April 24, 2024 at 01:39AM
A new malware campaign, linked to threat actor CoralRaider, is distributing multiple stealers via Content Delivery Network (CDN) cache domains. The campaign targets various businesses in different countries, adopting deceptive tactics such as phishing emails and booby-trapped links to propagate malware. The modular PowerShell loader script bypasses User Access Controls (UAC) to deploy stealers like CryptBot, LummaC2, and Rhadamanthys, aimed at stealing sensitive information.
Summary of Meeting Notes:
Date: April 24, 2024
Topic: Newsroom Malware / Data Security
– Ongoing malware campaign distributing three different stealers (CryptBot, LummaC2, Rhadamanthys) observed on Content Delivery Network (CDN) cache domains since at least February 2024.
– Activity attributed to threat actor CoralRaider, with targets spanning across various business verticals and geographies.
– Attack chains involve users downloading files masquerading as movie files via a web browser, potentially leading to a large-scale attack.
– Initial access vector for the drive-by downloads suspected to be phishing emails, utilizing booby-trapped links pointing to ZIP archives containing Windows shortcut (LNK) files.
– Notable use of updated CryptBot with new anti-analysis techniques and ability to capture password manager and authenticator application information.
For more information, follow on Twitter and LinkedIn for exclusive content.