Beware, seemingly harmless pirate software may harbor information stealer malware that do more than just mine sensitive data …

An information stealer malware, Raccoon Stealer, has been repurposed by cybercriminals to not only steal passwords, cookies and credit card data, but also for cryptomining and cryptocurrency crimes.

This was revealed by recent Sophos research on information stealers being secretly packaged along wih pirated software.

Information stealers fill an important niche in the cybercrime ecosystem. They offer a quick return on investment and represent an easy and cheap entry point for bigger attacks, said Sean Gallagher, a senior threat researcher at the cybersecurity firm.

“Cybercriminals often sell stolen identity credentials on ‘dark’ marketplaces, allowing other attackers, including ransomware operators or Initial Access Brokers, to take advantage of them for their own criminal intentions such as breaking into a corporate network through a workplace chat service. Or attackers can use credentials for further attacks targeting other users on the same platform. There is a constant demand for stolen user credentials, especially credentials providing access to legitimate services that attackers can use to easily host or spread more malware. Information stealers may look like lower-level threats, but they are not,” Gallagher added.

A nastier Raccoon

Raccoon Stealer is usually spread by spam email. However, in the campaign Sophos investigated, it was distributed through droppers that the operators disguised as cracked software installers.

These droppers bundled Raccoon Stealer with additional attack tools, including malicious browser extensions, YouTube click-fraud bots, and Djvu/Stop, a ransomware targeted primarily at home users.

The operators behind this Raccoon Stealer campaign also used the Telegram chat service for the first time, to establish command-and-control communications, according to Sophos researchers. “With much of daily and professional life now reliant on services delivered through a web browser, the operators behind information-stealing malware are increasingly targeting stored web credentials that provide access to a lot more than they could get by just stealing stored password hashes,” Gallagher observed.

“The campaign we’ve been tracking shows Raccoon Stealer grabbing passwords, cookies, and the ‘autofill’ text for websites, including credit card data and other personally identifying information that may be stored by a browser. Thanks to a recent ‘clipper’ update that changes the clipboard or destination information for a cryptocurrency transaction, Raccoon Stealer also now targets crypto-wallets, and it can retrieve or load files (such as additional malware) on infected systems. That’s a lot of stuff that cybercriminals can easily monetize for a service that is ‘rented out’ at US$75 for a week’s use.”

Standard cyber-precautions apply

Organizations that use online services for workplace chat and collaboration need to use multi-factor authentication (MFA) to protect employees’ accounts and ensure that all employees have up-to-date malware protection on any computer they access remote work-related services from.

Sophos advises consumers to install a security solution on the devices that they and their families use for online communications and gaming to protect everyone from malware and cyber threats.

Also, avoid downloading and installing unlicensed software from any source. Always check first to make sure it is legitimate.