Infosec Watchtower Logo

CoralRaider: Unveiling the New Cybercrime Syndicate Targeting Social Media Accounts in Asia

Charles M. Walls | April 9, 2024 | Views: 204

A digital cybercrime concept art showing a hacker in a dark room with multiple computer screens displaying code and social media logos, such as Facebook.

A newly identified cybercrime group from Vietnam, dubbed CoralRaider, has been actively targeting individuals and organizations throughout Asia, attempting to commandeer social media accounts and pilfer user data. Emerging in late 2023, CoralRaider utilizes social engineering alongside legitimate services to siphon data, while also developing unique malware tools for infecting victims' systems. Despite their savvy, the group has committed fundamental errors, such as accidentally compromising their own devices, which has inadvertently shed light on their operations, according to Cisco's Talos threat intelligence team.

Chetan Raghuprasad, a security research technical leader at Talos, indicates that unlike other Vietnamese cyber groups, CoralRaider does not seem to be government-affiliated. Instead, their main objective is profit, specifically through hijacking business and advertising accounts on social media. "While we've yet to observe delivery of other malware types, the risk of subsequent attacks remains a concern," he commented.

The notorious OceanLotus group, another entity from Vietnam, targets governments, activists, and journalists across Southeast Asia, but CoralRaider's motivations are strictly financial. Raghuprasad adds, "Currently, there's no evidence to suggest any governmental collaboration with CoralRaider."

CoralRaider's typical attack involves a deceptive Windows shortcut (.LNK) file disguised with a .PDF extension, designed to trick victims into activation. This initiates a multi-stage attack process beginning with the download and execution of an HTML application (HTA) file from a server under the attackers' control. This leads to a VB script launching a PowerShell script, which executes additional scripts designed to bypass security measures and cloak the malware's presence.

The final payload, RotBot, scans the system and retrieves a configuration file, which in turn downloads XClient. This secondary payload harvests a wide array of data, from social media logins to financial information, and even takes desktop screenshots for upload. Notably, the malware targets Vietnamese users specifically, with stolen data labeled in Vietnamese before being exfiltrated.

Additionally, the group employs an automated Telegram bot for both command and control functions, and data extraction, which was discovered when researchers found a compromised machine belonging to the attackers themselves. Analysis of this machine revealed links to underground Vietnamese Telegram groups involved in trading stolen data.

Sakshi Grover, a research manager at IDC's Cybersecurity Services in the Asia/Pacific, notes that while Vietnam was traditionally less known for cybercrime, its swift digital transformation has increased vulnerability to such threats. "With varying economic conditions across the country, cybercrime has become a lucrative alternative for many skilled individuals," she states.

As digital defenses continue to evolve, the emergence of groups like CoralRaider serves as a reminder of the persistent and evolving threat of cybercrime, particularly in regions undergoing rapid technological change.

Source of Inspiration