#HITB2024BKK

Hack In The Box Security Conference

A day ago

In recent findings, Cisco Talos has uncovered a new threat actor, dubbed "CoralRaider," believed to originate from Vietnam and driven by financial motivations. Operating since at least 2023, CoralRaider has targeted victims primarily across Asian and Southeast Asian countries, focusing on the theft of credentials, financial data, and social media accounts, including business and advertisement profiles. The group employs sophisticated tactics, leveraging customized variants of known malware such as RotBot (a modified version of QuasarRAT) and the XClient stealer as the primary payloads in its campaigns. Notably, CoralRaider uses the dead drop technique, hosting its C2 configuration files on legitimate services, and relies on uncommon living-off-the-land binaries (LoLBins) such as Windows Forfiles.exe and FoDHelper.exe.
In a recent discovery made by Talos in February 2024, CoralRaider has initiated a new campaign distributing well-known infostealer malware, including Cryptbot, LummaC2, and Rhadamanthys. Employing innovative tactics, the threat actor embeds PowerShell command-line arguments within LNK files to evade antivirus detection and facilitate payload downloads onto victim hosts. Furthermore, the campaign uses Content Delivery Network (CDN) cache domains as download servers for hosting malicious HTA files and payloads, adding another layer of complexity to its operations. Talos assesses with moderate confidence that CoralRaider is behind this campaign, noting overlaps with the tactics, techniques, and procedures (TTPs) observed in previous RotBot campaigns. These include the use of Windows Shortcut files as initial attack vectors, intermediate PowerShell decryptors, and FoDHelper techniques to bypass User Account Control (UAC) on victim machines.
This research sheds light on the evolving tactics of CoralRaider and underscores the importance of continuous threat intelligence in combating emerging cyber threats effectively. Understanding the modus operandi of such threat actors is crucial for bolstering defenses and mitigating risks in today's cybersecurity landscape.
===
Joey Chen works as a Cyber Threat Researcher for Cisco Talos in Taiwan. His major areas of research include incident response, APT investigation, malware analysis and cryptography analysis. He has been a speaker at HITB, Virus Bulletin, AVAR, CODEBLUE, DeepIntel, HITCON and CYBERSEC, and received the 2018 Training Ambassador & Trainer prize at Trend Micro. He is currently focusing on the security issues of targeted attacks, emerging threats and IoT systems. He also develops an automated intelligence platform to help his team get more sleep at night.
----
Chetan Raghuprasad is a cyber threat researcher with Cisco Talos, focusing on hunting and researching the latest threats in the cyber threat landscape and generating actionable intelligence. He seeks to uncover threat actors' tactics, techniques, and procedures by reversing and analysing the threats. Chetan also publicly represents Cisco Talos by writing blogs and speaking at cybersecurity conferences worldwide. Chetan Raghuprasad has 15 years of professional experience with expertise in threat research and malware analysis, cyber incident response, and digital forensic analysis, and has worked in technology, consulting, and financial institutions. He is a CISSP-certified and SANS-certified Malware Reverse Engineer.
