An emerging cybercrime group with ties to Vietnam targeted individuals and organizations in Asia in an attempt to steal social media account information and user data.
CoralRaider, which first emerged in late 2023, relies heavily on social engineering and legitimate services for data exfiltration, and has developed custom tools to load malware onto victims' systems. But the group also makes elementary mistakes, such as accidentally infecting its own systems and exposing its activities, a threat researcher in the Cisco Talos Threat Intelligence Group says in his new analysis of CoralRaider.
Although cyber operations are becoming more active in Vietnam, the group does not appear to be cooperating with the government, said Chetan Raghuprasad, security research and technology leader in Cisco's Talos group.
“The main priority is financial gain, and the attackers are trying to take over the victim's social media business and advertising. It could also expose you to subsequent attacks, such as the delivery of other malware. Our research does not reveal any instances of other payloads being delivered.”
Vietnamese threat actors frequently turn to social media. The infamous OceanLotus group, also known as APT32, has attacked other governments, opposition parties, and journalists in Southeast Asian countries, including Vietnam. Force 47, a military-affiliated group associated with the Vietnamese military's official television station, regularly tries to influence social media groups.
However, CoralRaider appears to be associated with profit motives rather than nationalistic objectives.
“At this time, there is no evidence or information regarding any indication that Coral Raider is collaborating with the Vietnamese government,” Raghuprasad said.
Multi-step infection chain
CoralRaider campaigns typically start with a Windows Shortcut (.LNK) file, often carrying a .PDF extension to trick victims into opening it, according to Cisco's analysis. The attack then proceeds through a series of stages:
- The Windows shortcut downloads and runs an HTML application (HTA) file from an attacker-controlled server.
- The HTA file runs an embedded Visual Basic script.
- The VB script runs a PowerShell script, which in turn runs three further PowerShell scripts. These include a set of anti-analysis checks to detect whether the tool is running on a virtual machine, a bypass of the system's user access controls, and code to disable notifications to the user.
- The final script runs RotBot, an evasive loader that performs system reconnaissance and downloads configuration files.
- RotBot typically downloads XClient, which collects various user data from the system, including social media account credentials.
In addition to credentials, XClient also steals browser data, credit card account information, and other financial data. Finally, XClient takes a screenshot of the victim's desktop and uploads it.
Meanwhile, researchers say there are indications that the attackers also targeted individuals in Vietnam.
“[XClient's] stealer functionality maps the stolen victim information to hard-coded Vietnamese characters and writes it to a text file on a temporary folder on the victim's machine before exfiltration,” the analysis states. “[It] contains Vietnamese words for account rights, thresholds, usage, time zone, and creation date.”
The CoralRaider group used automated bots on the Telegram service as a command-and-control channel and also to exfiltrate data from victims' systems. However, it appears that the cybercrime group infected one of its own machines, as Cisco researchers discovered screenshots of the actor's desktop posted on the channel.
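As an added detection example, not code from the Cisco Talos report, the following script checks constructed endpoint telemetry for the stages described above: a shortcut launching mshta against a remote HTA, PowerShell descended from that mshta process, and a non-browser process contacting the Telegram bot API. The event record formats, process names, hosts and the `api.telegram.org` destination are assumptions made for the example.

```python
"""Added detection example (not from the Cisco Talos report): flags the
CoralRaider stages described in the article in constructed endpoint
telemetry. Event fields, names and sample values are assumptions."""
from collections import namedtuple

# Process-creation and outbound-connection records (constructed formats).
ProcEvent = namedtuple("ProcEvent", "host pid ppid image cmdline")
NetEvent = namedtuple("NetEvent", "host pid dest")
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

def ancestry(ev, by_pid):
    """Image names from ev up the parent chain to the root."""
    chain, cur = [], ev
    while cur is not None:
        chain.append(cur.image)
        cur = by_pid.get((cur.host, cur.ppid))
    return chain

def detect(proc_events, net_events):
    """Return (host, reason) findings for the article's infection stages."""
    by_pid = {(e.host, e.pid): e for e in proc_events}
    findings = []
    for e in proc_events:
        # Stages 1-2: the shortcut runs mshta against an attacker-hosted HTA URL.
        if e.image == "mshta.exe" and "http" in e.cmdline.lower():
            findings.append((e.host, "mshta fetching remote HTA"))
        # Stage 3: PowerShell descended from mshta, directly or via wscript
        # (the article does not say whether the VBScript runs in-process).
        if e.image == "powershell.exe" and "mshta.exe" in ancestry(e, by_pid)[1:3]:
            findings.append((e.host, "HTA->VBScript->PowerShell chain"))
    for n in net_events:
        # Telegram bot API reached by a non-browser process (C2 / exfiltration).
        proc = by_pid.get((n.host, n.pid))
        if n.dest == "api.telegram.org" and proc and proc.image not in BROWSERS:
            findings.append((n.host, f"Telegram API contact from {proc.image}"))
    return findings

# Constructed sample: ws1 shows the full chain, ws2 is a normal browser user.
SAMPLE_PROC = [
    ProcEvent("ws1", 100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("ws1", 200, 100, "mshta.exe", "mshta.exe http://example.invalid/a.hta"),
    ProcEvent("ws1", 300, 200, "wscript.exe", "wscript.exe stage.vbs"),
    ProcEvent("ws1", 400, 300, "powershell.exe", "powershell.exe -File s1.ps1"),
    ProcEvent("ws2", 500, 1, "msedge.exe", "msedge.exe"),
]
SAMPLE_NET = [NetEvent("ws1", 400, "api.telegram.org"), NetEvent("ws2", 500, "api.telegram.org")]

def run_sample():
    return detect(SAMPLE_PROC, SAMPLE_NET)
```

Only the workstation exhibiting the chain produces findings; the browser's own contact with Telegram on the second host is ignored, which is the distinction a real rule needs to avoid noise.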
“After analyzing the images of the actor's desktop on the Telegram bot, we found several Vietnamese Telegram groups named 'Kiém Tien tử Facebook', 'Mua Bán Scan MINI' and 'Mua Bán Scan Meta',” says Cisco Talos in its analysis. “When we monitored these groups, we discovered that they were underground marketplaces where, among other things, victims' data was traded.”
It's no surprise that CoralRaider has appeared on the cyber threat scene. Vietnam is currently facing an increased threat from account-stealing malware, said Sakshi Grover, research manager in IDC's Asia/Pacific Cybersecurity Services Group.
“While historically less associated with cybercrime than other Asian countries, Vietnam is rapidly adopting digital technologies, making it more vulnerable to cyberthreats,” she says. “Advanced Persistent Threats (APTs) targeting government agencies, critical infrastructure, and businesses by using sophisticated techniques such as custom malware and social engineering to infiltrate systems and steal sensitive data are increasing.”
Economic conditions vary across Vietnam; limited employment opportunities in some regions, and the resulting low wages for highly skilled occupations, could motivate individuals to engage in cybercrime to make money, Grover said.