A threat actor has been using a content delivery network cache to store information-stealing malware in an ongoing campaign targeting systems U.S., the U.K., Germany, and Japan.
Researchers believe that behind the campaign is CoralRaider, a financially motivated threat actor focused on stealing credentials, financial data, and social media accounts.
The hackers deliver LummaC2, Rhadamanthys, and Cryptbot info stealers that are available on underground forums from malware-as-a-service platforms for a subscription fee.
Cisco Talos assesses with moderate confidence that the campaign is a CoralRaider operation, based on similarities in tactics, techniques, and procedures (TTPs) with past attacks attributed to the threat actor.
Hints pointing to CoralRaider include the initial attack vectors, the use of intermediate PowerShell scripts for decryption and payload delivery, and specific methods to bypass User Access Controls (UAC) on victim machines.
CoralRaider infection chain
Cisco Talos reports that the latest CoralRaider attacks start with the victim opening an archive containing a malicious Windows shortcut file (.LNK).
It is unclear how the archive is delivered but it could be as an attachment to a malicious email, as a download from an untrusted location, or promoted through malvertising.
The LNK contains PowerShell commands that download and execute a heavily obfuscated HTML Application (HTA) file from an attacker-controlled subdomain on the Bynny content delivery network (CDN) platform.
By using the CDN cache as a malware delivery server, the threat actor avoids request delays and also deceives network defenses.
The HTA file contains JavaScript that decodes and runs a PowerShell decrypter script, which unpacks a second script that writes a batch script in a temporary folder. The goal is to remain undetected by modifying Windows Defender exclusions.
A native Windows binary, the FoDHelper.exe LoLBin, is used to edit registry keys and bypass the User Access Control (UAC) security feature.
After this step, the PowerShell script downloads and executes one of the three info stealers (Cryptbot, LummaC2, or Rhadamanthys) that had been added in a location excluded from Defender’s scanning.
Info-stealing payloads
Cisco Talos says CoralRaider uses fairly recent versions of LummaC2 and Rhadamanthys, which in late 2023 added powerful features like capturing RDP logins and reviving expired Google account cookies [1, 2].
Although Cryptbot is less popular, it is a notable threat that infected 670,000 computers in a year.
Cisco Talos says that the variant seen in CoralRaider’s recent attacks was released in January and has better obfuscation and anti-analysis mechanisms, and an expanded list of targeted applications.
Cisco Talos also notes that Cryptbot is also targeting databases for password managers as well as authenticator apps data to steal cryptocurrency wallets protected with two-factor authentication.
CoralRaider has been active since at least 2023 and researchers believe it is based in Vietnam. In a previous campaign, the threat actor relied on a Telegram bot for command-and-control (C2) and to exfiltrate victim data.
Its victims are typically in Asian and Southeast Asian countries. However, the latest operation has extended targeting to the U.S., Nigeria, Pakistan, Ecuador, Germany, Egypt, the U.K., Poland, the Philippines, Norway, Japan, Syria and Turkey.