In recent findings, Cisco Talos has uncovered a new threat actor, dubbed “CoralRaider,” believed to originate from Vietnam and driven by financial motivations. Operating since at least 2023, CoralRaider has targeted victims primarily across Asian and Southeast Asian countries, focusing on the theft of credentials, financial data, and social media accounts, including business and advertisement profiles.The group employs sophisticated tactics, leveraging customized variants of known malware such as RotBot (a modified version of QuasarRAT) and the XClient stealer as primary payloads in their campaigns. Notably, CoralRaider utilizes the dead drop technique, utilizing legitimate services to host C2 configuration files and uncommon living-off-the-land binaries (LoLBins) like Windows Forfiles.exe and FoDHelper.exe.

In a recent discovery made by Talos in February 2024, CoralRaider has initiated a new campaign distributing renowned infostealer malware, including Cryptbot, LummaC2, and Rhadamanthys. Employing innovative tactics, the threat actor embeds PowerShell command-line arguments within LNK files to evade antivirus detection and facilitate payload downloads onto victim hosts.Furthermore, the campaign utilizes Content Delivery Network (CDN) cache domains as download servers for hosting malicious HTA files and payloads, adding another layer of complexity to their operations. Talos assesses with moderate confidence that CoralRaider is behind this campaign, noting overlaps in tactics, techniques, and procedures (TTPs) observed in previous Rotbot campaigns. These include the utilization of Windows Shortcut files as initial attack vectors, intermediate PowerShell decryptors, and FoDHelper techniques to bypass User Access Controls (UAC) on victim machines.

This research sheds light on the evolving tactics of CoralRaider and underscores the importance of continuous threat intelligence to combat emerging cyber threats effectively. Understanding the modus operandi of such threat actors is crucial for bolstering defenses and mitigating risks in today’s cybersecurity landscape.