December 28, 2022 By Jonathan Reed 3 min read

On October 5, 2022, a newly unsealed federal grand jury indictment charged Ukrainian national Mark Sokolovsky, 26, for his alleged role in a global cyber operation known as Raccoon Infostealer. For years this malware has infected millions of computers, compromising at least 50 million credentials across the globe.

Racoon Infostealer operator awaits extradition

As of late October, Sokolovsky was being held in the Netherlands awaiting an extradition request by the United States. As per the DOJ, Sokolovsky is accused of operating, along with others, the Raccoon Infostealer Malware-as-a-Service. Actors signed up to use Raccoon Infostealer for approximately $200 per month, paid for by cryptocurrency.

The malicious service used methods such as email phishing to install malware that steals personal data. The FBI stated that the malware exfiltrated log-in credentials, financial information and other personal records. Malicious actors could then use the stolen data to commit financial fraud, or sell it on cyber forums.

Massive Malware-as-a-Service scam

Raccoon Infostealer has been one of the most prolific information stealers to date. The stealer’s popularity is due to its wide range of capabilities, customizability and ease of use. Active since April 2019, the cyber gang behind Raccoon halted service in March. Court documents show that Sokolovsky’s arrest and the takedown of the malware’s infrastructure led to the temporary shutdown.

Now, a second version of Raccoon Stealer written in C/C++ has surfaced on underground forums as of June 2022. The threat group posted a message on Telegram saying, “It is so fast and simple that … it will not be difficult for a child to learn how to process logs”.

According to the FBI, the malware facilitated the theft of approximately 50 million unique credentials and forms of identification. The data includes email addresses, bank accounts, cryptocurrency addresses and credit card numbers.

The FBI has even put up a web page where users can check if their email has been compromised by Raccoon Infostealer.

Thwarting Malware-as-a-Service

Services like Raccoon Infostealer spread the use of malignant attack tools. This amplifies the threat as even those without technical skills can launch attacks.

Although malware continues to plague organizations worldwide, protection is possible. Some effective malware mitigation methods include:

  • Training: Users are the first line of defense in an organization’s malware protection strategy. Formal training enables users to further minimize the risk of malware and other cybersecurity threats.
  • SOAR (security orchestration, automation and response): SOAR integrates and coordinates disparate security tools, enabling semi- or fully-automated “playbooks” for responding to potential or actual threats.
  • EDR (endpoint detection and response): EDR collects data continuously from all network endpoints, such as computers, servers, mobile devices and IoT devices. EDR correlates and analyzes the data to detect known threats or suspicious behaviors.
  • XDR (extended detection and response): XDR integrates security tools across an organization’s entire hybrid IT infrastructure — including endpoints, networks, email, applications, cloud workloads and more. XDR interoperates and coordinates cyber threat prevention, detection and response.

Although one of its leaders was indicted, Raccoon Infostealer continues to operate. While law enforcement efforts continue, companies must continue to defend themselves.

If you have questions and want a deeper discussion about the malware and prevention techniques, you can schedule a briefing here. Get the latest updates as more information develops on the IBM Security X-Force Exchange and the IBM PSIRT blog.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More cybersecurity threat resources are available here.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today