{"id":14908,"date":"2024-08-06T08:23:58","date_gmt":"2024-08-06T08:23:58","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/?post_type=session&#038;p=14908"},"modified":"2024-09-03T02:24:18","modified_gmt":"2024-09-03T02:24:18","slug":"commsec-coralraider-targets-victims-data-and-social-media-accounts","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/commsec-coralraider-targets-victims-data-and-social-media-accounts\/","title":{"rendered":"COMMSEC: CoralRaider Targets Victims Data and Social Media Accounts"},"content":{"rendered":"<div class=\"simple_format\">\n<p><strong><a href=\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/materials\/D1T1%20-%20%20Silencing%20Spies%20-%20Revealing%20Microphone%20Nonlinear%20Behavior%20and%20Building%20an%20Ultrasonic%20Jammer%20-%20Hetian%20Shi%20&amp;%20Qing%20Wang.pdf\">PRESENTATION SLIDES<\/a><\/strong><\/p>\n<p style=\"text-align: justify;\">In recent findings, Cisco Talos has uncovered a new threat actor, dubbed &#8220;CoralRaider,&#8221; believed to originate from Vietnam and driven by financial motivations. Operating since at least 2023, CoralRaider has targeted victims primarily across Asian and Southeast Asian countries, focusing on the theft of credentials, financial data, and social media accounts, including business and advertisement profiles.The group employs sophisticated tactics, leveraging customized variants of known malware such as RotBot (a modified version of QuasarRAT) and the XClient stealer as primary payloads in their campaigns. Notably, CoralRaider utilizes the dead drop technique, utilizing legitimate services to host C2 configuration files and uncommon living-off-the-land binaries (LoLBins) like Windows Forfiles.exe and FoDHelper.exe.<\/p>\n<p style=\"text-align: justify;\">In a recent discovery made by Talos in February 2024, CoralRaider has initiated a new campaign distributing renowned infostealer malware, including Cryptbot, LummaC2, and Rhadamanthys. Employing innovative tactics, the threat actor embeds PowerShell command-line arguments within LNK files to evade antivirus detection and facilitate payload downloads onto victim hosts.Furthermore, the campaign utilizes Content Delivery Network (CDN) cache domains as download servers for hosting malicious HTA files and payloads, adding another layer of complexity to their operations. Talos assesses with moderate confidence that CoralRaider is behind this campaign, noting overlaps in tactics, techniques, and procedures (TTPs) observed in previous Rotbot campaigns. These include the utilization of Windows Shortcut files as initial attack vectors, intermediate PowerShell decryptors, and FoDHelper techniques to bypass User Access Controls (UAC) on victim machines.<\/p>\n<p style=\"text-align: justify;\">This research sheds light on the evolving tactics of CoralRaider and underscores the importance of continuous threat intelligence to combat emerging cyber threats effectively. Understanding the modus operandi of such threat actors is crucial for bolstering defenses and mitigating risks in today&#8217;s cybersecurity landscape.<\/p>\n<\/div>\n","protected":false},"template":"","class_list":["post-14908","session","type-session","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>COMMSEC: CoralRaider Targets Victims Data and Social Media Accounts - HITBSecConf2024 - Bangkok<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/commsec-coralraider-targets-victims-data-and-social-media-accounts\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"COMMSEC: CoralRaider Targets Victims Data and Social Media Accounts - HITBSecConf2024 - Bangkok\" \/>\n<meta property=\"og:description\" content=\"PRESENTATION SLIDES In recent findings, Cisco Talos has uncovered a new threat actor, dubbed &#8220;CoralRaider,&#8221; believed to originate from Vietnam and driven by financial motivations. Operating since at least 2023, CoralRaider has targeted victims primarily across Asian and Southeast Asian countries, focusing on the theft of credentials, financial data, and social media accounts, including business [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/commsec-coralraider-targets-victims-data-and-social-media-accounts\/\" \/>\n<meta property=\"og:site_name\" content=\"HITBSecConf2024 - Bangkok\" \/>\n<meta property=\"article:modified_time\" content=\"2024-09-03T02:24:18+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/commsec-coralraider-targets-victims-data-and-social-media-accounts\/\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/commsec-coralraider-targets-victims-data-and-social-media-accounts\/\",\"name\":\"COMMSEC: CoralRaider Targets Victims Data and Social Media Accounts - HITBSecConf2024 - Bangkok\",\"isPartOf\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/#website\"},\"datePublished\":\"2024-08-06T08:23:58+00:00\",\"dateModified\":\"2024-09-03T02:24:18+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/commsec-coralraider-targets-victims-data-and-social-media-accounts\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/commsec-coralraider-targets-victims-data-and-social-media-accounts\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/commsec-coralraider-targets-victims-data-and-social-media-accounts\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Session\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"COMMSEC: CoralRaider Targets Victims Data and Social Media Accounts\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/#website\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/\",\"name\":\"HITBSecConf2024 - Bangkok\",\"description\":\"August 26 - 30 @ InterContinental\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"COMMSEC: CoralRaider Targets Victims Data and Social Media Accounts - HITBSecConf2024 - Bangkok","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/commsec-coralraider-targets-victims-data-and-social-media-accounts\/","og_locale":"en_US","og_type":"article","og_title":"COMMSEC: CoralRaider Targets Victims Data and Social Media Accounts - HITBSecConf2024 - Bangkok","og_description":"PRESENTATION SLIDES In recent findings, Cisco Talos has uncovered a new threat actor, dubbed &#8220;CoralRaider,&#8221; believed to originate from Vietnam and driven by financial motivations. Operating since at least 2023, CoralRaider has targeted victims primarily across Asian and Southeast Asian countries, focusing on the theft of credentials, financial data, and social media accounts, including business [&hellip;]","og_url":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/commsec-coralraider-targets-victims-data-and-social-media-accounts\/","og_site_name":"HITBSecConf2024 - Bangkok","article_modified_time":"2024-09-03T02:24:18+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/commsec-coralraider-targets-victims-data-and-social-media-accounts\/","url":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/commsec-coralraider-targets-victims-data-and-social-media-accounts\/","name":"COMMSEC: CoralRaider Targets Victims Data and Social Media Accounts - HITBSecConf2024 - Bangkok","isPartOf":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/#website"},"datePublished":"2024-08-06T08:23:58+00:00","dateModified":"2024-09-03T02:24:18+00:00","breadcrumb":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/commsec-coralraider-targets-victims-data-and-social-media-accounts\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/commsec-coralraider-targets-victims-data-and-social-media-accounts\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/commsec-coralraider-targets-victims-data-and-social-media-accounts\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/"},{"@type":"ListItem","position":2,"name":"Session","item":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/"},{"@type":"ListItem","position":3,"name":"COMMSEC: CoralRaider Targets Victims Data and Social Media Accounts"}]},{"@type":"WebSite","@id":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/#website","url":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/","name":"HITBSecConf2024 - Bangkok","description":"August 26 - 30 @ InterContinental","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-json\/wp\/v2\/session\/14908"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-json\/wp\/v2\/session"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-json\/wp\/v2\/types\/session"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/wp-json\/wp\/v2\/media?parent=14908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}