Protection Guide: Raccoon Stealer
Attack Vectors to Block
Raccoon Stealer primarily infiltrates systems through social engineering and software bundling. Blocking these vectors requires a layered defense.
Phishing Emails and Malicious Attachments: Raccoon is frequently distributed via phishing campaigns containing malicious attachments (e.g., .ISO, .ZIP, .SCR, .LNK files) or links to compromised sites. At the email gateway, implement strict policies to block executable attachments and archive files that can bypass traditional filters. Use a secure email gateway to rewrite URLs and perform time-of-click analysis. On the endpoint, configure application control to prevent execution from temporary internet directories and user download folders.
Malvertising and Compromised Websites: Raccoon payloads are often hosted on compromised legitimate sites or distributed through malicious advertisements. Deploy a web filtering proxy or secure web gateway to block access to known malicious domains and newly registered domains (NRDs) with low reputation. Use browser isolation technologies for high-risk users. Endpoint web browser extensions should be configured to block scripts and redirects from untrusted sites.
Software Cracking/Piracy Sites and Fake Installers: A common infection path is through trojanized software on piracy and cracking websites. Network-level defenses should block categories related to software piracy, illegal streaming, and crack/keygen sites. Implement application allowlisting on endpoints to prevent unauthorized software installers from running. Use an EDR solution to detect and block processes that exhibit behaviors like downloading and executing payloads from temporary locations (e.g., %TEMP%, %APPDATA%).
Email Security Configuration
Configure your email security infrastructure to intercept Raccoon Stealer lures before they reach the inbox.
Attachment Filtering Policies: Create rules to block or sandbox high-risk file types commonly used by Raccoon. This includes:
- Executables (.exe, .scr, .msi, .bat, .cmd, .ps1)
- Archive files that may contain executables (.zip, .rar, .7z, .iso). Configure the gateway to extract and scan the contents of archives.
- Microsoft Office documents with macros. Block these outright, or enforce the Office policy that blocks macros in files carrying the Mark of the Web and allows them only from designated trusted locations.
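The attachment policy above, written out as a per-attachment filter that a gateway could call. This is an added example, not code from the original guide or from any gateway product; the extension sets, the sample attachments and the in-memory ZIP fixtures are constructed here for illustration, and only ZIP archives are actually opened (RAR, 7z and ISO containers are routed to the sandbox because this example has no parser for them). It shows the checks the bullets imply but do not spell out: double extensions such as invoice.pdf.scr, executables hidden inside an archive, archives nested inside archives, encrypted entries the scanner cannot see into, and malformed archives.

```python
import io
import zipfile

# Constructed policy sets (assumptions for this example; tune to your gateway).
EXEC_EXT = {".exe", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".lnk", ".js", ".vbs", ".hta"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".doc", ".xls", ".ppt"}   # legacy formats can carry macros too
ARCHIVE_EXT = {".zip"}                                             # opened and inspected here
CONTAINER_EXT = {".iso", ".img", ".vhd", ".rar", ".7z"}           # not parsed here, so sandboxed
RANK = {"allow": 0, "sandbox": 1, "block": 2}
MAX_DEPTH = 2                                                      # archives nested deeper are blocked


def suffixes(name):
    """All extensions of a file name, lowercase: 'Invoice.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def classify(filename, data=b"", depth=0):
    """Return (action, reasons) for one attachment; 'block' outranks 'sandbox' outranks 'allow'."""
    state = {"action": "allow", "reasons": []}

    def raise_to(action, why):
        if RANK[action] > RANK[state["action"]]:
            state["action"] = action
        state["reasons"].append(why)

    exts = suffixes(filename)
    last = exts[-1] if exts else ""
    if last in EXEC_EXT:
        raise_to("block", f"{filename}: executable extension {last}")
        if len(exts) > 1:
            raise_to("block", f"{filename}: double extension {''.join(exts)}")
    elif last in MACRO_EXT:
        raise_to("sandbox", f"{filename}: macro-capable Office document")
    elif last in CONTAINER_EXT:
        raise_to("sandbox", f"{filename}: container format not inspected by this filter")
    elif last in ARCHIVE_EXT:
        if depth >= MAX_DEPTH:
            raise_to("block", f"{filename}: archive nested deeper than {MAX_DEPTH}")
        else:
            inspect_zip(filename, data, depth, raise_to)
    return state["action"], state["reasons"]


def inspect_zip(filename, data, depth, raise_to):
    """Open a ZIP in memory and classify every entry; encrypted entries cannot be scanned, so block."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:                       # general-purpose bit 0: entry is encrypted
                    raise_to("block", f"{filename}: password-protected entry {info.filename}")
                    continue
                nested = zf.read(info) if suffixes(info.filename)[-1:] == [".zip"] else b""
                action, reasons = classify(info.filename, nested, depth + 1)
                for why in reasons:
                    raise_to(action, f"{filename} -> {why}")
    except zipfile.BadZipFile:
        raise_to("block", f"{filename}: malformed archive")


def build_zip(entries):
    """Construct an in-memory ZIP from {name: bytes} (test fixture, not captured mail)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed attachments resembling the lures the guide describes.
SAMPLE_MAIL = {
    "invoice.pdf": b"%PDF-1.4 placeholder",
    "Invoice_4471.pdf.scr": b"MZ placeholder",
    "Order_Confirmation.zip": build_zip({"Order_Confirmation.exe": b"MZ placeholder"}),
    "docs.zip": build_zip({"inner.zip": build_zip({"setup.exe": b"MZ placeholder"})}),
    "Q3_report.xlsm": b"PK placeholder",
    "Adobe_Update.iso": b"\x00" * 32,
}


def scan_mail(attachments):
    """Classify every attachment; the message verdict is the worst attachment verdict."""
    verdicts = {name: classify(name, data) for name, data in attachments.items()}
    worst = max((v[0] for v in verdicts.values()), key=RANK.__getitem__, default="allow")
    return worst, verdicts


if __name__ == "__main__":
    worst, verdicts = scan_mail(SAMPLE_MAIL)
    print("message verdict:", worst)
    for name, (action, reasons) in verdicts.items():
        print(f"{action:8} {name}  {'; '.join(reasons)}")
```

The filter decides on names and structure only; a real gateway would also hand every allowed or sandboxed file to content inspection, since a renamed executable (MZ header under a .pdf name) passes an extension check.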
URL Defense and Link Analysis: Enable URL rewriting and time-of-click protection for all links within emails. Quarantine emails containing links to domains with a low reputation score, domains registered very recently (e.g., within the last 30 days), or domains that mimic legitimate software download sites (e.g., adobe-update[.]com). Integrate your email gateway with your threat intelligence platform to block IOCs associated with active Raccoon campaigns.
Sender and Content Policies: Publish SPF, DKIM, and DMARC for your own domains (moving DMARC to a reject policy once monitoring is clean) and evaluate inbound mail against the sender domain's DMARC policy to reduce spoofing. Set up rules that raise the spam score of, or quarantine, emails whose subject or body uses lures common in infostealer campaigns, such as "Invoice," "Payment Required," "Your Document," or "Order Confirmation," especially when combined with urgent language and a password-protected attachment. A subject word on its own is too noisy to block outright; weight it together with the attachment type and sender-reputation signals.
Endpoint Protection Tuning
Harden endpoints to detect, block, and contain Raccoon Stealer execution and data theft.
Behavioral Detection Rules (EDR/NGAV): Configure your endpoint solution to generate alerts or block processes that exhibit Raccoon's post-exploitation behavior:
- Processes other than the browser itself reading browser credential stores (e.g., %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data, or logins.json and key4.db under %APPDATA%\Mozilla\Firefox\Profiles\).
- Processes reading the Windows Credential Manager vault files (%APPDATA%\Microsoft\Credentials\ and %LOCALAPPDATA%\Microsoft\Credentials\) or the DPAPI CREDHIST file under %APPDATA%\Microsoft\Protect\, or dumping LSASS memory. Raccoon decrypts these user-mode stores with the victim's own DPAPI context rather than touching LSASS, but the LSASS rule belongs in the same policy for other credential theft.
- Processes establishing network connections immediately after being spawned from a temporary directory (%TEMP%, which resolves to %LOCALAPPDATA%\Temp, or %APPDATA%).
- Processes creating or modifying files in %APPDATA% or %LOCALAPPDATA% with names mimicking legitimate software or consisting of random characters.
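The first and third rules above, evaluated over a short stream of EDR-style telemetry. This is an added example, not code from the original guide or from any EDR vendor: the event schema (process_start, file_access, net_connect records with a pid, image and timestamp), the environment-variable values, the owner lists and the events themselves are constructed here so the logic runs offline on any OS. It shows the two details a raw rule description leaves out: the credential-store rule must exclude the process that legitimately owns each store, and the spawn-to-connect rule needs process-start state and a time window rather than a single event.

```python
import re
from datetime import datetime, timedelta

# Constructed stand-ins for one user's environment variables so the example runs
# on any OS; on a real Windows host expand with os.path.expandvars instead.
ENV = {
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}


def expand(path):
    """Expand %VAR% tokens from ENV and lowercase for case-insensitive path matching."""
    return re.sub(r"%(\w+)%", lambda m: ENV[m.group(1)], path).lower()


# Credential stores from the guide mapped to the processes allowed to read them
# (owner lists are an assumption for this example; build yours from baseline telemetry).
CREDENTIAL_STORES = {
    expand(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data"): {"chrome.exe"},
    expand(r"%APPDATA%\Mozilla\Firefox\Profiles") + "\\": {"firefox.exe"},
    expand(r"%APPDATA%\Microsoft\Credentials") + "\\": {"lsass.exe"},
    expand(r"%LOCALAPPDATA%\Microsoft\Credentials") + "\\": {"lsass.exe"},
}
TEMP_DIRS = [expand(r"%TEMP%") + "\\", expand(r"%APPDATA%") + "\\"]
SPAWN_TO_CONNECT = timedelta(seconds=30)   # window for "connects out right after start"


def basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Run both rules over a time-ordered list of telemetry dicts; return (rule, pid, detail) alerts."""
    alerts = []
    started = {}   # pid -> (start time, image) for the spawn-to-connect rule
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        image = ev["image"].lower()
        if ev["type"] == "process_start":
            started[ev["pid"]] = (ts, image)
        elif ev["type"] == "file_access":
            target = ev["path"].lower()
            for store, owners in CREDENTIAL_STORES.items():
                if target.startswith(store) and basename(image) not in owners:
                    alerts.append(("credential_store_read", ev["pid"], ev["path"]))
        elif ev["type"] == "net_connect":
            start = started.get(ev["pid"])
            if (start and any(image.startswith(d) for d in TEMP_DIRS)
                    and ts - start[0] <= SPAWN_TO_CONNECT):
                alerts.append(("temp_spawn_outbound", ev["pid"], ev["dst"]))
    return alerts


# Constructed telemetry: a dropper in %TEMP% reading two browser stores and beaconing,
# followed by benign activity that the rules must not flag.
TEMP_DROPPER = r"C:\Users\alice\AppData\Local\Temp\Setup.exe"
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "type": "process_start", "pid": 4120, "image": TEMP_DROPPER},
    {"ts": "2024-05-01T10:00:02", "type": "file_access", "pid": 4120, "image": TEMP_DROPPER,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-05-01T10:00:03", "type": "file_access", "pid": 4120, "image": TEMP_DROPPER,
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k2x9.default-release\logins.json"},
    {"ts": "2024-05-01T10:00:05", "type": "net_connect", "pid": 4120, "image": TEMP_DROPPER,
     "dst": "203.0.113.10:443"},
    {"ts": "2024-05-01T10:00:06", "type": "file_access", "pid": 5210,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-05-01T10:00:07", "type": "process_start", "pid": 6001,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"ts": "2024-05-01T10:00:08", "type": "net_connect", "pid": 6001,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "dst": "198.51.100.5:443"},
]

if __name__ == "__main__":
    for rule, pid, detail in evaluate(EVENTS):
        print(f"{rule:22} pid={pid} {detail}")
```

Two alerts of each kind fire for pid 4120 and nothing fires for Chrome or Outlook. Tune the owner lists from your own baseline before enforcing in block mode; backup agents and password managers legitimately touch some of these paths.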
Application Control / Allowlisting: Deploy a robust application control policy. Deny execution by default from high-risk locations such as user download folders, temporary directories, and removable drives. Allow only signed, authorized applications to run from Program Files and Windows directories. This will stop Raccoon’s dropper from executing its payload.
Script Execution Restrictions: Use Group Policy or endpoint management tools to restrict scripting engines. Disable Windows Script Host (wscript.exe, cscript.exe) for non-administrative users where it is not required. Set the PowerShell execution policy to "RemoteSigned" or "Restricted" and enable Script Block Logging; note that the execution policy is a safety feature, not a security boundary (it is trivially bypassed with -ExecutionPolicy Bypass or by piping script text into powershell.exe), so pair it with application control or Constrained Language Mode where you need enforcement. Block Office applications from creating child processes (a common macro payload behavior) via the Attack Surface Reduction (ASR) rule "Block all Office applications from creating child processes" (rule ID D4F940AB-401B-4EFC-AADC-AD5F3C50688A).
Network-Level Defenses
Disrupt Raccoon Stealer’s command-and-control (C2) communication and ability to download secondary payloads.
DNS Filtering and Sinkholing: Configure internal DNS resolvers or use a DNS security service to block queries to domains associated with Raccoon Stealer C2 servers. Block categories including "Malware," "Phishing," "Newly Seen Domains," and "Parked Domains." Implement DNS logging and alert on endpoints making repeated DNS queries to domains with high-entropy names (e.g., kjhdsf87asd[.]com), a common trait of domain-generation-algorithm (DGA) malware. Score the registered label rather than the full hostname, since CDN and cloud hostnames legitimately carry hash-like subdomains, and require repetition from the same endpoint before alerting. Raccoon itself embeds its C2 address in the sample (early versions fetched it from a Telegram channel description; later versions hard-code it), so for Raccoon the IOC feeds do most of the work and the entropy heuristic mainly catches other families.
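The high-entropy-domain alert above, run over a few constructed resolver log lines. This is an added example, not code from the original guide or from any DNS product; the log format (timestamp, client, query type, name), the scoring weights and the sample lines are assumptions made here. It goes a little beyond the paragraph on purpose: Shannon entropy on its own flags ordinary words such as "cloudfront" (ten letters, nine of them distinct), so the score also looks at vowel ratio, digit mixing and consonant runs, and only the registrable label is scored so hash-like CDN subdomains do not trip it.

```python
import math
import re
from collections import Counter, defaultdict

VOWELS = set("aeiou")


def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicion_score(label):
    """Score one DNS label 0-4; entropy alone over-fires, so it is one signal of four."""
    label = label.lower()
    letters = [c for c in label if c.isalpha()]
    score = 0
    if entropy(label) >= 3.0:                                         # many distinct characters
        score += 1
    if letters and sum(c in VOWELS for c in letters) / len(letters) < 0.2:   # unpronounceable
        score += 1
    if letters and any(c.isdigit() for c in label):                   # digits mixed into letters
        score += 1
    runs = re.findall(r"[b-df-hj-np-tv-z]+", label)
    if runs and max(len(r) for r in runs) >= 4:                       # long consonant run
        score += 1
    return score


def registrable(domain):
    """Naive registrable domain = last two labels (assumption; use the Public Suffix List in production)."""
    labels = domain.strip(".").lower().split(".")
    return ".".join(labels[-2:])


LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>\S+) (?P<qname>\S+)$")


def find_repeat_offenders(lines, min_score=3, min_queries=3):
    """Group queries by (client, registrable domain); return those both suspicious and repeated."""
    counts = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        counts[(m["client"], registrable(m["qname"]))] += 1
    return {key: n for key, n in counts.items()
            if n >= min_queries and suspicion_score(key[1].split(".")[0]) >= min_score}


# Constructed resolver log: one host beaconing to a DGA-style name, plus CDN and
# vendor lookups that must not alert, and a second host that queried the name only once.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.12 A kjhdsf87asd.com
2024-05-01T10:00:05 10.0.0.12 A d1a2b3c4e5f6g7.cloudfront.net
2024-05-01T10:00:06 10.0.0.12 A d1a2b3c4e5f6g7.cloudfront.net
2024-05-01T10:00:07 10.0.0.12 A d1a2b3c4e5f6g7.cloudfront.net
2024-05-01T10:00:09 10.0.0.20 A www.microsoft.com
2024-05-01T10:00:10 10.0.0.20 A kjhdsf87asd.com
2024-05-01T10:00:31 10.0.0.12 A kjhdsf87asd.com
2024-05-01T10:01:01 10.0.0.12 A kjhdsf87asd.com
""".splitlines()

if __name__ == "__main__":
    for (client, domain), n in find_repeat_offenders(SAMPLE_LOG).items():
        print(f"{client} queried {domain} {n} times (score {suspicion_score(domain.split('.')[0])})")
```

Only 10.0.0.12 and kjhdsf87asd.com survive: the cloudfront.net label scores 1, microsoft.com scores 0, and 10.0.0.20 queried the suspicious name once, below the repetition threshold. Treat the output as a hunting lead to be joined with the proxy and EDR data, not as a block decision by itself.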
Web Proxy / Gateway Filtering: Enforce explicit proxy use for all HTTP/HTTPS traffic. Create block rules for:
- IP addresses and domains from the latest Raccoon Stealer IOC lists.
- URLs whose paths end in common Raccoon payload names (e.g., setup.exe, installer.msi, document.scr) when served from uncategorized or newly registered domains. These names are generic, so block them only for low-reputation sources and sandbox the download elsewhere; blocking them everywhere breaks legitimate software installs.
- Traffic to bulletproof hosting providers and free web hosting services frequently abused by malware actors.
Firewall and Network Segmentation: At the perimeter firewall, implement egress filtering to block outbound connections on non-standard ports. Since Raccoon often uses HTTPS on port 443 for C2, focus on application-layer inspection. Use an intrusion prevention system (IPS) with signatures tuned for malware beaconing and data exfiltration patterns. Segment the network to restrict workstations from initiating connections to anything other than essential internal services and the internet proxy.
User Awareness Training Points
Educate users to recognize and avoid the social engineering tactics used to deploy Raccoon Stealer.
Identifying Phishing Lures: Train users to scrutinize emails urging immediate action, especially those with generic greetings, grammatical errors, and threats of account suspension. Emphasize that legitimate organizations will not send executable files or password-protected archives as invoices or documents. Instruct them to never enable macros in documents received via email.
Safe Software Download Practices: Stress that downloading software, especially “cracks,” “keygens,” or “free” versions of paid software, from piracy sites is a primary infection method for stealers like Raccoon. Mandate that all software must be downloaded from official vendor websites or approved internal repositories.
Handling Suspicious Files and Links: Teach users to hover over links to preview the actual URL before clicking. Instruct them to report any file that downloads unexpectedly or any installer that prompts for excessive permissions. Create a clear, simple process for reporting suspicious emails to the security team.
Password and Credential Hygiene: While not a direct prevention, inform users about the risk of infostealers. This reinforces the importance of unique passwords for different accounts and enabling multi-factor authentication (MFA) everywhere possible, as this can significantly mitigate the impact of stolen credentials.
For detailed information on how this malware spreads, refer to the Distribution Methods page. For specific technical indicators, consult the Current IOCs. A general overview is available on the Raccoon Stealer Overview page.