A cyber threat originating from Vietnam, dubbed CoralRaider, has been identified targeting numerous Asian and Southeast Asian countries since May 2023. Cisco Talos researchers have traced this cluster, attributing it to financially motivated activities. CoralRaider’s targets encompass a wide array of nations including India, China, South Korea, Bangladesh, Pakistan, Indonesia, and its home country Vietnam.
Security experts Chetan Raghuprasad and Joey Chen shed light on CoralRaider’s modus operandi, emphasizing their focus on pilfering credentials, financial data, and social media accounts. Employing a variety of malware payloads such as RotBot, a customized variant of Quasar RAT, and XClient stealer, the group demonstrates a sophisticated approach to data theft. Additionally, they utilize other commodity malware like AsyncRAT, NetSupport RAT, and Rhadamanthys to bolster their malicious activities.
Of particular concern is CoralRaider’s targeting of business and advertisement accounts, a trend especially prevalent in Vietnam. This emphasis is exemplified through the deployment of various stealer malware families like Ducktail, NodeStealer, and VietCredCare, indicating a concerted effort towards financial gain through illicit means. The stolen information is subsequently traded in underground markets to generate revenue, highlighting the broader implications of this cyber threat.
As security researchers delve deeper into CoralRaider’s operations, they uncover the group’s elaborate attack chains starting with Windows shortcut files (LNK). The attackers employ sophisticated techniques involving HTML applications (HTA), Visual Basic scripts, and PowerShell scripts to execute malware like RotBot and XClient. This multifaceted approach underscores the evolving nature of cyber threats and the necessity for robust cybersecurity measures to safeguard against such malicious activities.
