COMMSEC: CoralRaider Targets Victims Data and Social Media Accounts

By Chetan Raghuprasad, Joey Chen on 29 Aug 2024 @ Hitbsecconf
#reverse-engineering #security-assessment #incident-management
Focus Areas: Incident Response, Malware Analysis, Penetration Testing, Vulnerability Management

Abstract

In recent findings, Cisco Talos has uncovered a new threat actor, dubbed “CoralRaider,” believed to originate from Vietnam and driven by financial motivations. Operating since at least 2023, CoralRaider has targeted victims primarily across Asian and Southeast Asian countries, focusing on the theft of credentials, financial data, and social media accounts, including business and advertisement profiles. The group employs sophisticated tactics, leveraging customized variants of known malware such as RotBot (a modified version of QuasarRAT) and the XClient stealer as primary payloads in their campaigns. Notably, CoralRaider uses the dead-drop technique, relying on legitimate services to host C2 configuration files, and uncommon living-off-the-land binaries (LoLBins) such as Windows Forfiles.exe and FoDHelper.exe.

In a recent discovery made by Talos in February 2024, CoralRaider has initiated a new campaign distributing renowned infostealer malware, including Cryptbot, LummaC2, and Rhadamanthys. Employing innovative tactics, the threat actor embeds PowerShell command-line arguments within LNK files to evade antivirus detection and facilitate payload downloads onto victim hosts. Furthermore, the campaign utilizes Content Delivery Network (CDN) cache domains as download servers for hosting malicious HTA files and payloads, adding another layer of complexity to their operations. Talos assesses with moderate confidence that CoralRaider is behind this campaign, noting overlaps in tactics, techniques, and procedures (TTPs) observed in previous RotBot campaigns. These include the use of Windows Shortcut files as initial attack vectors, intermediate PowerShell decryptors, and FoDHelper techniques to bypass User Account Control (UAC) on victim machines.

This research sheds light on the evolving tactics of CoralRaider and underscores the importance of continuous threat intelligence to combat emerging cyber threats effectively. Understanding the modus operandi of such threat actors is crucial for bolstering defenses and mitigating risks in today’s cybersecurity landscape.

AI Generated Summary

The research details the activities of the Vietnam-origin cybercrime group tracked as CoralRaider (UTG Q007), active since 2023 with a financial motivation. The group specializes in multi-stage attacks to steal credentials and financial data, and to hijack social media accounts across Asia, Europe, and the US.

Two distinct campaigns were analyzed. Campaign One (late 2023 to early 2024) used malicious movie files with localized names as initial vectors. Its attack chain employed a custom PowerShell script for anti-analysis, a novel UAC bypass technique abusing the CurVer registry key with a spoofed fodhelper.exe, and a final payload consisting of custom malware. This included a loader named RotBot, which deployed the XClient stealer. XClient used Google Docs as a dead-drop resolver to obtain command-and-control (C2) details and exfiltrated data, including social media credentials, via a Telegram bot API.

Campaign Two (early 2024) used more generic LNK file names and showed increased sophistication. The attack chain was similar but featured heavily obfuscated HTA files and the use of a Content Delivery Network (CDN) for payload hosting. This campaign primarily utilized off-the-shelf information stealers: a new variant of Cryptbot (packed with VMProtect, targeting password managers and 2FA databases), a modified LummaC2 (with encrypted C2 domains), and Rhadamanthys (version 5). Rhadamanthys was delivered via a Python-based loader, referred to as BSR (Binary Sub Replacer), which performed process injection. The BSR cryptor family showed links to open-source projects, though some components appear custom.

Attribution to Vietnam is supported by multiple artifacts: Vietnamese language in PDB strings and Telegram group names, a debug bot server IP located in Hanoi, and a spreadsheet containing victim data with Vietnamese labels and Office 365 login activity. The overlap in infection chains, decryption logic, and consistent targeting across both campaigns indicates a single, evolving actor.

The group’s use of living-off-the-land techniques, commercial stealers, and fast exfiltration via Telegram highlights the challenge of detecting credential theft. Mitigations should focus on monitoring for the specific UAC bypass and suspicious Google Docs/Telegram traffic. Future threats may feature even faster credential theft and broader application targeting.
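The monitoring the summary recommends can be sketched as a few host-telemetry rules. The block below is an added example, not code from the talk or from Talos: it runs three toy detections over constructed Sysmon-style events (registry writes under the ms-settings CurVer key, a fodhelper.exe image outside System32 as one reading of the "spoofed fodhelper.exe" detail, and non-browser processes connecting to the Google Docs and Telegram bot API hosts named above). The registry paths, hostnames, process names and sample events are all assumptions or constructed values, not indicators from the research.

```python
"""Toy detection rules for the CoralRaider tradecraft summarised above, run over
constructed Sysmon-style events (ID 1 process create, ID 3 network connect,
ID 13 registry value set). All paths, hostnames and events here are assumed or
constructed for illustration; none come from the talk."""

from typing import Dict, List, Tuple

Event = Dict[str, object]

# Assumption: the fodhelper UAC bypass redirects the ms-settings ProgID via CurVer
# and the shell\open\command key in the user hive.
SUSPICIOUS_REG_SUFFIXES = (
    r"\software\classes\ms-settings\curver",
    r"\software\classes\ms-settings\shell\open\command",
)
# Assumption: the dead-drop resolver and exfil channel named in the summary.
WATCHED_HOSTS = ("docs.google.com", "api.telegram.org")
# Processes for which traffic to those hosts is expected; anything else is flagged.
EXPECTED_CLIENTS = ("chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe")
# The only location from which the genuine binary should run.
LEGIT_FODHELPER = r"c:\windows\system32\fodhelper.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\ms-settings\CurVer",
     "Details": "constructed-progid"},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\fodhelper.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\fodhelper.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Users\victim\AppData\Roaming\updater.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "docs.google.com", "DestinationPort": 443},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Constructed\Setting",
     "Details": "1"},
]


def basename(path: object) -> str:
    """Lower-cased file name of a Windows path."""
    return str(path).lower().rsplit("\\", 1)[-1]


def classify(event: Event) -> List[str]:
    """Return the names of the rules this event trips (empty if benign)."""
    hits: List[str] = []
    eid = event.get("EventID")
    image = str(event.get("Image", "")).lower()
    if eid == 13:
        target = str(event.get("TargetObject", "")).lower()
        if any(target.endswith(suffix) for suffix in SUSPICIOUS_REG_SUFFIXES):
            hits.append("ms_settings_curver_write")
    elif eid == 1:
        # A fodhelper.exe anywhere but System32 is a copied or renamed binary.
        if basename(image) == "fodhelper.exe" and image != LEGIT_FODHELPER:
            hits.append("fodhelper_outside_system32")
    elif eid == 3:
        host = str(event.get("DestinationHostname", "")).lower()
        if host in WATCHED_HOSTS and basename(image) not in EXPECTED_CLIENTS:
            hits.append("unexpected_client_to_dead_drop_or_exfil_host")
    return hits


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Run classify over an event stream; returns (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} ({SAMPLE_EVENTS[idx]['Image']})")
```

The three rules are deliberately narrow: the registry rule matches only the key suffixes the bypass must touch, the process rule compares the full image path rather than the file name alone, and the network rule tolerates ordinary browser use of Google Docs while still surfacing a stray binary talking to the Telegram bot API.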

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content.