • BlackBerry recommends activating the following BlackBerry Optics rules to provide additional telemetry from a Raccoon malware attack:  
      • Win_cmd_cmdc_MITRET1059
      • Win_DelErase_Usage_MITRET1107
  • The BlackBerry® Mobile Threat Defense (MTD) solution prevents and detects advanced malicious threats at the device and application levels. It combines the mobile endpoint management capabilities of BlackBerry® Unified Endpoint Manager (UEM) with advanced AI-driven threat protection, to get in front of malicious cyberattacks in a Zero Trust environment. 
  • BlackBerry® Persona creates trust based on behavior analytics, app usage, and network and process invocation patterns. It uses adaptive risk scoring to provide continuous authentication. 
  • BlackBerry Guard customers are proactively protected from Raccoon malware attacks. Our 24/7 MDR solution customers receive:  
    • Alerts monitored in real-time  
    • Corrective policies applied while discovering gaps in policy implementation  
    • Prioritized threat hunting  
    • The latest threat intelligence for fast-moving threats  

Prevention First

At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill-chain. 

By stopping malware at this stage, BlackBerry® solutions help organizations increase their resilience. It also helps to reduce infrastructure complexity and streamline security management, ensuring your business, people and endpoints are secure. 

BlackBerry Assistance

The BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure. 

For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form. 

Learn more about Raccoon Infostealer in our new deep-dive blog, Keep Your Paws Off My Data, Raccoon Infostealer.

Demo Video Transcription

“In this video, we will demonstrate the features of Raccoon, an infostealer offered as a Malware-as-a-Service (MaaS) for criminals. It has the ability to collect the victim’s passwords, cookies, autofill data from all popular browsers, credit card data, cryptocurrency wallets, and more. Typically, it appears as a pirated or cracked version of legitimate software.

In this demo video, we have configured our machine in audit-only mode, so we can execute the same sample we analyzed in more detail on our recent deep-dive Threat Thursday blog for this threat.

Upon execution, you can see how Raccoon is oriented to be a silent malware that does not appear to affect the regular user experience. One of its main features is the ability to run most of its data collection process from memory; with our Memory Protection module we are to intercept this behavior.

If we conduct some root-cause analysis on this event, we can quickly see the process that occurs behind the scenes in memory.

First, it makes a series of DNS requests for its command-and-control server (C2), and as soon as it establishes a connection, migrates into operating system (OS) processes.

Right after that, it starts looking for credential information on any installed Internet browsers as well as collecting information to fingerprint the system, identify running processes, and more.

Administrators can configure BlackBerry Optics’ automated response within our Context-Analysis Engine (CAE) to proactively respond to each one of these tactics, techniques and procedures (TTPs) and stop this threat in the earliest stage possible.

We can also intercept memory access with our Memory Protection module on BlackBerry Protect, but nothing beats our Temporal Predictive Advantage, which allows us to prevent these threats from executing in a matter of milliseconds – with no reliance on cloud connectivity or frequent virus-signature updates.

Let's travel back in time to 2015 (using a Cylance® AI math model not updated since 2015) and test this sample, along with an additional 60+ samples of Raccoon to see what could have happened. We will execute a loop to go ahead and try to execute each file inside this folder.

As you can see, BlackBerry® Protect powered by Cylance AI could have prevented all these variants many years before they ever existed.

Prevention is Possible, with BlackBerry.”
The BlackBerry Research and Intelligence Team

About The BlackBerry Research and Intelligence Team

The BlackBerry Research and Intelligence team is a highly experienced threat research group specializing in a wide range of cybersecurity disciplines, conducting continuous threat hunting to provide comprehensive insights into emerging threats. We analyze and address various attack vectors, leveraging our deep expertise in the cyberthreat landscape to develop proactive strategies that safeguard against adversaries.

Whether it's identifying new vulnerabilities or staying ahead of sophisticated attack tactics, we are dedicated to securing your digital assets with cutting-edge research and innovative solutions.

Back