Raccoon Stealer Incident Response Guide
Incident Triage Steps
Within the first 30 minutes of a suspected Raccoon Stealer infection, your priorities are to confirm the incident, assess its scope, and determine whether data exfiltration occurred. Raccoon Stealer is an infostealer that harvests credentials and data from browsers, email clients, cryptocurrency wallets, and FTP clients and uploads them to a command-and-control (C2) server. The harvesting and upload typically complete within seconds of execution, so confirmation and credential-reset decisions cannot wait for a full forensic picture.
- Confirm the Infection: Immediately query your EDR solution and SIEM platform for known Raccoon Stealer indicators. Key behavioral alerts to look for include:
  - Processes accessing browser SQLite database files (like `Login Data`, `Cookies`, `Web Data`) in user profile directories (`%LocalAppData%\Google\Chrome\User Data\Default\`, `%AppData%\Mozilla\Firefox\Profiles\`). The browser itself legitimately opens these files; the alert is any other process doing so.
  - Processes reading files from cryptocurrency wallet directories (e.g., `%AppData%\Electrum\wallets`, `%AppData%\Zcash`).
  - Suspicious network connections to domains or IPs associated with Raccoon Stealer C2 infrastructure, often using HTTP/S POST requests with encrypted payloads.
- Identify Patient Zero and Scope: Use your EDR's process lineage feature to identify the initial compromised endpoint and the execution chain. Raccoon Stealer is often delivered via malicious email attachments (such as ISO, LNK, or PDF files), exploit kits, or bundled with pirated software. Pivot on the hash of the initial file and on the C2 addresses: trace every system that executed the same hash or communicated with the same C2 server, not only the systems that received the same email.
- Determine Data Exfiltration: Check your proxy, firewall, and DNS logs for connections to the identified C2 servers around the time of execution. Look for outbound POST requests carrying large, opaque request bodies. Review any data loss prevention (DLP) alerts for the unauthorized transfer of credential files or wallet.dat files. If exfiltration is confirmed, or if you cannot prove it did not happen, assume all stored credentials, cookies, and wallet data on the infected host are compromised.
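The triage logic above (a non-browser process reading browser or wallet files, followed by an outbound POST from the same process) can be run as a correlation over exported telemetry. The following is an added example and is not part of the original guide: it takes EDR/Sysmon-style file-access and network records, flags the sensitive reads, and raises the severity when the same process uploads to a non-allowlisted host within a short window. The property names (`Type`, `ProcessId`, `Process`, `Parent`, `Target`, `Method`, `Host`, `BytesOut`) and every event record below are constructed for illustration; map them onto your EDR's export schema.

```powershell
# Added example, not from the original guide: correlate EDR/Sysmon-style file-access and
# network telemetry for the Raccoon Stealer triage indicators. All event records and the
# property names are constructed for illustration.

$SensitivePathPatterns = @(
    '\\Google\\Chrome\\User Data\\.*\\(Login Data|Cookies|Web Data)$',
    '\\Microsoft\\Edge\\User Data\\.*\\(Login Data|Cookies|Web Data)$',
    '\\Mozilla\\Firefox\\Profiles\\.*\\(logins\.json|key4\.db|cookies\.sqlite)$',
    '\\Electrum\\wallets\\',
    '\\Zcash\\',
    '\\wallet\.dat$'
)
# Browsers legitimately read their own databases; anything else touching them is the signal.
$BrowserProcesses = @('chrome.exe', 'msedge.exe', 'firefox.exe', 'brave.exe')

function Test-SensitivePath {
    param([string] $Path)
    foreach ($pattern in $SensitivePathPatterns) {
        if ($Path -match $pattern) { return $true }   # -match is case-insensitive by default
    }
    return $false
}

function Find-StealerTriageHits {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $AllowedHosts = @(),   # known-good POST destinations (SaaS, update servers)
        [int] $WindowMinutes = 10         # how soon after the read an upload counts as exfil
    )
    $reads = @($Events | Where-Object {
        $_.Type -eq 'FileRead' -and
        $BrowserProcesses -notcontains $_.Process -and
        (Test-SensitivePath $_.Target)
    })
    foreach ($read in $reads) {
        # Exfil evidence: the same process POSTs to a non-allowlisted host shortly after the read.
        $post = $Events | Where-Object {
            $_.Type -eq 'NetConnect' -and $_.ProcessId -eq $read.ProcessId -and
            $_.Method -eq 'POST' -and $AllowedHosts -notcontains $_.Host -and
            $_.Time -ge $read.Time -and $_.Time -le $read.Time.AddMinutes($WindowMinutes)
        } | Sort-Object Time | Select-Object -First 1

        $exfilHost = $null; $bytesOut = 0
        $severity  = 'Medium: harvest without observed upload'
        if ($post) {
            $exfilHost = $post.Host; $bytesOut = $post.BytesOut
            $severity  = 'High: harvest followed by outbound POST, treat stored secrets as stolen'
        }
        [pscustomobject]@{
            Time          = $read.Time
            ProcessId     = $read.ProcessId
            Process       = $read.Process
            ParentProcess = $read.Parent
            SensitiveFile = $read.Target
            ExfilHost     = $exfilHost
            BytesOut      = $bytesOut
            Severity      = $severity
        }
    }
}

# Constructed sample telemetry: one suspicious process, one legitimate browser read,
# one legitimate POST to an allowlisted service.
$t0 = Get-Date '2024-05-01 09:12:00'
$SampleEvents = @(
    [pscustomobject]@{ Time = $t0.AddSeconds(3);  Type = 'FileRead';   ProcessId = 4120; Process = 'invoice_viewer.exe'; Parent = 'explorer.exe'
                       Target = 'C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data' }
    [pscustomobject]@{ Time = $t0.AddSeconds(4);  Type = 'FileRead';   ProcessId = 4120; Process = 'invoice_viewer.exe'; Parent = 'explorer.exe'
                       Target = 'C:\Users\alice\AppData\Roaming\Electrum\wallets\default_wallet' }
    [pscustomobject]@{ Time = $t0.AddSeconds(41); Type = 'NetConnect'; ProcessId = 4120; Process = 'invoice_viewer.exe'
                       Method = 'POST'; Host = 'gate.example.invalid'; BytesOut = 184320 }
    [pscustomobject]@{ Time = $t0.AddSeconds(50); Type = 'FileRead';   ProcessId = 2210; Process = 'chrome.exe'; Parent = 'explorer.exe'
                       Target = 'C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies' }
    [pscustomobject]@{ Time = $t0.AddSeconds(55); Type = 'NetConnect'; ProcessId = 3300; Process = 'outlook.exe'
                       Method = 'POST'; Host = 'outlook.office365.com'; BytesOut = 9100 }
)

$hits = Find-StealerTriageHits -Events $SampleEvents -AllowedHosts @('outlook.office365.com')
$hits | Format-Table Time, Process, ProcessId, SensitiveFile, ExfilHost, BytesOut, Severity -AutoSize
# Scoping pivots: the hit's image name, parent and destination feed the lineage and proxy-log queries.
$hits | Select-Object Process, ParentProcess, ExfilHost -Unique
```

With the constructed events, both reads by `invoice_viewer.exe` come back as High with `gate.example.invalid` as the destination; the `chrome.exe` read is dropped by the browser exclusion and the Outlook upload by the allowlist. The window is deliberately short because an infostealer uploads immediately after harvesting; widen it only if your EDR timestamps file and network events from different sensors with noticeable skew. A hit's process name, parent and destination are the pivots for the patient-zero and scoping queries.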
Evidence Collection
Before initiating containment or eradication, collect and preserve forensic evidence from affected systems. This is critical for understanding the attack and for potential legal proceedings.
- Volatile Memory: Take a full memory image of the infected system(s) with a trusted memory acquisition tool, before any other collection or containment action on the host. Raccoon Stealer keeps its configuration, including the C2 addresses, encrypted and decrypts it only in memory, and some loaders execute the payload without ever writing the unpacked stealer to disk, so the memory image may be the only place the decoded configuration and the unpacked binary can be recovered.
- Disk and Process Artifacts: Collect the following Raccoon Stealer-specific artifacts:
  - Malicious Executables: The initial dropper and the main stealer binary (`raccoon.exe` or, more often, an arbitrary name; identify it by hash and behavior rather than filename), typically found in `%Temp%`, `%AppData%`, or `%LocalAppData%`.
  - Persistence Mechanisms: Check for scheduled tasks (e.g., `schtasks /query /fo LIST /v`), Run registry keys (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`), and startup folders.
  - Log and Data Files: Look for temporary files created by the stealer, often in `%Temp%` with random names, containing the harvested data staged before exfiltration.
  - System Logs: Export the relevant Windows Event Logs (Security, System, PowerShell, Windows Defender) covering the infection timeframe.
  - Process List & Network Connections: Capture a full list of running processes and active network connections (using `netstat -anob`, which needs an elevated prompt to show the owning executable).
- Network Evidence: Preserve full packet captures (PCAPs) from network sensors on the affected segment, focusing on traffic to and from the suspected host. Export relevant logs from perimeter firewalls, web proxies, and DNS servers showing C2 communication.
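The host-side collection steps above can be scripted so that every affected endpoint yields the same artifact set with hashes for chain of custody. The following is an added example, not from the original guide: run it from an elevated PowerShell session on the infected host, from a trusted toolkit on removable media or an IR share, and only after the memory image has been taken with your acquisition tool, since running the script itself perturbs memory. The case-folder location, the 7-day lookback, and the event log names are assumptions; `HKCU` is the hive of the account running the script, so run it as the victim user or load their `NTUSER.DAT` separately if you collect as a different administrator.

```powershell
# Added example, not from the original guide: collect the Raccoon Stealer host artifacts into
# a case folder and hash them for chain of custody. Run elevated; memory image first.

function Invoke-StealerEvidenceCollection {
    param(
        [Parameter(Mandatory)] [string] $CaseRoot,   # assumption: an IR share or removable media
        [int] $LookbackDays = 7                      # assumption: how far back "recent" files go
    )
    New-Item -ItemType Directory -Path $CaseRoot -Force | Out-Null
    $log = Join-Path $CaseRoot 'collection.log'
    function Write-Step([string] $Message) {
        $line = "$(Get-Date -Format o) $Message"
        Add-Content -Path $log -Value $line
        Write-Host $line
    }

    # 1. Volatile state first: processes with lineage, command lines and image hashes, then sockets.
    Write-Step 'Capturing process list and network connections'
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate,
            @{ Name = 'SHA256'; Expression = {
                if ($_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath)) {
                    (Get-FileHash -LiteralPath $_.ExecutablePath -Algorithm SHA256).Hash
                }
            } } |
        Export-Csv -Path (Join-Path $CaseRoot 'processes.csv') -NoTypeInformation
    netstat -anob | Out-File -FilePath (Join-Path $CaseRoot 'netstat.txt')   # -b requires elevation

    # 2. Persistence: Run/RunOnce keys, scheduled tasks, startup folders.
    Write-Step 'Capturing persistence locations'
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $runFile = Join-Path $CaseRoot 'run_keys.txt'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        Add-Content -Path $runFile -Value "[$key]"
        Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS* |
            Format-List | Out-String | Add-Content -Path $runFile
    }
    schtasks /query /fo LIST /v | Out-File -FilePath (Join-Path $CaseRoot 'scheduled_tasks.txt')
    $startupDirs = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    )
    Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime, Length |
        Export-Csv -Path (Join-Path $CaseRoot 'startup_folders.csv') -NoTypeInformation

    # 3. Recently written files in the drop locations (dropper, stealer binary, staged temp logs),
    #    hashed. Expect browser-cache noise; the point is a hashed inventory to pivot on.
    Write-Step 'Hashing recently written files in TEMP, APPDATA and LOCALAPPDATA'
    $since = (Get-Date).AddDays(-$LookbackDays)
    Get-ChildItem -Path $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
        Sort-Object FullName -Unique |
        Select-Object FullName, Length, CreationTime, LastWriteTime,
            @{ Name = 'SHA256'; Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash } } |
        Export-Csv -Path (Join-Path $CaseRoot 'recent_files.csv') -NoTypeInformation

    # 4. Event logs, exported whole; filter to the infection window in your analysis tooling.
    Write-Step 'Exporting event logs'
    $logs = @('Security', 'System', 'Application',
              'Microsoft-Windows-PowerShell/Operational',
              'Microsoft-Windows-Windows Defender/Operational',
              'Microsoft-Windows-Sysmon/Operational')   # absent unless Sysmon is installed
    foreach ($name in $logs) {
        $dest = Join-Path $CaseRoot (($name -replace '[\\/ ]', '_') + '.evtx')
        wevtutil epl $name $dest 2>$null
    }

    # 5. Chain of custody: record who collected, then hash every collected file.
    Write-Step "Collection finished by $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME"
    Get-ChildItem -Path $CaseRoot -File |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Export-Csv -Path (Join-Path $CaseRoot 'evidence_hashes.csv') -NoTypeInformation
}

Invoke-StealerEvidenceCollection -CaseRoot "E:\IR\$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
```

The ordering matters: process and socket state is captured before anything that takes time, because the stealer's process may exit or be killed by the AV at any moment. The `recent_files.csv` hashes are what you later feed into scoping queries across the fleet and into the clean-state verification after eradication.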
Containment Procedures
Contain the threat to prevent further data theft and lateral movement while preserving evidence.
- Network Segmentation: Immediately isolate the confirmed infected hosts from the network, using network access control or switch port shutdown. If complete isolation is not feasible, implement strict host-based firewall rules on the endpoint that block all traffic except to essential management systems (the EDR agent's backend, the IR jump host, and the resolvers it needs). Keep the host powered on: a reboot or shutdown destroys the volatile evidence described above.
- Credential Reset Scope: Assume all credentials present on the infected system are compromised. This includes:
  - Browser-stored passwords for any websites (corporate SSO, email, cloud services).
  - Session cookies, which allow session hijacking without a password and bypass MFA, because the session was already authenticated when the cookie was issued.
  - Credentials for email clients (Outlook, Thunderbird).
  - FTP and SSH client credentials.
  - Windows domain credentials if the user entered them during the infection period.
  Coordinate with identity teams to reset these credentials and revoke all active sessions (OAuth refresh tokens and web sessions at the identity provider). Kerberos tickets already issued remain valid until they expire (10 hours by default), so plan for that window, and remember that cookies for third-party SaaS sites must be invalidated at each service, not only at your own identity provider.
- C2 Blocking: Update your perimeter and internal firewall, proxy, and DNS security policies to block all communication to the identified Raccoon Stealer C2 server IPs and domains. Host firewalls and perimeter ACLs block by IP; domain indicators must be blocked at the resolver or proxy (sinkholing), and the sinkholed lookups themselves become a detection for other infected hosts. As Raccoon Stealer operators frequently change infrastructure, also consider temporarily blocking traffic from the affected subnet to newly registered domains and to non-business-critical IP ranges.
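The host-based fallback isolation, the explicit C2 block and the credential revocation above can be scripted for the case where the switch port cannot be shut. The following is an added example and is not part of the original guide. Every address and account in it is a placeholder (RFC 5737 test ranges, example users); it assumes an elevated session on the endpoint for the firewall functions, and the ActiveDirectory and Microsoft.Graph PowerShell modules (with a `Connect-MgGraph` session holding a scope that permits `revokeSignInSessions`) wherever the revocation function runs.

```powershell
# Added example, not from the original guide: host-based isolation, explicit C2 block with
# rollback, and credential/session revocation. Addresses and accounts are placeholders.

function Invoke-HostIsolation {
    param(
        [Parameter(Mandatory)] [string[]] $ManagementAddresses,   # EDR backend, IR jump host, DNS/DHCP servers
        [string[]] $C2Addresses = @(),                              # IPs/CIDRs from triage; domains need DNS/proxy blocks
        [string]   $StateFile = 'C:\IR\isolation_disabled_rules.txt'   # assumption: rollback record location
    )
    # Explicit C2 block first, as its own rule, so it can outlive the isolation rules.
    if ($C2Addresses.Count -gt 0) {
        New-NetFirewallRule -DisplayName 'IR-Block-C2' -Direction Outbound -Action Block `
            -RemoteAddress $C2Addresses -Profile Any -Enabled True | Out-Null
    }
    # Allow only the management systems, in both directions.
    foreach ($dir in 'Outbound', 'Inbound') {
        New-NetFirewallRule -DisplayName "IR-Allow-Management-$dir" -Direction $dir -Action Allow `
            -RemoteAddress $ManagementAddresses -Profile Any -Enabled True | Out-Null
    }
    # Default-deny both directions. Pre-existing allow rules would still punch holes through the
    # default action, so disable them and record their names for rollback.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
    $others = Get-NetFirewallRule -Enabled True | Where-Object { $_.DisplayName -notlike 'IR-*' }
    New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
    $others.Name | Set-Content -Path $StateFile
    $others | Disable-NetFirewallRule
}

function Undo-HostIsolation {
    param([string] $StateFile = 'C:\IR\isolation_disabled_rules.txt')
    Get-Content -Path $StateFile | ForEach-Object { Enable-NetFirewallRule -Name $_ }
    Get-NetFirewallRule -DisplayName 'IR-Allow-Management-*' | Remove-NetFirewallRule
    # IR-Block-C2 is deliberately left in place until the indicators are retired.
}

function Invoke-CredentialRevocation {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # on-premises AD account
        [string] $UserPrincipalName                        # Entra ID identity for token revocation
    )
    # Random password the user never learns; they must set a new one at next logon.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secure = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    # Kerberos tickets already issued keep working until they expire (10h lifetime by default);
    # the reset only stops the stolen secret from obtaining new ones.
    if ($UserPrincipalName -and (Get-Command Revoke-MgUserSignInSession -ErrorAction SilentlyContinue)) {
        # Invalidates refresh tokens and Entra ID browser sessions, which a stolen cookie would
        # otherwise keep using after the password reset.
        Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    }
}

# Placeholder values (RFC 5737 test addresses, example account); replace with case data.
Invoke-HostIsolation -ManagementAddresses '203.0.113.10', '203.0.113.11' -C2Addresses '198.51.100.23', '198.51.100.0/24'
Invoke-CredentialRevocation -SamAccountName 'alice' -UserPrincipalName 'alice@example.com'
```

Put the DHCP and DNS servers the host depends on in the management list, otherwise the lease will lapse during a long isolation and the EDR agent loses its channel. Sessions at third-party services whose cookies were in the browser profile are outside both AD and Entra ID and must be revoked at each service.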
Eradication and Recovery
Remove the malware and restore systems to a trusted state.
- Complete Removal: Follow the detailed, step-by-step instructions in the Raccoon Stealer Removal Guide. This process must be executed on every affected endpoint and typically involves:
  - Terminating malicious processes.
  - Removing all associated files from disk.
  - Cleaning all persistence registry keys and scheduled tasks.
  - Using anti-malware scanners for a secondary sweep.
- Restoration from Backups: For critical systems where forensic confidence is low, or if the system was heavily modified by the attacker, consider rebuilding from known-clean, pre-infection backups. Do not restore from backups taken after the initial infection time, as they may contain the malware.
- Verification of Clean State: Before returning a system to production:
  - Re-scan the system with updated anti-malware and EDR tools.
  - Validate that every persistence mechanism identified during evidence collection is gone, checking by file hash and registry value as well as by filename, since a re-dropped binary may carry a new name.
  - Monitor for any anomalous network connections or process behavior for 24-48 hours in a controlled environment, if possible.
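The verification step can be made mechanical by re-checking the host against the IOCs recorded during evidence collection. The following is an added example, not from the original guide: it reports every file path, file hash, Run value, scheduled task, running process and live C2 connection that still matches the case IOCs, and passes only when nothing is found. The IOC values in the call at the bottom are placeholders (a made-up drop path, an all-zero hash, an RFC 5737 address); feed it the real values from your case notes and run it elevated on the cleaned or rebuilt host.

```powershell
# Added example, not from the original guide: confirm no case IOC remains on a host before it
# returns to production. IOC values in the call at the bottom are placeholders.

function Test-StealerCleanState {
    param(
        [string[]] $FilePaths     = @(),   # dropper / stealer binary paths
        [string[]] $FileHashes    = @(),   # SHA256 of those binaries
        [string[]] $RunValueNames = @(),   # Run/RunOnce value names used for persistence
        [string[]] $TaskNames     = @(),   # scheduled task names used for persistence
        [string[]] $C2Addresses   = @()    # C2 IPs seen in triage
    )
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($p in $FilePaths) {
        if (Test-Path -LiteralPath $p) { $findings.Add("file still present: $p") }
    }
    # A hash sweep of the usual drop directories catches the same binary re-dropped under a new name.
    if ($FileHashes.Count -gt 0) {
        Get-ChildItem -Path $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                if ($h -and $FileHashes -contains $h) { $findings.Add("known-bad hash on disk: $($_.FullName)") }
            }
    }
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $RunValueNames) {
            if ($props.PSObject.Properties[$name]) { $findings.Add("Run value still present: $key\$name") }
        }
    }
    foreach ($t in $TaskNames) {
        if (Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue) {
            $findings.Add("scheduled task still present: $t")
        }
    }
    # Running processes whose image matches a known-bad path or hash.
    Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath } | ForEach-Object {
        $path = $_.ExecutablePath
        $h = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($FilePaths -contains $path -or ($h -and $FileHashes -contains $h)) {
            $findings.Add("known-bad process running: PID $($_.ProcessId) $path")
        }
    }
    # A live socket to C2 is the clearest sign the cleanup missed something.
    if ($C2Addresses.Count -gt 0) {
        Get-NetTCPConnection -ErrorAction SilentlyContinue |
            Where-Object { $C2Addresses -contains $_.RemoteAddress } |
            ForEach-Object { $findings.Add("connection to C2 $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)") }
    }
    return ,$findings
}

# Placeholder IOCs; replace with the values recorded during evidence collection.
$findings = Test-StealerCleanState `
    -FilePaths "$env:APPDATA\SysUpdater\svc.exe" `
    -FileHashes ('0' * 64) `
    -RunValueNames 'SysUpdater' -TaskNames 'SysUpdater' -C2Addresses '198.51.100.23'
if ($findings.Count -eq 0) { 'PASS: no case IOC present; start the 24-48h monitored soak' } else { $findings }
```

A pass here is necessary, not sufficient: it proves the known indicators are gone, not that nothing unknown remains, which is why the monitored soak period still follows. Because the `HKCU` hive belongs to the account running the check, run it as the affected user (or load their hive) before signing off.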
Lessons Learned Checklist
After containment and eradication, conduct a post-incident review to improve defenses.
- Initial Infection Vector: How did Raccoon Stealer gain initial access?
  - Was it a malicious email attachment? If so, what email security controls failed?
  - Was it a drive-by download or exploit kit? Are browser and plugin patching policies adequate?
  - Was it bundled with unauthorized software? Are software restriction policies or application allow-listing controls in place and effective?
- Control Failures: What security controls did not prevent or detect the incident?
  - Did endpoint protection fail to detect the payload on write or execution?
  - Were network-based controls (IDS/IPS, web filter) unable to identify or block C2 traffic?
  - Did user awareness training fail to prevent the initial execution?
- Detection Gaps: How was the incident finally discovered, and how long did it take?
  - Were there missed alerts in the SIEM for the behavioral indicators (non-browser processes reading browser data files, calls into `crypt32.dll`, i.e. DPAPI `CryptUnprotectData`, which stealers use to decrypt browser-stored secrets)?
  - Can new detection rules be created for Raccoon Stealer's specific TTPs (Tactics, Techniques, and Procedures)?
  - Is there a gap in monitoring for outbound exfiltration of credential-type data?
- Improvement Actions: What specific actions will be taken?
  - Implement or tighten application allow-listing to prevent execution from `%Temp%` and `%AppData%`.
  - Enhance email filtering for dangerous file types (ISO, LNK).
  - Protect stored secrets: disable browser password saving by policy in favor of an enterprise password manager, and deploy Windows Credential Guard to protect domain credentials cached in LSASS. Note that Credential Guard does not protect browser-stored passwords or cookies, which DPAPI decrypts for any process running as the user.
  - Update incident response playbooks with the specific IOCs and procedures from this guide.
For more information on this threat, see the Raccoon Stealer Overview. To improve proactive identification, review the Raccoon Stealer Detection Guide.