A threat group that has been active since last year and was first publicly described earlier this month is using three high-profile information stealers in a wide-ranging campaign to harvest credentials, financial information, and cryptocurrency wallets from victims around the world who downloaded malware disguised as movie files.
Researchers with Cisco’s Talos threat intelligence unit are attributing the attacks to CoralRaider, a financially motivated threat group most likely operating out of Vietnam that they first wrote about earlier this month. The assessment, made with moderate confidence, rests on overlaps in tactics and techniques with the earlier Rotbot campaign linked to the group.
Those similarities include the use of a Windows shortcut (LNK) file as the initial attack vector, an intermediate PowerShell decryptor and payload-download script, and the FoDHelper technique for bypassing User Account Control (UAC).
However, while the earlier campaign targeted victims in Asia and Southeast Asia, the latest one, which Talos has been tracking since February, has a significantly broader reach, with victims in the United States; Europe, including the UK, Germany, Poland, and Norway; and other regions, such as Africa (Nigeria and Egypt), South America (Ecuador), the Middle East (Syria), and Asia (Japan, the Philippines, and Turkey).
The use of malicious files made to look like movie files, delivered via phishing messages and downloaded through the browser, indicates “the possibility of a widespread attack on users across various business verticals and geographies,” researchers Joey Chen, Chetan Raghuprasad, and Alex Karkins wrote.
“We observe that this threat actor is using a Content Delivery Network (CDN) cache to store the malicious files on their network edge host in this campaign, avoiding request delay,” they wrote. “The actor is using the CDN cache as a download server to deceive network defenders.”
In attacks over the past couple of months, CoralRaider has been distributing three infostealers: CryptBot, LummaC2, and Rhadamanthys.
According to Chen, Raghuprasad, and Karkins, the attack starts with phishing emails that carry malicious links. Clicking a link triggers a drive-by download of a ZIP archive; if the victim opens the malicious shortcut file inside it, the infection chain begins.
The Windows shortcut file contains an embedded PowerShell command that fetches and runs a malicious HTA file hosted on CDN domains controlled by CoralRaider. The heavily obfuscated HTA file executes JavaScript that in turn runs a PowerShell decrypter script. The decrypted PowerShell loader runs entirely in memory, takes several steps to evade detection and bypass UAC, and then downloads and runs one of the information stealers.
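The two host artifacts a defender can check for from the chain above are the LNK file itself and the registry key the FoDHelper bypass leaves behind. The following PowerShell audit is an added example, not Talos’s detection logic or anything recovered from CoralRaider. The ms-settings registry path is the documented FoDHelper hijack location; the search root for shortcuts and the command-line patterns are assumptions that a practitioner should tune.

```powershell
# Added example: audit a Windows host for two artifacts of the LNK -> HTA -> PowerShell chain.
# Not Talos's code or CoralRaider's. Registry path is the documented FoDHelper hijack
# location; the shortcut search root and regex patterns are assumptions.

function Test-FodHelperHijack {
    # fodhelper.exe is an auto-elevating Windows binary that opens the ms-settings: protocol
    # handler. A per-user handler under HKCU shadows the machine-wide one, so whatever command
    # is written there runs at high integrity with no UAC prompt. An empty DelegateExecute
    # value is the classic marker; the CurVer subkey is a variant of the same trick.
    $findings = @()
    foreach ($key in 'HKCU:\Software\Classes\ms-settings\Shell\Open\command',
                     'HKCU:\Software\Classes\ms-settings\CurVer') {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $findings += [pscustomobject]@{
                Key             = $key
                Default         = $props.'(default)'
                DelegateExecute = ($props.PSObject.Properties.Name -contains 'DelegateExecute')
            }
        }
    }
    # A clean profile has no per-user ms-settings handler at all, so an empty result is expected.
    return $findings
}

function Get-SuspiciousShortcut {
    # Assumption: browser downloads land in the user's Downloads folder; adjust as needed.
    param([string]$Root = "$env:USERPROFILE\Downloads")

    $shell = New-Object -ComObject WScript.Shell
    # Script hosts and LOLBins a shortcut should rarely point at when it claims to be a movie.
    $launchers   = 'powershell(\.exe)?|pwsh|mshta|cmd\.exe|wscript|cscript|rundll32'
    # Loader-style flags and fetch primitives seen in LNK-embedded PowerShell one-liners.
    $loaderHints = '-enc|-e\b|-w(indowstyle)? hidden|-nop|iex|invoke-expression|downloadstring|https?://|\.hta'

    Get-ChildItem -Path $Root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # CreateShortcut only parses the LNK structure; it does not launch the target.
            $lnk = $shell.CreateShortcut($_.FullName)
            $cmd = ('{0} {1}' -f $lnk.TargetPath, $lnk.Arguments)
            if ($cmd -match $launchers -and $cmd -match $loaderHints) {
                [pscustomobject]@{
                    File        = $_.FullName
                    CommandLine = $cmd
                    # Padding the argument string so the visible command looks short or empty
                    # is a known LNK evasion; a large file with a brief command is itself odd.
                    SizeBytes   = $_.Length
                }
            }
        }
}

$hijack = Test-FodHelperHijack
if ($hijack) {
    Write-Warning 'Per-user ms-settings handler present (FoDHelper UAC bypass artifact):'
    $hijack | Format-List
} else {
    Write-Host 'No FoDHelper hijack key found for the current user.'
}

Get-SuspiciousShortcut | Format-Table -AutoSize
```

Run it as the user whose profile is in question, since the hijack key lives under HKCU and is invisible from another account. Loaders that use this technique commonly delete the key once the elevated process has started, so on a host you are triaging after the fact the durable signal is a Sysmon registry value-set event (Event ID 13) on the ms-settings path, not the key itself.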
The CryptBot stealer has been around since 2019 and targets Windows systems, stealing such sensitive information as credentials from browsers, crypto wallets, browser cookies, and credit card data. It also creates screenshots of the infected system, the researchers wrote.
Talos in January detected a new CryptBot variant with the same goal but new capabilities, including fresh techniques for obstructing analysis.
“A few new CryptBot variants are packed with VMProtect V2.0.3-2.13; others also have VMProtect, but with unknown versions,” Chen, Raghuprasad, and Karkins wrote. “The new CryptBot attempts to steal sensitive information from infected machines and modifies the configuration changes of the stolen applications.”
More than a dozen web browsers, including Mozilla Firefox, Google Chrome, Microsoft Edge, and Opera, are targeted by CryptBot, as are applications such as JEE, KeePass, Google Authenticator, and the Authy two-factor authentication (2FA) app. Almost 40 crypto wallets are in the crosshairs, according to Talos.
The new variant also goes after password manager databases and authenticator app data, which lets the attackers take over crypto wallets even when 2FA is enabled.
CoralRaider also is deploying a new LummaC2 variant. LummaC2, which has been for sale on the underground market for years, harvests information from victims’ machines. CoralRaider modified LummaC2’s capabilities and obfuscated the malware with a custom algorithm. The command-and-control (C2) server addresses are encrypted with a symmetric algorithm, and the threat group uses nine C2 servers, which the malware tries to contact one by one. Each server address is encrypted with a different key, the researchers wrote.
Rhadamanthys is an infostealer that has been advertised on an underground forum since September 2022 and continues to evolve, the latest version being released in February. However, CoralRaider delivers an older version, they wrote.
“The threat actor uses a Python executable file as a loader to execute the Rhadamanthys malware into memory,” the researchers wrote. “After decompiling the Python executable file, Python scripts load the Rhadamanthys malware in two stages.”
Rhadamanthys has been on the radar of several cybersecurity firms. Malwarebytes researchers wrote in February that Rhadamanthys was first seen early in 2023 being distributed through malicious ads and that malvertising chains were still being used more than a year later.
In December 2023, Check Point analysts said Rhadamanthys was an “information stealer with a diverse set of modules and an interesting multilayered design.” With version 0.5.0, the programmers behind it added a host of new capabilities, including “some general-purpose spying functions,” the Check Point analysts wrote.