Vietnamese Cybercrime Group CoralRaider Nets Financial Data


April 9, 2024 at 12:02AM

A new cybercrime group, CoralRaider, linked to Vietnam, targets individuals and organizations in Asia to steal social media account information and user data. The group relies on social engineering and on legitimate services for data exfiltration, but it has made operational mistakes that exposed its activity. CoralRaider prioritizes financial gain and does not appear to be working with the Vietnamese government. The group’s tactics and motives are detailed in the analysis by Cisco’s Talos threat intelligence group. Vietnam is experiencing an increase in cyber threats, with a rise in account-stealing malware.

From the meeting notes, I have summarized the following key points:

1. The cybercrime group CoralRaider is linked to Vietnam and has targeted individuals and organizations in Asia, aiming to steal social media account information and user data.
2. The group’s activities were exposed due to some rookie mistakes, such as inadvertently infecting their own systems.
3. CoralRaider’s main motive is financial gain, and they are attempting to hijack victims’ social media business and advertising accounts.
4. The group’s multistage infection chain uses malicious Windows shortcut (LNK) files, HTML applications (HTA), VBScript files, and PowerShell scripts to download and execute malware for reconnaissance and data exfiltration.
5. XClient, the malware used by CoralRaider, steals various user data, including social media account credentials, browser data, credit card information, and takes screenshots of victims’ desktops.
6. The group used an automated bot on the Telegram service as a command-and-control channel and to exfiltrate data from victims’ systems. They also traded victim data on underground markets.
7. Vietnam is facing an increase in cyber threats, and economic conditions in some areas incentivize individuals to engage in cybercrime for financial gain.
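The infection chain in point 4 and the Telegram-based exfiltration in point 6 are both visible in ordinary endpoint telemetry. The following detection sketch is an added example for this summary, not code from the article or from Talos: it walks a set of constructed, Sysmon-style process-creation and network-connection records (the event shape, the sample command lines, and the hostnames are all assumptions) and flags a PowerShell process whose lineage runs mshta.exe -> wscript.exe/cscript.exe -> powershell.exe, as well as connections to the Telegram API originating from a script host.

```python
import re

# Constructed sample telemetry (not real data), in a Sysmon-like shape:
# process-creation records carry pid/ppid/image/cmdline, network records
# carry the originating pid and the destination host.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    # A double-clicked shortcut whose target launches mshta on a remote HTA
    {"type": "process", "pid": 200, "ppid": 100, "image": "mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/stage1.hta"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\victim\\AppData\\Local\\Temp\\stage2.vbs"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"type": "network", "pid": 400, "image": "powershell.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    # Benign noise: an administrator running PowerShell from a console
    {"type": "process", "pid": 500, "ppid": 100, "image": "cmd.exe",
     "cmdline": "cmd.exe"},
    {"type": "process", "pid": 600, "ppid": 500, "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"type": "network", "pid": 600, "image": "powershell.exe",
     "dest_host": "www.example.org", "dest_port": 443},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}

# Ordered stages of the chain described in the summary; each stage is a set of
# acceptable image names, and the lineage must contain them in this order.
CHAIN_STAGES = [
    {"mshta.exe"},
    {"wscript.exe", "cscript.exe"},
    {"powershell.exe", "pwsh.exe"},
]

# Encoded-command or hidden-window switches commonly seen on stager scripts.
ENCODED_OR_HIDDEN = re.compile(
    r"(?i)(?:\s-(?:e|enc|encodedcommand)\s|\s-w(?:indowstyle)?\s+hidden\b)"
)


def ancestry(pid, procs):
    """Return image names from pid upward (nearest first); stops at unknown or cyclic ppid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return chain


def is_script_host_chain(lineage):
    """True when the CHAIN_STAGES appear in order (as a subsequence) in a root-first lineage."""
    stage = 0
    for image in lineage:
        if stage < len(CHAIN_STAGES) and image in CHAIN_STAGES[stage]:
            stage += 1
    return stage == len(CHAIN_STAGES)


def detect(events):
    """Run both rules over the events and return a list of findings (dicts)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    # Rule 1: PowerShell spawned through the mshta -> script host chain.
    for pid, proc in procs.items():
        if proc["image"].lower() not in {"powershell.exe", "pwsh.exe"}:
            continue
        lineage = list(reversed(ancestry(pid, procs)))  # root first
        if is_script_host_chain(lineage):
            findings.append({
                "rule": "lnk_hta_vbs_powershell_chain",
                "pid": pid,
                "lineage": " -> ".join(lineage),
                "obfuscated_powershell": bool(ENCODED_OR_HIDDEN.search(proc["cmdline"])),
            })
    # Rule 2: Telegram API traffic originating from a script host or PowerShell,
    # matching the bot-based C2/exfiltration channel the summary describes.
    for e in events:
        if e["type"] != "network":
            continue
        origin = procs.get(e["pid"], {}).get("image", "unknown").lower()
        if e["dest_host"].lower().endswith("telegram.org") and origin in SCRIPT_HOSTS:
            findings.append({
                "rule": "telegram_api_from_script_host",
                "pid": e["pid"],
                "origin": origin,
                "dest_host": e["dest_host"],
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The lineage check matches the stages as a subsequence rather than requiring strict adjacency, so an intermediate cmd.exe or conhost.exe launched between stages does not defeat the rule; the benign console-launched PowerShell in the sample produces no finding because its lineage never passes through mshta.exe.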

