Vietnamese Threat Actor Targeting Financial Data Across Asia
CoralRaider Looks for Social Media Accounts That Contain Payment Information
Vietnamese financially motivated hackers are targeting businesses across Asia in a campaign to harvest corporate credentials and financial data for resale in online criminal markets.
Researchers at Cisco Talos identified a cluster of hacking activity it tracks as CoralRaider attacking India, China, South Korea, Bangladesh, Pakistan, Indonesia and domestic targets with exfiltration malware.
Talos attributes the group’s origin to Vietnam with high confidence, pointing to the hackers’ use of Vietnamese in their Telegram command-and-control channel and Vietnamese words hard-coded into payload binaries. The group’s IP address traces to Hanoi.
Hackers use RotBot, a customized remote access tool – a variant of the Quasar RAT – to download an info stealer that looks for business social media accounts containing data such as payment cards.
The group “focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts,” the researchers said.
A CoralRaider attack begins when users open a malicious Windows shortcut file, triggering the infection chain. Talos said it’s not sure how the threat actor delivers the files to victims.
The activated LNK file downloads an HTML application file that executes a Visual Basic script, which in turn executes a PowerShell script in memory “which decrypts and sequentially executes three other PowerShell scripts that perform anti-VM and anti-analysis checks, bypass the User Access Controls, disable the Windows and application notifications on the victim’s machine, and finally download and run the RotBot.”
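The process lineage described above (HTA, then VBScript, then an in-memory PowerShell stage) is something endpoint telemetry can be checked for. The following is an added detection example written for this article, not code from Talos or from the campaign; it assumes the HTA runs under mshta.exe and the script under wscript.exe or cscript.exe, and runs over constructed sample process-creation events.

```python
# Added example: flag a process lineage matching the chain described above,
# mshta.exe -> wscript.exe/cscript.exe -> powershell.exe (gaps between stages allowed).
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name as logged by the EDR/Sysmon
    cmdline: str

# Stages to look for, oldest ancestor first. Process names are assumptions,
# not taken from the article.
CHAIN = (("mshta.exe",), ("wscript.exe", "cscript.exe"), ("powershell.exe", "pwsh.exe"))

def build_index(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}

def lineage(index: Dict[int, ProcEvent], pid: int) -> List[str]:
    """Image names from the process up to its root ancestor, youngest first."""
    names, seen = [], set()
    cur: Optional[ProcEvent] = index.get(pid)
    while cur is not None and cur.pid not in seen:   # guard against pid reuse cycles
        seen.add(cur.pid)
        names.append(cur.image.lower())
        cur = index.get(cur.ppid)
    return names

def matches_chain(names: List[str]) -> bool:
    """True when the ancestry contains every CHAIN stage in order (gaps allowed)."""
    pos = 0
    for want in reversed(CHAIN):                     # names are youngest first
        while pos < len(names) and names[pos] not in want:
            pos += 1
        if pos == len(names):
            return False
        pos += 1
    return True

def find_suspicious(events: List[ProcEvent]) -> List[int]:
    """PIDs of PowerShell processes whose ancestry matches the chain."""
    index = build_index(events)
    return [e.pid for e in events
            if e.image.lower() in CHAIN[-1] and matches_chain(lineage(index, e.pid))]

# Constructed sample telemetry; not real CoralRaider data.
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "mshta.exe", 'mshta.exe "C:\\Users\\u\\AppData\\Local\\Temp\\stage.hta"'),
    ProcEvent(300, 200, "wscript.exe", "wscript.exe //b stage.vbs"),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -nop -w hidden"),
    ProcEvent(500, 100, "powershell.exe", "powershell.exe -File backup.ps1"),  # benign admin use
]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE))  # [400]
```

Only the PowerShell instance descended from the HTA and VBScript stages is flagged; an administrator's direct PowerShell launch from explorer.exe is not.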
The XClient info stealer loaded by RotBot collects data including cookies, credentials and financial information from web browsers including Brave, Cốc Cốc, Google Chrome, Microsoft Edge, Mozilla Firefox and Opera, as well as Discord and Telegram.
XClient also targets data from victims’ Facebook, Instagram, TikTok and YouTube accounts and gathers details about payment methods and permissions associated with their Facebook business and advertising accounts.