Hackers from Vietnam launched data theft campaign across Asia

April 5, 2024

A sophisticated threat group originating from Vietnam has unleashed a wave of malware attacks across multiple Asian and Southeast Asian countries since May 2023, aiming to harvest sensitive financial data and credentials.

Known as CoralRaider, this cybercriminal group operates with a clear financial motivation, targeting nations including India, China, South Korea, Bangladesh, Pakistan, Indonesia, and their home country, Vietnam.

The CoralRaider hackers focus on the theft of valuable credentials, financial records, and social media accounts, including those with business and advertising ties. They deploy a range of malicious software, including a customised variant of Quasar RAT known as RotBot, along with the XClient stealer. This arsenal of malware also includes other tools such as AsyncRAT, NetSupport RAT, and Rhadamanthys, enabling them to gain unauthorised access to victims’ systems and extract critical information.

Their strategy of targeting corporate and advertising accounts is particularly concerning since they use malware families like Ducktail, NodeStealer, and VietCredCare to exploit these accounts for additional illicit benefits. Once obtained, the data is sent over Telegram’s encrypted channels to underground marketplaces, where it is sold for profit.

The origins of CoralRaider, linked to Vietnam, are confirmed through evidence in their communication channels.

Investigators have traced the origins of CoralRaider to Vietnam, substantiated by evidence found in their communication channels on Telegram, as well as Vietnamese-language elements embedded within their malware payloads. The attack chain typically begins with the distribution of a Windows shortcut file (LNK). Opening it leads the victim to unwittingly download and execute an HTML application (HTA) file from an attacker-controlled server, which in turn triggers a sequence of PowerShell scripts that ultimately deploy the RotBot malware.
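The LNK to HTA to PowerShell chain above is what a defender would look for in endpoint process telemetry. The following detector is an added example, not code from the article or from the researchers who documented CoralRaider; it assumes the HTA is hosted by mshta.exe and that the shortcut is opened from explorer.exe, and it runs over constructed, Sysmon-style process-creation records rather than real telemetry.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (constructed, Sysmon-like fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry: one benign PowerShell launch and one matching
# the explorer -> mshta -> powershell pattern (the URL is a placeholder).
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2001, 1000, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://hta-host.example/stage.hta"),
    ProcEvent(2002, 2001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c ..."),
    ProcEvent(3001, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(3002, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File script.ps1"),
]

# Assumed chain for a shortcut that drops an HTA which then runs PowerShell.
SUSPICIOUS_CHAIN = ("explorer.exe", "mshta.exe", "powershell.exe")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from the outermost known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # stop at unknown parent or a cycle
        seen.add(pid)
        chain.append(_basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def find_hta_powershell_chains(events):
    """Return (pid, chain) for each PowerShell process spawned via the suspicious chain."""
    hits = []
    for e in events:
        if _basename(e.image) != "powershell.exe":
            continue
        chain = ancestry(events, e.pid)
        if tuple(chain[-3:]) == SUSPICIOUS_CHAIN:
            hits.append((e.pid, chain))
    return hits
```

Only the PowerShell process whose parent is mshta.exe under explorer.exe is flagged; the directly launched script on pid 3002 is not.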

RotBot and XClient are engineered to extract a wide array of sensitive information from victim systems, including login credentials, financial data, and social media activity. Notably, XClient is adept at siphoning data from popular web browsers such as Brave, Cốc Cốc, Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, as well as messaging platforms like Discord and Telegram, and social media networks including Facebook, Instagram, TikTok, and YouTube.

Separate studies revealed a distinct malvertising operation on Facebook that used generative AI tools to spread various information-stealing malware, including Rilide, Vidar, IceRAT, and the recently discovered Nova Stealer.

These attackers take over legitimate Facebook profiles, rebrand them to impersonate well-known AI tools, and use sponsored adverts to broaden their reach, with one counterfeit page gaining over 1.2 million followers before being shut down.

The effects of these coordinated cyber attacks are significant, with users across Europe also falling victim to the malvertising campaigns conducted through Facebook’s sponsored ad system. The propagation of such threats underscores the critical importance of robust cybersecurity measures and heightened vigilance in the face of evolving cyber threats.
