It has been observed that since at least May 2023, a threat actor suspected to originate from Vietnam has targeted victims in multiple Asian and Southeast Asian countries using malware designed to obtain valuable data.
Cisco Talos is tracking the cluster under this name coral attacker, describing it as financially motivated. The campaign targets India, China, South Korea, Bangladesh, Pakistan, Indonesia and Vietnam.
“The group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertising accounts,” said security researchers Chetan Raghuprasad and Joey Chen. “They use RotBot, a custom variant of the Quasar RAT, and XClient to steal program as payload.”
Other commodity malware used by the group includes a combination of remote access trojans and information-stealing programs such as AsyncRAT, NetSupport RAT, and Rhadamanthys.
Targeting commercial and advertising accounts is particularly important for attackers operating out of Vietnam, deploying various stealth malware families such as Ducktail, NodeStealer and VietCredCare to take control of accounts for further profit.
The modus operandi requires using Telegram to exfiltrate stolen information from victim machines and then trade it on underground markets to generate illicit revenue.
“The CoralRaider operator is based in Vietnam and is based on participant messages in Telegram C2 bot channels as well as naming the bot’s language preferences, PDB strings, and other Vietnamese words hardcoded in the payload binary,” researchers said.
The attack chain begins with Windows shortcut files (LNK), although it has not yet been clearly explained how these files are distributed to targets.
If the LNK file is opened, an HTML application (HTA) file is downloaded and executed from an attacker-controlled download server, which executes an embedded Visual Basic script.
The script itself decrypts and sequentially executes three other PowerShell scripts, which are responsible for performing anti-VM and anti-analysis checks, circumventing Windows User Access Control (UAC), disabling Windows and application notifications, and downloading and executing RotBot.
RotBot is configured to contact Telegram bots, capture XClient, steal malware and execute it in memory, ultimately facilitating exfiltration from Brave, Cốc Cốc, Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera; Discord and Telegram data; and screenshots.
XClient can also steal data from victims’ Facebook, Instagram, TikTok and YouTube accounts, gathering details about payment methods and permissions for their Facebook business and ad accounts.
“RotBot is a variant of the Quasar RAT client that the threat actors customized and compiled for this campaign,” the researchers said.[XClient] It has extensive information stealing capabilities through its plug-in modules and various modules used to perform remote management tasks. “
The development comes as Bitdefender revealed details of a malvertising campaign on Facebook that capitalized on the craze around generative artificial intelligence tools, launching various information-stealing programs like Rilide, Vidar, IceRAT, and a new program called Nova Stealer. of new entrants.
The starting point of the attack is that the threat actor took over an existing Facebook account and modified its appearance to mimic well-known artificial intelligence tools from Google, OpenAI, and Midjourney, and expanded its reach by running sponsored ads on the platform.
One of these was an imposter page impersonating Midjourney, which had 1.2 million followers before it was deleted on March 8, 2023. The threat actors who manage this page are mainly from Vietnam, the United States, Indonesia, the United Kingdom and Australia.
The Romanian cybersecurity company said: “The malvertising campaign was far-reaching through Meta’s search ad systems and actively targeted European users from Germany, Poland, Italy, France, Belgium, Spain, the Netherlands, Romania, Sweden and elsewhere. user.”
