Vietnamese cybergang steals financial data and hijacks social media accounts

A new cybercrime group linked to Vietnam has targeted individuals and organizations in Asia, attempting to steal information about social media accounts and user data.

CoralRaider, which first appeared in late 2023, relies heavily on social engineering and legitimate services for data exfiltration and develops customized tools to load malware onto victims’ systems. But the group also made some rookie mistakes, such as inadvertently infecting their own systems, which exposed their activities, threat researchers from Cisco’s Talos threat intelligence group said in a new analysis on CoralRaider.

Although Vietnam has become increasingly active in cyber operations, this group does not appear to be cooperating with the government, says Chetan Raghuprasad, technical leader of security research for Cisco’s Talos group.

“The main priority is financial gain and the actor is attempting to hijack the victim’s social media and advertising business account,” he says. “Potential exposure to subsequent attacks, including distribution of other malware, is also possible. Our research has not found any examples of other payloads being delivered.”

Vietnamese threat actors often focus on social media. The infamous group OceanLotus – also known as APT32 – has attacked other governments, dissidents and journalists in Southeast Asian countries, including Vietnam. An army-associated group, Force 47, linked to the official Vietnamese army television station, regularly attempts to influence social media groups.

CoralRaider, however, appears to be linked to profit motives rather than nationalist agendas.

“At this time, we have no evidence or information to suggest that CoralRaider is cooperating with the Vietnamese government,” Raghuprasad says.

Multistage infection chain

A CoralRaider campaign typically begins with a Windows shortcut (.LNK) file, often given a .PDF extension to trick the victim into opening it, according to Cisco’s analysis. The attack then proceeds through a series of stages:

  1. The Windows shortcut downloads and executes an HTML application (HTA) file from an attacker-controlled server

  2. The HTA file runs an embedded Visual Basic script

  3. The VB script runs a PowerShell script, which in turn runs three further PowerShell scripts: a set of anti-analysis checks that detect whether the tool is running in a virtual machine, a bypass for Windows User Account Control (UAC), and code that disables any notifications to the user

  4. The final script runs RotBot, a loader that performs detection evasion, conducts reconnaissance on the system, and downloads a configuration file

  5. RotBot then typically downloads XClient, which collects a variety of user data from the system, including social media account credentials

In addition to credentials, XClient also steals browser data, credit card account information, and other financial data. Finally, XClient takes a screenshot of the victim’s desktop and uploads it.
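The first stage above, a shortcut file dressed up as a document, is the point where defenders have the cheapest detection opportunity, because a .LNK file carries a fixed header regardless of what its name claims. The following triage script is an added example, not code from the Talos report or from the CoralRaider tooling; it flags files whose bytes are a Windows ShellLink but whose name ends in a document extension before the real .lnk suffix, and it looks for generic HTA-related strings in the shortcut body. The ShellLink header magic is the documented format signature; the HTA indicator strings and the sample shortcut blob are assumptions constructed for the example, not strings quoted from the page.

```python
"""Triage heuristics for Windows shortcut (.LNK) lures posing as documents.

Added example for this article; not from the Talos analysis or the
CoralRaider tooling. Assumptions: LNK_MAGIC is the standard ShellLink
signature; HTA_INDICATORS is a generic heuristic; SAMPLE_LNK is a
constructed fixture.
"""
from pathlib import PurePath
from typing import List, Optional

# ShellLink header: HeaderSize (0x4C) followed by the fixed LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Document extensions an attacker may place in front of the real .lnk suffix.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

# Strings suggesting the shortcut launches an HTML application.
# Assumption for this example; the article does not list exact strings.
HTA_INDICATORS = [b".hta", b"mshta"]


def is_lnk(data: bytes) -> bool:
    """True if the bytes begin with the ShellLink header."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def deceptive_extension(name: str) -> Optional[str]:
    """Return the document extension hidden before .lnk, e.g. '.pdf' for
    'invoice.pdf.lnk' (padding spaces are tolerated), otherwise None."""
    suffixes = [s.strip().lower() for s in PurePath(name).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in DOCUMENT_EXTS:
        return suffixes[-2]
    return None


def hta_indicators(data: bytes) -> List[str]:
    """Find HTA-related strings in ASCII or UTF-16LE encoding
    (string data inside a LNK is normally UTF-16LE)."""
    hits = []
    for ind in HTA_INDICATORS:
        wide = ind.decode().encode("utf-16-le")
        if ind in data or wide in data:
            hits.append(ind.decode())
    return hits


def triage(name: str, data: bytes) -> List[str]:
    """Return human-readable findings for one file (empty list = nothing seen)."""
    findings = []
    lnk = is_lnk(data)
    ext = deceptive_extension(name)
    if lnk and ext:
        findings.append(f"LNK shortcut disguised as {ext} document")
    elif lnk and not name.lower().endswith(".lnk"):
        findings.append("file content is a LNK but the name has no .lnk suffix")
    if lnk:
        for hit in hta_indicators(data):
            findings.append(f"shortcut references HTA content or launcher ({hit})")
    return findings


# Constructed sample: minimal ShellLink header padded to 0x4C bytes, followed
# by a UTF-16LE target string pointing at an HTA on a reserved test domain.
SAMPLE_LNK = (
    LNK_MAGIC
    + b"\x00" * (0x4C - len(LNK_MAGIC))
    + "http://example.invalid/stage.hta".encode("utf-16-le")
)

if __name__ == "__main__":
    for finding in triage("invoice.pdf.lnk", SAMPLE_LNK):
        print("-", finding)
```

On a mail gateway or file share scanner this runs per attachment; the header check is what matters, since Windows hides the .lnk suffix by default and the displayed name alone will look like a PDF.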

Meanwhile, according to researchers, there are indications that attackers have also targeted people in Vietnam.

“The [XClient] stealer function maps the stolen victim’s information into hard-coded Vietnamese words and writes it to a text file in the temporary folder of the victim’s computer before exfiltration,” the analysis states. “One example function we observed is used to steal the victim’s Facebook Ads account, which is hardcoded with Vietnamese words for Account Rights, Threshold, Spent, Time Zone, and Creation Date.”

The CoralRaider group used an automated bot on the Telegram service as a command-and-control channel and also to exfiltrate data from victims’ systems. However, the group appears to have infected one of its own machines, because Cisco researchers discovered screenshots of the actor’s own desktop among the information published on the channel.

“By analyzing the actor’s desktop images on the Telegram bot, we found some Telegram groups in Vietnamese called ‘Kiém tien tử Facebook,’ ‘Mua Bán Scan MINI’ and ‘Mua Bán Scan Meta,’” Cisco Talos said in the analysis. “Monitoring of these groups revealed that they were clandestine markets where, among other activities, victim data was exchanged.”

CoralRaider’s arrival on the cyber threat scene is unsurprising: Vietnam is currently facing an increase in threats from account-stealing malware, says Sakshi Grover, research manager in IDC’s Cybersecurity Services group for the Asia/Pacific region.

“Although historically less associated with cybercrime than other Asian nations, Vietnam’s rapid adoption of digital technologies has made it more susceptible to cyber threats,” he says. “Advanced persistent threats (APTs) are increasingly targeting government agencies, critical infrastructure and enterprises, using sophisticated techniques such as custom malware and social engineering to infiltrate systems and steal sensitive data.”

Because economic conditions vary across Vietnam – with some areas having limited job opportunities, resulting in low wages for highly skilled roles – individuals may be incentivized to engage in cybercrime to make money, Grover says.
