A suspected Vietnamese-origin threat actor has been observed targeting victims in several Asian and Southeast Asian countries with malware designed to harvest valuable data since at least May 2023.
Cisco Talos is tracking the cluster under the name CoralRaider, describing it as financially motivated. Targets of the campaign include India, China, South Korea, Bangladesh, Pakistan, Indonesia, and Vietnam.
“This group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts,” security researchers Chetan Raghuprasad and Joey Chen said. “They use RotBot, a customized variant of Quasar RAT, and XClient stealer as payloads.”
Other commodity malware used by the group comprises a combination of remote access trojans and information stealers such as AsyncRAT, NetSupport RAT, and Rhadamanthys.
The targeting of business and advertisement accounts has been of particular focus for attackers operating out of Vietnam, with various stealer malware families like Ducktail, NodeStealer, and VietCredCare deployed to take control of the accounts for further monetization.
The modus operandi entails the use of Telegram to exfiltrate the stolen information from victim machines, which is then traded in underground markets to generate illicit revenues.
“CoralRaider operators are based in Vietnam, based on the actor messages in their Telegram C2 bot channels and language preference in naming their bots, PDB strings, and other Vietnamese words hard-coded in their payload binaries,” the researchers said.
Attack chains start with a Windows shortcut file (LNK), although there is currently no clear explanation as to how these files are distributed to the targets.
© Copyright RawNews1st
