CoralRaider Campaign Spreads Malware Disguised

According to a recent report by Cisco Talos, the CoralRaider group is utilizing CDN platforms to disseminate malware in the United States, the United Kingdom, Germany, and Japan. The campaign aims to pilfer credentials, financial information, and social media accounts. CoralRaider employs widely available infostealers such as LummaC2, Rhadamanthys, and Cryptbot, which are distributed under a Ransomware-as-a-Service (RaaS) model. Based on the analysis of previous attacks, experts attribute the CoralRaider campaign with “moderate confidence.”

The infection process begins when a victim opens an archive containing a malicious LNK shortcut, which downloads and executes an encrypted HTA application from a hacker-controlled subdomain on the CDN platform. By leveraging the CDN cache as a delivery server for the malware, the hacker avoids request delays and circumvents network security.

Subsequently, a series of PowerShell scripts and auxiliary utilities such as FoDHelper.exe modify system settings to bypass User Access Control (UAC) and add exceptions for Windows Defender.

The versions of malware used incorporate new features, including:

  • Intercepting data from RDP sessions and restoring “expired” Google account cookies (LummaC2 and Rhadamanthys);
  • Advanced obfuscation and anti-analysis mechanisms (LummaC2 and Rhadamanthys);
  • An expanded list of target applications, including password managers and authentication apps, posing a threat to cryptocurrency wallets with two-factor authentication (CryptBot).

Researchers believe that the CoralRaider group, presumably based in Vietnam, has been active since 2023 and previously used a Telegram bot for control and data exfiltration. Although past attacks predominantly targeted Asian and Southeast Asian countries, recent operations have expanded their reach to include the USA, Nigeria, Pakistan, Ecuador, Egypt, the United Kingdom, Poland, the Philippines, Norway, Japan, Syria, and Turkey.