April 24, 2024 at 09:15AM
Cisco’s Talos security research unit warns of threat actor CoralRaider using information stealers to target users worldwide and harvest credentials and financial data. The threat actor, likely of Vietnamese origin, has been active since at least 2023 and has been targeting users with a combination of three information stealers—Cryptbot, LummaC2, and Rhadamanthys—since February 2024. The attacks have impacted users from various countries including the US, UK, and Japan and involve phishing emails and malicious links to trigger a multi-stage infection chain. These information stealers are designed to exfiltrate sensitive data from various applications and crypto wallets. Cisco notes the possibility of a widespread attack across various business verticals and geographies.
The meeting notes from Cisco’s Talos security research unit reveal that a threat actor known as CoralRaider has been using multiple information stealers to harvest credentials and financial data from users worldwide. The threat actor has been active since at least 2023 and is likely of Vietnamese origin. In addition to using a customized variant of QuasarRAT called RotBot and the XClient stealer, CoralRaider has been targeting users with a combination of three information stealers: Cryptbot, LummaC2, and Rhadamanthys since February 2024.
The attacks have targeted individuals in various countries, including Ecuador, Egypt, Germany, Japan, Nigeria, Norway, Pakistan, the Philippines, Poland, Syria, Turkey, the UK, and the US. Some of the affected users were identified as users of computer service call center organizations in Japan and civil defense service organizations in Syria. The threat actor has utilized phishing emails containing malicious links to distribute ZIP archives containing crafted shortcut files that trigger a multi-stage infection chain involving PowerShell scripts and loaders designed to evade detection and execute the information stealers.
CryptBot, first seen in 2019, targets browsers, cryptocurrency wallets, and can take screenshots on infected systems. LummaC2, available via underground markets for years, can harvest system details and sensitive information from various applications. Rhadamanthys, dating back to 2022, can steal credentials from browsers and other applications, including chat, email, and VPN clients, as well as cryptocurrency wallets. The meeting notes also mention that the threat actor has been storing malicious files on a Content Delivery Network (CDN) cache to avoid detection.
This represents a significant cybersecurity threat affecting users from various business verticals and geographies. The potential widespread nature of the attacks, as well as the sophisticated methods employed by the threat actor, underscores the importance of robust security measures and ongoing vigilance to safeguard against such threats.