Full Report
Ukrainian national Mark Sokolovsky was sentenced Wednesday to five years in federal prison for his role in operating Raccoon Infostealer malware, which infiltrated millions of computers worldwide to steal personal data. According to court documents, Sokolovsky, 28, was integral to operations that allowed the leasing of Raccoon Infostealer for $200 per month, payable via cryptocurrency. […] The post Ukrainian sentenced to five years in jail for work on Raccoon Stealer appeared first on CyberScoop.
Analysis Summary
# Tool/Technique: Raccoon Stealer (Raccoon Infostealer)
## Overview
Raccoon Stealer is a potent information-stealing malware designed to infiltrate computers and exfiltrate sensitive user data, including login credentials, financial information, and personal records. It was aggressively marketed and leased to cybercriminals globally for illicit activities such as fraud, identity theft, and ransomware operations.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Windows (Inferred, typical for this class of malware)
- Capabilities: Steals login credentials, financial information, and other personal records; leased on a subscription basis (previously $200/month).
- First Seen: Not stated in the text; the activity described predates March 2022, when a key operator was arrested and the operation was disrupted, with a resurgence reported by June 2022.
## MITRE ATT&CK Mapping
*Note: Specific TTPs for stealer malware generally fall under Collection and Credential Access.*
- **TA0001 - Initial Access**
- **T1566 - Phishing** (operators predominantly delivered the malware to victims through phishing schemes)
- **TA0006 - Credential Access**
- **T1555 - Credentials from Password Stores** (stolen login credentials; browser-saved passwords fall under sub-technique T1555.003, Credentials from Web Browsers)
- **TA0009 - Collection**
- **T1005 - Data from Local System** (extraction of financial information and personal records from the victim's machine)
- **TA0010 - Exfiltration**
- **T1041 - Exfiltration Over C2 Channel** (inferred: the text describes exfiltration of the stolen data but does not name the channel)
## Functionality
### Core Capabilities
- **Data Theft:** Extraction of stored login credentials, financial information, and personal records from compromised systems.
- **Monetization:** Successfully leased to threat actors for approximately $200 per month, payable in cryptocurrency.
- **Distribution:** Primarily deployed via phishing schemes targeting unsuspecting victims.
### Advanced Features
- **International Reach:** Infiltrated millions of computers worldwide, facilitating widespread fraud and identity theft.
- **Pivotal Role:** The malware was described as enabling "amateurs to commit significant cybercrimes."
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Not provided in the text]
- Registry Keys: [Not provided in the text]
- Network Indicators: [Not provided in the text; expect C2 traffic carrying the exfiltrated data]
- Behavioral Indicators: Successful execution leads to the collection of credentials, followed by potential exfiltration; associated with fraud, identity theft, and ransomware attacks.
## Associated Threat Actors
- Mark Sokolovsky (Alias: “Photix,” “raccoonstealer,” “black21jack77777”) - Integral operator of the leasing infrastructure.
## Detection Methods
- Signature-based detection: Not specified in the text; AV/EDR signatures for known Raccoon samples are the standard starting point, with the caveat that stealer builds are repacked frequently, so signatures alone lag behind.
- Behavioral detection: A process other than the owning browser or wallet application reading browser credential and cookie databases (Chromium `Login Data` and `Cookies`, Firefox `logins.json` and `key4.db`) or cryptocurrency wallet files, especially one process sweeping several such stores in quick succession, followed by outbound connections to an unfamiliar host.
- YARA rules: Not provided in the text.
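The behavioral detection above can be expressed as a rule over endpoint file-access telemetry. The block below is an added example, not code from the original page, from CyberScoop, or from any Raccoon Stealer analysis; the event format (`pid`, `image`, `target`), the path patterns, and the process names are assumptions, and the sample events are constructed rather than captured.

```python
"""Behavioural infostealer detection over file-access telemetry.

Added example; not code from the original page, from CyberScoop, or from the
Raccoon Stealer operators. It assumes Sysmon/EDR-style events with three
fields (pid, image, target). File paths and process names are illustrative
assumptions; the sample events below are constructed, not captured.
"""
import json
import re
from collections import defaultdict

# Credential stores and wallet files an infostealer sweeps, matched against
# lowercased Windows paths. Chromium browsers keep saved logins in
# "Login Data" and cookies in "Cookies"; Firefox keeps them in logins.json
# plus key4.db inside a profile directory. Wallet paths are assumptions.
SENSITIVE_PATTERNS = {
    "chromium_logins": re.compile(r"\\user data\\[^\\]+\\login data$"),
    "chromium_cookies": re.compile(r"\\user data\\[^\\]+\\(network\\)?cookies$"),
    "firefox_logins": re.compile(r"\\profiles\\[^\\]+\\(logins\.json|key4\.db)$"),
    "wallet": re.compile(r"\\(electrum|exodus)\\.*wallet|wallet\.dat$"),
}

# Binaries expected to open their own store; anything else opening it is suspect.
LEGITIMATE_OWNERS = {
    "chromium_logins": {"chrome.exe", "msedge.exe", "brave.exe"},
    "chromium_cookies": {"chrome.exe", "msedge.exe", "brave.exe"},
    "firefox_logins": {"firefox.exe"},
    "wallet": {"electrum.exe", "exodus.exe"},
}


def classify_path(path):
    """Return the sensitive-store category a path belongs to, or None."""
    normalised = path.lower().replace("/", "\\")
    for category, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(normalised):
            return category
    return None


def analyse(events):
    """Return one alert per process that reads stores it does not own.

    A process touching stores of two or more different applications is
    rated high: that sweep across browsers and wallets is the stealer
    pattern, whereas a single access may be a backup or sync tool.
    """
    touched = defaultdict(set)     # (pid, image) -> categories accessed
    paths = defaultdict(list)      # (pid, image) -> paths, for the analyst
    for event in events:
        category = classify_path(event["target"])
        if category is None:
            continue
        image = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image in LEGITIMATE_OWNERS[category]:
            continue
        key = (event["pid"], image)
        touched[key].add(category)
        paths[key].append(event["target"])

    alerts = []
    for (pid, image), categories in touched.items():
        alerts.append({
            "pid": pid,
            "image": image,
            "categories": sorted(categories),
            "severity": "high" if len(categories) >= 2 else "medium",
            "paths": paths[(pid, image)],
        })
    return sorted(alerts, key=lambda alert: alert["pid"])


# Constructed sample telemetry: one stealer-like sweep (pid 4412), one single
# wallet read (pid 7777), and benign accesses by the owning browsers.
SAMPLE_EVENTS = [
    {"pid": 1200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4412, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4412, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"pid": 4412, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default\logins.json"},
    {"pid": 4412, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"pid": 5120, "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
    {"pid": 6001, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default\key4.db"},
    {"pid": 7777, "image": r"C:\Users\alice\Downloads\invoice.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Electrum\wallets\default_wallet"},
]

if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_EVENTS), indent=2))
```

Run directly, the script prints two alerts: `update.exe` rated high because it read Chromium logins and cookies, a Firefox profile, and a wallet in one sweep, and `invoice.exe` rated medium for a lone wallet read. The owner allow-list is deliberately narrow; in production it would be extended with backup and sync agents observed in the environment, and the cross-application sweep is what separates a stealer from those tools.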
## Mitigation Strategies
- **Phishing Defense:** User training to recognize and report phishing, backed by mail filtering, since phishing was the primary delivery route.
- **Multi-Factor Authentication (MFA):** MFA limits the value of stolen passwords; note that stealers of this class also collect browser session cookies, which can bypass MFA, so active sessions should be revoked when an infection is suspected.
- **Credential Hygiene:** Discourage saving passwords in the browser in favor of a dedicated password manager, and rotate credentials exposed on an infected host.
- **Law Enforcement Action:** International cooperation led to the disruption of the operation and the arrest of key personnel.
## Related Tools/Techniques
- General Infostealers (e.g., Vidar, Formbook, RedLine Stealer)
- Ransomware operations (as Raccoon Stealer's stolen data was used to facilitate these attacks)