Human rights activists in Morocco and the Western Sahara region are the targets of a new threat actor that leverages phishing attacks to trick victims into installing bogus Android apps and serve credential harvesting pages for Windows users.
Cisco Talos is tracking the activity cluster under the name Starry Addax, describing it as primarily singling out activists associated with

Hackers Targeting Human Rights Activists in Morocco and Western Sahara

Cisco Talos is disclosing a new threat actor we deemed “Starry Addax” targeting mostly human rights activists, associated with the Sahrawi Arab Democratic Republic (SADR) cause with a novel mobile malware.

*   Cisco Talos is disclosing a new threat actor we deemed “Starry Addax” targeting mostly human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause with a novel mobile malware. 
*   Starry Addax conducts phishing attacks tricking their targets into installing malicious Android applications we’re calling “FlexStarling.” 
*   For Windows-based targets, Starry Addax will serve credential-harvesting pages masquerading as login pages from popular media websites. 

_Talos would like to thank the Yahoo! Paranoids Advanced Cyber Threats Team for their collaboration in this investigation._ 

**Starry Addax has a special interest in Western Sahara**

The malicious mobile application (APK), “FlexStarling,” analyzed by Talos recently masquerades as a variant of the Sahara Press Service (SPSRASD) App. The Sahara Press Service is a media agency associated with the Sahrawi Arab Democratic Republic. The malware will serve content in the Spanish language from the SPSRASD website to look legitimate to the victim. However, in actuality, FlexStarling is a highly versatile malware capable of deploying additional malware components and stealing information from the infected devices. 

 Splash screen for the malicious application.

Starry Addax’s infrastructure can be used to target Windows- and Android-based users. This campaign's infection chain begins with a spear-phishing email sent to targets, consisting of individuals of interest to the attackers, especially human rights activists in Morocco and the Western Sahara region. The email contains content that requests the target to install the Sahrawi News Agency’s Mobile App or include a topical theme related to the Western Sahara.  

Some examples of the subject lines of the phishing emails consist of: 

طلب تثبيت التطبيق على هواتف متابعي وكالة الأنباء الصحراوية 

Request to install the application on the phones of Sahrawi News Agency followers 

الوفد برلماني الأوروبي يدلي بتصريحات 

The European Parliament delegation makes statements 

الوفد برلماني يدلي بتصريحات 

A parliamentary delegation makes statements 

عاجل وبالفيديو ونقلاً عن جريدة إلبايس 

Urgent, video, and quoted from El Pais newspaper 

The email originating from an attacker-owned domain, ondroid\[.\]site, consists of a shortened link to an attacker-controlled website and domain. Depending on the requestor’s operating system, the website will either serve the FlexStarling APK for Android devices or redirect the victim to a social media login page to harvest their credentials. The links observed by Talos so far are:  

www\[.\]ondroid\[.\]store/aL2mohh1 

www\[.\]ondroid\[.\]store/ties5shizooQu1ei/ 

**Starry Addax likely to escalate momentum **

Campaigns like this that target high-value individuals usually intend to sit quietly on the device for an extended period. All components from the malware to the operating infrastructure seem to be bespoke/custom-made for this specific campaign indicating a heavy focus on stealth and conducting activities under the radar. The use of FlexStarling with a Firebase-based C2 instead of commodity malware or commercially available spyware indicates the threat actor is making a conscious effort to evade detections and operate without being detected. 

The timelines connected to various artifacts used in the attacks indicate that this campaign is just starting and may be in its nascent stages with more infrastructure and Starry Addax working on additional malware variants. 

**FlexStarling – A highly capable implant **

The FlexStarling malware app requests a plethora of permissions from the Android OS to extract valuable information from the infected mobile device. The following list contains the permissions acquired by FlexStarling via its AndroidManifest\[.\]xml: 

Some of these permissions are dynamically requested at runtime: READ\_CALL\_LOG, READ\_EXTERNAL\_STORAGE, READ\_SMS, READ\_CONTACTS, WRITE\_EXTERNAL\_STORAGE, INTERNET, ACCESS\_NETWORK\_STATE, RECORD\_AUDIO, READ\_PHONE\_STATE. 

**Anti-emulation checks **

When the implant runs, it checks the BUILD information for keywords or phrases that indicate that it is running on an emulator or analysis tool. The implant checks for the following keywords: 

*   BUILD\[MANUFACTURER\] does not contain: “Genymotion”. 
*   BUILD\[MODEL\] does not contain any of: “google\_sdk”, “droid4x”, “Emulator”, "Android SDK built for x86" 
*   BUILD\[HARDWARE\] does not contains any of: “goldfish”, “vbox86”, “nox”. 
*   BUILD\[FingerPrint\] does not start with “generic”. 
*   BUILD\[Product\] does not consist of any of: “sdk”, “google\_sdk”, “sdk\_x86”, “vbox86p”, “nox”. 
*   BUILD\[Board\] does not contain: “nox”. 
*   BUILD\[Brand\] or Device does not start with “generic”.  

The implant also checks for the presence of the following emulation/virtualization-related files in the filesystem: 

*   /dev/socket/genyd 
*   /dev/socket/baseband\_genyd 
*   /dev/socket/qemud 
*   /dev/qemu\_pipe 
*   ueventd.android\_x86.rc 
*   X86.prop 
*   ueventd.ttVM\_x86.rc 
*   init.ttVM\_x86.rc 
*   fstab.ttVM\_x86 
*   fstab.vbox86 
*   init.vbox86.rc 
*   ueventd.vbox86.rc 
*   fstab.andy 
*   ueventd.andy.rc 
*   fstab.nox 
*   init.nox.rc 
*   Ueventd.nox.rc 

If none of the keywords or files are found or all checks are passed, the malicious app tries to gain permissions for managing external storage areas (shared storage space) on the device using the permission “MANAGE\_EXTERNAL\_STORAGE”.  The actor wants to gain the ability to read, write, modify, delete and manage files on external storage locations.  

**Stealing information and executing arbitrary code **

The malware obtains command codes and accompanying information from the C2 server. It then generates the MD5 hash string of the command code and compares its list of hardcoded hashes. The corresponding activity is carried out by the implant once a match is found. 

The various commands supported by the sample are: 

Command code MD5 hash 

Decode command code 

Intent 

801ab24683a4a8c433c6eb40c48bcd9d 

Download 

Download a file specified by a URL to the Downloads directory. 

e8606d021da140a92c7eba8d9b8af84f 

unknown 

Copy files from the download's directory to the application package directory 

725888549d44eb5a3a676c018df55943 

unknown 

Decrypt a dex file located in the application package directory and reflectively load it. 

3a884d7285b2caa1cb2b60f887571d6c 

unknown 

Cleanup directories – remove all files: 

*   Cache directory. 
    
*   Application package directory (including “/oat/”). 
    
*   External Cache Directory. 
    

f2a6c498fb90ee345d997f888fce3b18 

Delete 

Delete a specified filepath. 

3e679cff5b3a6f6f8f32aead541a0a12 

Drop 

Upload a local file to the attacker’s dropbox folders using the Dropbox API. 

The ACCESS TOKEN, local filepath and remote upload path is specified by the C2. 

fb84708d32d00fca5d352e460776584c 

DECRYPT 

AES Decrypt a file from the application package directory using the secret key and IV specified and write it to a file named “.EXEC.dex” 

0ba4439ee9a46d9d9f14c60f88f45f87 

check 

Check if a file inside the application package directory exists. 

These commands are supported by accompanying information and consist of the following variables being sent across by the C2: 

**DURL:** Indicates the download URL used by the “Download” command above. 

**APPNAME:** Indicates the filename to use for the destination file during the “Download” command. 

**DEX:** Contains the source file name to be used during the Decrypt (and reflectively load) commands. 

**ky1:** Indicates a value to be used in the context of specific command codes: 

*   Delete = File to be deleted. 
*   Drop = File to be read and uploaded to Dropbox. 
*   DECRYPT = Secret key used for AES decryption. 
*   Check = Filename to be whose presence is to be checked in the application package directory. 

 **ky2:** Indicates a value to be used in the context of specific command codes: 

*   Drop = Remote file location where the local file needs to be uploaded on Dropbox. 
*   DECRYPT = IV used for AES decryption. 

 **ky3:** Indicates a value to be used in the context of specific command codes: 

*   Drop = Dropbox ACCESS TOKEN value to be used during file upload. 
*   DECRYPT = IV used for AES decryption. 

 **fl:** Filename used during the DEX reflective load process.  

**ky4:** Used as a parameter during reflective loading of the DEX file. 

**ky5:** Secret key used for AES decryption as part of the implant’s DEX decrypt and reflective load. 

**ky6:** IV used for AES decryption as part of the implant’s DEX decrypt and reflective load. 

**ky7**: Contains the source file name to be used during the AES decryption as part of the implant’s DEX decrypt and reflective load. 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

 Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

 Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

**IOCs **

IOCs for this research can also be found at our GitHub repository here. 

**Hashes **

f7d9c4c7da6082f1498d41958b54d7aeffd0c674aab26db93309e88ca17c826c 

ec2f2944f29b19ffd7a1bb80ec3a98889ddf1c097130db6f30ad28c8bf9501b3 

**Network IOCs **

hxxps\[://\]runningapplications-b7dae-default-rtdb\[.\]firebaseio\[.\]com 

ondroid\[.\]site 

ondroid\[.\]store 

bit\[.\]ly/48wdj1m 

www\[.\]ondroid\[.\]store/aL2mohh1 

bit\[.\]ly/48E4W3N 

www\[.\]ondroid\[.\]store/ties5shizooQu1ei/

Starry Addax targets human rights defenders in North Africa with new malware

A man has pleaded guilty to assuming someone else's identity for 35 years.

Sometimes the consequences of a stolen identity exceed anything you could have imagined.

Matthew David Keirans, a 58-year-old former hospital employee has pleaded guilty to assuming another man’s identity since 1988. He was convicted of one count of making a false statement to a National Credit Union Administration insured institution and one count of aggravated identity theft.

The man whose identity he assumed—William Donald Woods—and Keirans worked together in 1988 at a hot dog cart in Albuquerque.

Keirans was wanted for theft, so he used Woods’ identity “in every aspect of his life,” including obtaining employment, insurance and official documents, and even paying taxes under Wood’s name, according to a plea agreement signed by Keirans. He even fathered a child, whose last name is Woods.

In 1990, Keirans obtained a fraudulent Colorado identification card with Woods’ name and birthday. He used the ID to get a job at a fast-food restaurant and to get a Colorado bank account. He bought a car for $600 in 1991, using Wood’s name, with two $300 checks that bounced.

It wasn’t the first time Keirans had committed car theft. When he was 16, he stole a car after running away from his adoptive parents’ home in San Francisco.

In 2012, Keirans fraudulently acquired a copy of Woods’ birth certificate from the state of Kentucky using information he found about Woods’ family on Ancestry.com.

Under the assumed identity, Keirans also worked as a systems architect for the University of Iowa Hospital where he was fired for misconduct related to the identity theft investigation.

Meanwhile, the real William Woods was homeless and living in Los Angeles, when he discovered that someone was using his credit and had accumulated a lot of debt. Woods didn’t want to pay the debt and so went after the account numbers for any accounts he had open so he could close them. He handed a bank employee his real Social Security card and an authentic California Identification card, which matched the information the bank had on file. But because there was a large amount of money in the accounts, the bank employee asked Woods a series of security questions that he was unable to answer.

At that point, the bank employee called Keirans, whose phone number was associated with the accounts. He was able to answer the security questions correctly and stated that no one in California should have access to the accounts.

So, the bank employee called the police and after an investigation, the real Woods was arrested and charged with identity theft and false impersonation, under a misspelling of Keirans’ name: Matthew Kierans.

Because Woods refused to give up his own identity, a judge ruled in February 2020 that he was not mentally competent to stand trial and he was sent to a mental hospital in California, where he received psychotropic medication and other mental health treatment.

For legal reasons, Woods pleaded no contest to the identity theft charges—meaning he accepted the conviction but did not admit guilt—and was sentenced to two years imprisonment with credit for the two years he already served in the county jail and the hospital and was released.

But he didn’t give up his fight for his identity even though the judge ordered him to stop using the name William Woods. He attempted to regain his identity by filing customer disputes with financial organizations to clear his credit report.

It wasn’t until a police detective tested Woods’ biological father’s DNA against Woods’ DNA. Both men had the same birth certificate with the father’s name on it. The DNA test proved Woods was the man’s son. During a follow-up interview Keirans made a mistake and eventually confessed to the prolonged identity theft, according to court documents.

Keirans was indicted on five counts of making a false statement to a National Credit Union Administration insured institution and two counts of aggravated identity theft. He pleaded guilty to one count of each charge, and the other counts were dropped.

A sentence ruling has not yet been scheduled. Keirans is currently in the custody of the US Marshals Service, according to a news release about his plea.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 35-year long identity theft leads to imprisonment for victim 

With a complex attack chain and using Telegram for its command and control, CoralRaider targets victims in Asian countries — and appears to have accidentally infected itself as well.

Source: incamerastock via Alamy Stock Photo

A newcomer cybercrime group linked to Vietnam has targeted individuals and organizations in Asia, attempting to steal social media account information and user data.

CoralRaider, which first appeared in late 2023, relies heavily on social engineering and legitimate services for data exfiltration, and it develops custom tools for loading malware onto victim systems. Yet the group has also made some rookie mistakes, such as inadvertently infecting their own systems, which exposed their activities, threat researchers with Cisco's Talos threat intelligence group stated in a new analysis on CoralRaider.

While Vietnam has become increasingly active in cyber operations, this group does not appear to be working with the government, says Chetan Raghuprasad, security research technical leader for Cisco's Talos group.

"The main priority is financial gain, and the actor is attempting to hijack the victim’s social media business and advertis\[ing\] accounts," he says. "The potential exposure for follow-on attacks, including delivering other malware, is also possible. Our research has not seen any examples of other payloads being delivered."

Vietnam threat actors frequently focus on social media. The infamous OceanLotus group — also known as APT32 — has attacked other governments, dissidents, and journalists in Southeast Asian countries, including in Vietnam. A military-associated group, Force 47 — linked to the Vietnamese army's official television station — regularly attempts to influence social media groups.

CoralRaider, however, appears to be connected to profit motives rather than nationalist agendas.

"At this moment, we do not have any evidence or information on signs of CoralRaider working with the Vietnamese government," Raghuprasad says.

**Multistage Infection Chain**

A CoralRaider campaign typically starts with a Windows shortcut (.LNK) file, often using a .PDF extension in an attempt to fool the victim into opening the files, according to the Cisco analysis. Following that, the attackers move through a series of stages in their attack:

1.  Windows shortcut downloads and executes an HTML application (HTA) file from an attacker-controlled server
    
2.  HTA file executes an embedded Visual Basic script
    
3.  VB script executes a PowerShell script, which then runs three more PowerShell scripts, including a series of anti-analysis checks to detect if the tool is running in a virtual machine, a bypass for the system's User Access Controls, and code that disables any notifications to the user
    
4.  Final script runs RotBot, a loader that performs detection evasion, conducts reconnaissance on the system, and downloads a configuration file
    
5.  RotBot then typically downloads XClient, which collects a variety of user data from the system, including social media account credentials
    

In addition to credentials, XClient also steals browser data, credit card account information, and other financial data. And lastly, XClient takes a screenshot of the victim's desktop and uploads it.

Meanwhile, the researchers say there are indications that the attackers had targeted individuals in Vietnam as well.

"The \[XClient\] stealer function maps the stolen victim's information to hardcoded Vietnamese words and writes them to a text file on the victim machine's temporary folder before exfiltration," the analysis stated. "One example function we observed is used to steal the victim's Facebook Ads account that has hardcoded with Vietnamese words for Account rights, Threshold, Spent, Time Zone, and Date Created."

**Shooting Themselves in the Foot**

The CoralRaider group used an automated bot on the Telegram service as a command-and-control channel and as well as to exfiltrate data from victims' systems. However, the cybercriminal group appears to have infected one of their own machines, because the Cisco researchers discovered screenshots of the information posted to the channel.

"Analyzing the images of the actor's Desktop on the Telegram bot, we found a few Telegram groups in Vietnamese named 'Kiém tien tử Facebook, 'Mua Bán Scan MINI,' and 'Mua Bán Scan Meta,'" Cisco Talos stated in the analysis. "Monitoring these groups revealed that they were underground markets where, among other activities, victim data was traded."

CoralRaider's arrival on the cyber threat scene is not surprising: Vietnam is currently facing an increase in threats from account-stealing malware, says Sakshi Grover, research manager in IDC's Cybersecurity Services group for the Asia/Pacific region.

"While historically less associated with cybercrime compared to other Asian nations, Vietnam's rapid adoption of digital technologies has made it more susceptible to cyber threats," she says. "Advanced persistent threats (APTs) are increasingly targeting government entities, critical infrastructure, and businesses, utilizing sophisticated techniques like custom malware and social engineering to infiltrate systems and steal sensitive data."

Because economic conditions vary across Vietnam — with some areas experiencing limited job opportunities, resulting in low wages for highly skilled roles — individuals can be incentivized to engage in cybercrime to make money, Grover says.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Vietnamese Cybercrime Group CoralRaider Nets Financial Data

So far this year, Ivanti has disclosed a total of 10 flaws — many of them critical — in its remote access products, and one in its ITSM product.

Source: garagestock via Shutterstock

Ivanti CEO Jeff Abbott this week said his company will completely revamp its security practices even as the vendor disclosed another fresh set of bugs in its vulnerability-riddled Ivanti Connect Secure and Policy Secure remote access products.

In an open letter to customers, Abbott committed to a series of changes the company will make in the coming months to transform its security operating model following a relentless barrage of bug disclosures since January. The promised fixes include a complete do-over of Ivanti's engineering, security, and vulnerability management processes and implementation of a new secure-by-design initiative for product development.

**A Thorough Overhaul**

"We have challenged ourselves to look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers," Abbott said, in his statement. "We have already begun applying learning from recent incidents to make immediate improvements to our own engineering and security practices."

Some of the specific steps include embedding security into every stage of the software development life cycle and integrating new isolation and anti-exploit features in its products to minimize the potential impact of software vulnerabilities. The company will also improve its internal vulnerability discovery and management process and increase incentives for third-party bug hunters, Abbott said.

In addition, Ivanti will make more resources available to customers for finding vulnerability information and associated documentation and is committed to greater transformation and information sharing with customers, he added.

How much these commitments will help stem growing customer disenchantment with Ivanti remains unclear given the company's recent security track record. In fact, Abbot's comments came one day after Ivanti disclosed four new bugs in its Connect Secure and Policy Secure gateway technologies and issued patches for each of them.

The disclosure followed a similar incident less than two weeks ago that involved two bugs in Ivanti's Standalone Sentry and Neuron's for ITSM products. Ivanti so far has disclosed a total of 11 vulnerabilities — including the four this week — in its technologies since Jan. 1. Many of them have been critical flaws — at least two were zero-days — in the company's remote access products, which attackers, including advanced persistent threat actors such as "Magnet Goblin," have exploited in mass fashion. Concern over the potential for major breaches from some of these bugs prompted the US Cybersecurity and Infrastructure Security Agency (CISA) in January to order all civilian federal agencies to take their Ivanti systems offline and not reconnect the devices until fully remediated.

Security researcher and IANS Research faculty member Jake Williams says the vulnerability disclosures have prompted serious questions from Ivanti's customers. "Based on conversations I'm having, especially with Fortune 500 clients, I honestly think it's a bit of too little, too late," he says. "The time to publicly make this commitment was more than a month ago." There is no question that the issues with the Ivanti VPN appliance (formerly Pulse) are making CISOs question the security of Ivanti's many other products, he says.

**A Fresh Set of 4 Bugs**

The four new bugs Ivanti disclosed this week included two heap overflow vulnerabilities in the IPSec component of Connect Secure and Policy Secure, both of which the company characterized as high-severity risk for customers. One of the vulnerabilities, tracked as CVE-2024-21894, gives unauthenticated attackers a way to run arbitrary code on affected systems. The other, assigned as CVE-2024-22053, allows an unauthenticated remote attacker to read the contents from system memory under certain conditions. Ivanti described both vulnerabilities as allowing attackers to send maliciously crafted requests to trigger denial of service conditions.

The other two flaws — CVE-2024-22052 and CVE-2024-22023 — are two medium-severity vulnerabilities that attackers can exploit to cause denial-of-service conditions on affected systems. Ivanti said that as of April 2, it was not aware of any exploit activity in the wild targeting the vulnerabilities.

The steady stream of bug disclosures has raised questions about the risk that Ivanti's products pose to more than 40,000 customers worldwide, with some expressing their frustration on forums such as Reddit. Just two years ago, Ivanti's press releases claimed 96 of the Fortune 100 companies as its customers. In the latest release that number has declined nearly 12% to 85 companies. While the attrition might have to do with factors other than just security, some Ivanti rivals have begun to sense an opportunity. Cisco, for instance, has begun offering incentives — including a 90-day free trial — to try and get Ivanti VPN customers to migrate to its Secure Access platform so they can "mitigate risk" from Ivanti's products.

**Acquisition Related Problems?**

Eric Parizo, an analyst with Omdia, says at least some of Ivanti's challenges have to do with the fact that the company's product portfolio is the sum of numerous past acquisitions. "The original products were developed at different times by different companies for different purposes using varying methods. This means the software quality, in particular with regard to software security, can be dramatically uneven," he says.

 Parizo says what Ivanti is doing now with its commitment towards improving security processes and procedures across the board is a step in the right direction. "I would also like to see the vendor indemnify its customers for damages directly resulting from these vulnerabilities, as that will help restore confidence in future purchases," he says. "Perhaps the one saving grace for Ivanti is that customers are so used to this sort of event, with cybersecurity vendors suffering countless similar incidents in recent years, that customers are more likely to forgive and forget."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Ivanti Pledges Security Overhaul the Day After 4 More Vulns Disclosed

An April 2023 study from Kent State University found that remote workers are more likely to be vigilant of security threats and take actions to ward them off than their in-office counterparts.

Thursday, April 4, 2024 14:00

As my manager knows, I’m not the biggest fan of working in a physical office. I’m a picky worker — I like my workspace to be borderline frigid, I hate dark mode on any software, and I want any and all lighting cranked all the way up.  

So, know that I’m biased going into this, but I also can’t get over the idea that companies are using cybersecurity as an excuse to create return-to-office policies in 2024.  

I started thinking about this because of the video game developer Rockstar, which owns some of the largest video game franchises on the planet like Red Dead Redemption and Grant Theft Auto. 

The company recently started asking its employees to return to its physical office five days a week in the name of productivity and security as the company pushes to finish its highly anticipated title “Grand Theft Auto VI.”  

Rockstar has long faced a number of cybersecurity concerns over the years, including a massive leak featuring early, in-progress gameplay of GTA VI in 2022 and other sensitive data. The attack was eventually attributed to the Lapsus$ group, and the perpetrator was eventually charged and sentenced. The first reveal trailer for the game was also leaked ahead of time.  

Many other companies have started to implement return-to-office policies over the past two years, citing various things ranging from worker productivity to interpersonal camaraderie, real estate costs, and more. I’m willing to hear arguments for all those things, but simply thinking that having employees all in one physical space is going to solve security problems seems far-fetched to me.  

We’ve written and talked about the various ways remote work has influenced cybersecurity since the onset of the COVID-19 pandemic. There’s no doubt that admins have had to implement new login methods, security controls and policies since more workers across the globe started working remotely. But four years into this trend, there’s no excuse to not be prepared to have remote workers anymore. 

An April 2023 study from Kent State University found that remote workers are more likely to be vigilant of security threats and take actions to ward them off than their in-office counterparts.  

The use of multi-factor authentication during the rise in remote work has skyrocketed, but often, this requirement is actually dropped if a user is physically in the office or accessing an on-site machine because of the perceived security of being in the office.  

The perceived security of a physical office can sometimes lull admins into a false sense of security, too, because machines located on-site may lack pre-boot authentication or encryption that’s commonly found on remote workers’ devices.  

I’m not saying that working in an office is inherently less secure than remote work, but I do believe that the risks are essentially the same. Regardless of where an employee is working from, they should be using app-based MFA to access all their services. Sensitive software and hardware should rely on passkeys or physical token access rather than outdated password policies that create easy-to-guess or shareable text-based passwords.  

And if security is the name of the game when asking employees to come back into the office, there’s still going to be a monetary investment that comes with that, too. 

Cisco’s recently published Global Hybrid Work study found that only 28 percent of responding employees say they would rank their employers’ office’s “Privacy and security features” as “very well.” To me, that says that even if employers want workers back in the office, they still need to upgrade their security, which is always going to mean more money and greater manpower.  

Security fundamentals should stay the same, no matter where your employees are. And suppose security is a chief concern for a company in wanting to go back to the “traditional” office lifestyle. In that case, I’m willing to bet they still have security gaps to overcome that simply can’t be solved by thinking they’ll be able to keep a closer eye on employees while they’re in the office to keep them from clicking on a phishing email. 

**The one big thing **

Remote system management/desktop access tools such as AnyDesk and TeamViewer have grown in popularity since 2020. While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns. Cisco Talos Incident Response (Talos IR) has recently seen a spike in actors using this type of software as a method of gaining initial access to a network or to spy on the actions of users. Talos IR noted in its Quarterly Trends report for the third quarter of 2023, “AnyDesk was observed in all ransomware and pre-ransomware engagements \[. . .\], underscoring its role in ransomware affiliates' attack chains.” 

**Why do I care? **

The use of these types of tools has increased since the start of the COVID-19 pandemic when remote work became more common. Since this software is legitimate, it can be easy for an attacker to compromise it and sit undetected on a network, bypassing traditional blocking methods. These tools introduce the ability for an adversary to potentially take full remote control of a system, are easy to download and install, and can be very difficult to detect since they are considered legitimate software. 

**So now what? **

Adopting one, or at most two, approved remote management solutions will allow the organization to thoroughly test and deploy in the most secure possible configuration. Once a solution is approved and championed for the organization, other remote management/access tools should be explicitly banned by policy. Due to the complexity of implementing all these controls, detection rules can serve as a backup in case an adversary finds a way to circumvent these mitigations. 

**Top security headlines of the week **

**The U.S. and Britain have jointly filed chargers and sanctions against a Chinese state-sponsored actor known as APT31.** The group is accused of a sweeping espionage campaign allegedly linked to China's Ministry of State Security (MSS) in the province of Hubei. The group reportedly targeted thousands of U.S. and foreign politicians, foreign policy experts and other high-profile targets. Individuals in the White House, U.S. State Department and spouses of officials were also among those targeted. The attacks aligned with geopolitical events affecting China, including economic tensions with the U.S., arguments over control of the South China Sea, and pro-democracy rallies in Hong Kong in 2019. A release from the U.S. Department of Justice stated that the campaigns involved more than 10,000 malicious emails, sent to targets in multiple continents, in what it called a “prolific global hacking operation.” The charges go on to say that APT31 hoped to compromise government institution networks and stealing trade secrets. Seven Chinese nationals are the target of the new sanctions for their alleged involvement with APT31, including the Wuhan XRZ corporation that is tied to the threat actor. (Reuters, U.S. Department of Justice) 

**A silent backdoor on Linux machines was almost a massive supply chain attack, before a lone developer found malicious code hidden in software updates.** The malicious code was hidden in two updates to xz Utils, an open-source data compression utility available on almost all installations of Linux and other Unix-like operating systems. Had it been successfully deployed, adversaries could have stashed malicious code in an SSH login certificate, upload it and execute it on the backdoored device. Whoever is behind this code likely spent years working on it, with open-source updates going back to 2021. The actor never actually took advantage of the malicious code, so it’s unclear what they planned to upload. Researchers eventually identified the vulnerability as CVE-2024-3094. The U.S. Cybersecurity and Infrastructure Security Agency warned government agencies to downgrade their xz Utils to older versions. (Ars Technica, Dark Reading) 

**There is a massive backup with the National Vulnerabilities Database and, consequently, MITRE is unable to compile a list of all new vulnerabilities.** A recent study from Flashpoint found that there was backlog of more than 100,000 vulnerabilities with no CVE number, and consequently, hadn’t been included in the NVD. Of those, 330 vulnerabilities had been exploited in the wild, yet defenders had not been made aware of them. The National Institute of Standards and Technology blamed the backup on an increase in the volume of software available to the public, leading to a larger number of vulnerabilities, as well as “a change in interagency support.” NIST has only analyzed about half of the more than 8,700 vulnerabilities that had been submitted so far in 2024. And in March alone, they only analyzed 199 out of the 3,370 vulnerabilities submitted. Several organizations have tried launching their own alternatives to the NVD, though adoption can still take a long time. NIST has also vowed to remain dedicated to the NVD and that it’s still regrouping its current efforts. (SecurityWeek, The Record by Recorded Future) 

**Can’t get enough Talos? **

*   Enterprise Imperatives: The Critical Importance of Threat Intelligence 
*   Beware the gap between security readiness and confidence levels, Cisco warns 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll |  
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241  
**MD5:** a5e26a50bf48f2426b15b38e5894b189  
**Typical Filename:** a5e26a50bf48f2426b15b38e5894b189.vir  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::1201

**SHA 256:** 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66  
**MD5:** 8b84d61bf3ffec822e2daf4a3665308c  
**Typical Filename:** RemComSvc.exe  
**Claimed Product:** N/A   
**Detection Name:** W32.3A2EA65FAE-95.SBX.TG

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 62dfe27768e6293eb9218ba22a3acb528df71e4cc4625b95726cd421b716f983  
**MD5:** 0211073feb4ba88254f40a2e6611fcef  
**Typical Filename:** UIHost64.exe  
**Claimed Product:** McAfee WebAdvisor  
**Detection Name:** Trojan.GenericKD.68726899

There are plenty of ways to improve cybersecurity that don’t involve making workers return to a physical office

A suspected Vietnamese-origin threat actor has been observed targeting victims in several Asian and Southeast Asian countries with malware designed to harvest valuable data since at least May 2023.
Cisco Talos is tracking the cluster under the name CoralRaider, describing it as financially motivated. Targets of the campaign include India, China, South Korea, Bangladesh, Pakistan, Indonesia,

Vietnam-Based Hackers Steal Financial Data Across Asia with Malware

A researcher received a $5,500 bug bounty for discovering a vulnerability (CVE-2024-2879) in LayerSlider, a plug-in with more than a million active installations.

Source: Primakov via Shutterstock

Attackers can exploit a critical SQL injection vulnerability found in a widely used WordPress plug-in to compromise more than 1 million sites and extract sensitive data such as password hashes from associated databases.

A security researcher called AmrAwad (aka 1337\_Wannabe) discovered the bug in the LayerSlider, a plug-in for creating animated Web content. The security flaw, tracked as CVE-2024-2879, has a rating of 9.8 out of 10 on the CVSS 3.0 vulnerability-severity scale, and is associated with the "ls\_get\_popup\_markup" action in versions 7.9.11 and 7.10.0 of LayerSlider. The vulnerability is due to "insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query," according to Wordfence.

"This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database," the company said.

Wordfence awarded the researcher a bounty of $5,500 — the company's highest bounty to date — for the discovery, according to a blog post by Wordfence. AmrAwad's March 25 submission came as part of Wordfence's second Bug Bounty Extravaganza, and the company contacted the Kreatura Team, developers of the plug-in, the same day to notify them of the flaw. The team responded the next day and delivered a patch in version 7.10.1 of LayerSlider on March 27.

**Exploiting the LayerSlider SQL Injection Flaw**

The potential for exploitation of the vulnerability lies in the insecure implementation of the LayerSlider plug-in's slider popup markup query functionality, which has an "id" parameter, according to Wordfence.

According to the firm, "if the 'id' parameter is not a number, it is passed without sanitization to the find() function in the LS\_Sliders class," which "queries the sliders in a way that constructs a statement without the prepare() function."  

Since that function would "parameterize and escape the SQL query for safe execution in WordPress, thereby providing protection against SQL injection attacks," its absence creates a vulnerable scenario, according to Wordfence.

However, to exploit the flaw requires a "a time-based blind approach" on the part of attackers to extract database information, which is "an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities," according to Wordfence.

"This means that they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database," the company explained.

**Secure WordPress, Secure the Web**

Vulnerable WordPress sites are a popular target for attackers given the content management system's widespread use across the Internet, and often vulnerabilities exist in plug-ins that independent developers create for adding functionality to sites using the platform.

Indeed, at least 43% of websites on the entire Internet use WordPress to power their sites, e-commerce applications, and communities. Further, the wealth of sensitive data such as user passwords and payment info often stored within their pages represents a significant opportunity for threat actors who seek to misuse it.

Making "the WordPress ecosystem more secure ... ultimately makes the entire web more secure," WordPress noted.

Wordfence advised that WordPress users with LayerSlider installed on sites verify immediately that they are updated to the latest, patched version of the plug-in to ensure it isn't vulnerable to exploit.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Critical Security Flaw Exposes 1 Million WordPress Sites to SQL Injection

Cybersecurity is far more than a check-the-box exercise. To create companywide buy-in, CISOs need to secure board support, up their communication game, and offer awareness-training programs to fight social engineering and help employees apply what they've learned.

Source: Lev Dolgachov via Alamy Stock Photo

COMMENTARY

Cybersecurity has never been more critical for responsible corporate governance, as cyberattacks are among the gravest threats to companies' customers, operations, and reputations. 

Boards must invest in cybersecurity-awareness training programs to prepare the entire workforce for evolving cyber threats, and chief information security officer’s (CISO) have to champion this effort.

CISOs play a vital role in building stakeholder support for cybersecurity across the company — particularly on the board. Board members often lack the necessary knowledge to make informed decisions about the company's cybersecurity posture, and it's the CISO's job to educate them in a clear and compelling way. CISOs must demonstrate how much damage cyberattacks can cause, the ways employees can be equipped to identify and prevent these attacks, and how to maintain accountability for their risk-mitigation program.

**5 Top CISO Communication Strategies**

There are several strategies that will help CISOs earn long-term support for awareness training from their boards, from communicating cybersecurity concepts in an engaging and non-technical way to showing board members that cybersecurity programs offer significant ROI. Let's take a closer look at the top five ways CISOs can show boards that it's time to prioritize cybersecurity.

**1\. Know how to communicate with non-technical audiences.**

While almost three-quarters of CISOs say they have "adequate exposure to the board," a majority of CISOs report that their board lacks "knowledge or expertise to respond effectively to their presentations." CISOs must do more to address this disconnect — a process that begins with evaluating how they communicate with board members.

Cybersecurity is an intimidating subject for non-technical audiences, but it doesn't have to be. CISOs can make a comprehensible and convincing case for cybersecurity by pointing to the devastating real-world consequences of successful cyberattacks, revealing how cybercriminals deceive and manipulate their victims, and explaining that the right behavioral interventions can enable all employees to resist cyberattacks. CISOs can also highlight concrete examples of cyberattacks.

With boards planning to increase their cybersecurity investments, it's essential for CISOs to clearly highlight the value of risk mitigation strategies like awareness training.

**2\. Focus on the entire cyber-impact chain.**

According to IBM, the average cost of a data breach surged to $4.45 million in 2023. Cyberattacks can also lead to severe reputational damage, disrupted operations, legal and regulatory consequences, and crippling effects on the health of the company's workforce. This is known as the cyber-impact chain — a crucial concept for CISOs to discuss with board members.

Boards need to be aware that the effects of cyberattacks extend well beyond immediate financial burdens. At a time when 86% of consumers are worried about data privacy, a major cyberattack can undermine trust for years. As data regulations become increasingly strict, companies will be held accountable for compromised customer information.

CISOs have all the information they need to educate boards about the consequences of cyberattacks. They just have to present that information in a way that will hold board members' attention.

**3\. Stress the human element.**

CISOs have the knowledge to explain how prominent cybercriminal tactics are thwarted. For example, 74% of all breaches involve a human element — an alarming reminder that social engineering remains one of the most powerful weapons in the cybercriminal arsenal.

There are several ways for CISOs to productively discuss the threat of social engineering with their boards. They can provide hard evidence for the impact of social engineering attacks, explain how awareness training arms the company to prevent these attacks, and emphasize the most effective ways to educate employees. Cybersecurity is everyone's responsibility, which is why CISOs must make the case for fully engaging employees with consistent, entertaining, and relevant awareness training content.

Awareness training is one of the best ways to mitigate the financial impact of data breaches as it can help companies keep pace with emerging cyber threats and be personalized to account for individual psychological susceptibilities and learning styles. As long as social engineering remains integral to the majority of cyberattacks, CISOs will need to prioritize human-oriented cybersecurity.

**4\. Outline how awareness-training programs can be measured.**

As investments in cybersecurity rise, CISOs need to make accountability a central pillar of their case for awareness training. When board members see that cybersecurity spending is paying off, CISOs will be able to maintain support.

CISOs must make sure employees are learning what they need to know about the most urgent cyberthreats and tactics. Companies can use assessments such as simulated phishing to expose vulnerabilities and determine whether employees are able to apply what they've learned in real-world scenarios. These tests are especially valuable considering that phishing is the most frequent and second-costliest initial attack vector, according to IBM.

Beyond simulated phishing, CISOs can outline other forms of accountability to the board: employee-specific behavioral risk profiles, organizationwide security evaluations, and proactive incident reporting. These are all ways to reassure the board that resources allocated to cybersecurity are being put to good use.

**5\. Secure long-term support.**

Despite the growing concern about cyberattacks, too many companies still treat cybersecurity as a check-the-box exercise. They rely on a few email PSAs or perfunctory cybersecurity presentations a couple times a year, which fail to provide employees with consistent and engaging content that will secure sustainable behavioral change.

Because the cyber threat landscape is always shifting, companies have to keep employees updated on the latest cybercriminal tactics — such as the use of AI to craft convincing and targeted phishing messages at scale. Consistency is also necessary to reinforce what employees learn and identify weaknesses, such as the psychological vulnerabilities cybercriminals exploit. The goal of a security-awareness training program is to create a culture of cybersecurity at every level of the organization which can adapt to these challenges.

Cybercriminals are constantly developing increasingly sophisticated and effective ways to infiltrate companies by manipulating employees. This is why CISOs must secure long-term support for effective cybersecurity initiatives like a customer-satisfaction score (CSAT) from their boards — the threat is only becoming more dire, and companies have a responsibility to be prepared.

**About the Author(s)**

CEO, NINJIO

Dr. Shaun McAlmont is CEO of NINJIO Cybersecurity Awareness Training, and is one of the nation's leading education and training executives. Prior to NINJIO he served as President of Career and Workforce Training at Stride, Inc., had a decade-long tenure at Lincoln Educational Services, where he was President and CEO, and also served as CEO of Neumont College of Computer Science. His workforce and ed tech experience is supported by early student development roles at Stanford and Brigham Young Universities. He is a former NCAA and international athlete, and serves on the BorgWarner and Lee Enterprises boards of directors. He earned his doctoral degree in higher education, with distinction, from the University of Pennsylvania, a master's degree from the University of San Francisco, and his bachelor's degree from BYU.

How CISOs Can Make Cybersecurity a Long-Term Priority for Boards

Cisco Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries.

**CoralRaider targets victims’ data and social media accounts**

Thursday, April 4, 2024 08:00

*   Cisco Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries. 
*   This group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts.
*   They use RotBot, a customized variant of QuasarRAT, and XClient stealer as payloads in the campaign we analyzed.
*   The actor uses the dead drop technique, abusing a legitimate service to host the C2 configuration file and uncommon living-off-the-land binaries (LoLBins), including Windows Forfiles.exe and FoDHelper.exe 

**CoralRaider operators likely based in Vietnam **

Talos assesses with high confidence that the CoralRaider operators are based in Vietnam, based on the actor messages in their Telegram C2 bot channels and language preference in naming their bots, PDB strings, and other Vietnamese words hardcoded in their payload binaries. The actor’s IP address is located in Hanoi, Vietnam. 

 Our analysis revealed that the actor uses a Telegram bot, as a C2, to exfiltrate the victim’s data. This allowed us to collect information and uncover several invaluable indicators about the origin and activities of the attacker. 

The attacker used two Telegram bots: A “debug” bot for debugging, and an “online” bot where victim data was received. However, a Desktop image in the “debug” bot had a similar desktop and Telegram to the “online” bot. This showed that the actor possibly infected their own environment while testing the bot. 

Analyzing the images of the actor’s Desktop on the Telegram bot, we found a few Telegram groups in Vietnamese named “Kiém tien tử Facebook,” “Mua Bán Scan MINI,” and “Mua Bán Scan Meta.” Monitoring these groups revealed that they were underground markets where, among other activities, victim data was traded. 

In an image from the “debug bot,” we spotted the Windows device ID (HWID) and an IP address (118\[.\]71\[.\]64\[.\]18), located in Hanoi, Vietnam, that is likely to be CoralRaider’s IP address.

Talos’ research uncovered two other images that revealed a few folders on their OneDrive. One of the folders had a Vietnamese name, “Bot Export Chiến,” which is the same as one of the folders in the PDB strings of their loader component. Pivoting on the folder path in the PDB string, we discovered a few other PDB strings having similar paths but different Vietnamese names. We analyzed the discovered samples with the PDB strings and found they belong to the same loader family, RotBot. The Vietnamese name in the PDB string of the loader binary further strengthens our assessment that CoralRaider is of Vietnamese origin.

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Khuê\\14.225.210.XX-Khue-Ver 2.0\\GPT\\bin\\Debug\\spoolsv.pdb

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Trứ\\149.248.79.205 - NetFrame 4.5 Run Dll - 2024\\ChromeCrashServices\\obj\\Debug\\FirefoxCrashSevices.pdb

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Trứ\\139.99.23.9-NetFrame4.5-Ver2.0-Trứ\\GPT\\bin\\Debug\\spoolsv.pdb

  

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Chiến\\14.225.210.XX-Chiến -Ver 2.0\\GPT\\bin\\Debug\\spoolsv.pdb

  

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Trứ\\139.99.23.9-NetFrame4.5-Ver2.0-Trứ\\GPT\\bin\\Debug\\SkypeApp.pdb

  

D:\\ROT\\ROT\\Build rot Export\\2024\\Bot Export Chiến\\14.225.210.XX-Chiến -Ver 2.0\\GPT\\bin\\Debug\\spoolsv.pdb

  

D:\\ROT\\ROT\\ROT Ver 5.5\\Source\\Encrypted\\Ver 4.8 - Client Netframe 4.5\\XClient\\bin\\Debug\\AI.pdb

  

Another image we analyzed is an Excel spreadsheet that likely contained the victims’ data. We have redacted the images to maintain confidentiality. The spreadsheet has several tabs in Vietnamese, and their English translation showed us the tabs “Employee salary spreadsheet,” “advertising costs,” “website to buy copies,” “PayPal related,” and “can use.” The spreadsheet seemed to have multiple versions — the first was created on May 10, 2023. We also spotted that they have logged into their Microsoft Office 365 account with the display name “daloia krag” while accessing the spreadsheet, and CoralRaider likely operates the account. 

CoralRaider’s payload, XClient stealer analysis, showed us a few more indicators. CoralRaider had hardcoded Vietnamese words in several stealer functions of their payload XClient stealer. The stealer function maps the stolen victim’s information to hardcoded Vietnamese words and writes them to a text file on the victim machine’s temporary folder before exfiltration. One example function we observed is used to steal the victim’s Facebook Ads account that has hardcoded with Vietnamese words for Account rights, Threshold, Spent, Time Zone, and Date Created, etc.

**The campaign  **

Talos observed that CoralRaider is conducting a malicious campaign targeting victims in multiple countries in Asia and Southeast Asia, including India, China, South Korea, Bangladesh, Pakistan, Indonesia and Vietnam. 

The initial vector of the campaign is the Windows shortcut file. We are unclear on the technique the actor used to deliver the LNKs to the victims. Some of the shortcut file filenames that we observed during our analysis are:

*   자세한 비디오 및 이미지.lnk
*   設計內容+我的名片.lnk
*   run-dwnl-restart.lnk
*   index-write-upd.lnk
*   finals.lnk
*   manual.pdf.lnk
*   LoanDocs.lnk
*   DoctorReferral.lnk
*   your-award.pdf.lnk
*   Research.pdf.lnk
*   start-of-proccess.lnk
*   lan-onlineupd.lnk
*   refcount.lnk

We also discovered a few notable unique drive serial numbers from the metadata of the Windows Shortcut files:

*   A0B4-2B36
*   FA4C-C31D
*   94AA-CEFB
*   46F7-AF3B

The attack begins when a user opens a malicious Windows shortcut file, which downloads and executes an HTML application file (HTA) from an attacker-controlled download server. The HTA file executes an embedded obfuscated Visual Basic script. The malicious Visual Basic script executes an embedded PowerShell script in the memory, which decrypts and sequentially executes three other PowerShell scripts that perform anti-VM and anti-analysis checks, bypass the User Access Controls, disables the Windows and application notifications on the victim’s machine, and finally downloads and run the RotBot. 

RotBot, the QuasarRAT client variant, in its initial execution phase, performs several detection evasion checks on the victim machine and conducts system reconnaissance. RotBot then connects to a host on a legitimate domain, likely controlled by the threat actor, and downloads the configuration file for the RotBot to connect to the C2. CoralRaider uses the Telegram bot as the C2 channel in this campaign. 

After connecting to the Telegram C2, RotBot loads the payload XClient stealer onto the victim memory from its resource and runs its plugin program. The XClient stealer plugin performs anti-VM and anti-virus software checks on the victim's machine. It executes its functions to collect the victim's browser data, including cookies, stored credentials, and financial information such as credit card details. It also collects the victim’s data from social media accounts, including Facebook, Instagram, TikTok business ads, and YouTube. It also collects the application data from the Telegram desktop and Discord application on the victim's machine. The stealer plugin can capture screenshots of the victim’s desktop and save them as a PNG file in the victim's machine’s temporary folder. With PNG files, the stealer plugin dumps the collected victim’s data from the browser and social media accounts in a text file and creates a ZIP archive. The PNG and ZIP files are exfiltrated to the attacker's Telegram bot C2.

Infection flow diagram.

**RotBot loads and runs the payload  **

RotBot, a remote access tool (RAT) compiled on Jan. 9, 2024, is downloaded and runs on the victim machine disguised as a Printer Subsystem application “spoolsv.exe.” RotBot is a variant of the QuasarRAT client that the threat actor has customized and compiled for this campaign. 

During its initial execution, RotBot performs several checks on the victim’s machine to evade detection, including IP address, ASN number, and running processes of the victim’s machine. It performs reconnaissance of system data on the victim machine. It also configures the internet proxy on the victim machine by modifying the registry key: 

Software\\Microsoft\\Windows\\CurrentVersion\\Internet 

Settings with the values:

ProxyServer = 127.0.0.1:80

ProxyEnable = 1

We observed that RotBot discovered in this campaign creates mutex in the victim machine as the infection markers​​ using the hardcoded strings in the binary.

RotBot loads and runs the XClient stealer module from its resources and uses the configuration parameters for its Telegram C2 bot from the downloaded configuration file. 

The XClient stealer sample we analyzed in this campaign is a .Net executable compiled on Jan. 7, 2024. It has extensive information-stealing capability through its plugin module and various modules for performing remote administrative tasks. 

XClient stealer has three primary functions that help it to avoid the radar. First, it will do virtual environment evasion if the victim’s machine runs in VMware or VirtualBox. It also checks if a DLL called sbieDll.dll exists in the victim machine file system to detect if it runs in the Sandboxie environment. XClient stealer also checks if anti-virus software, including AVG, Avast, and Kaspersky, is running on the victim’s machine. 

After bypassing all the checking functions, the XClient stealer captures the victim’s machine screenshot, saves it with the “.png” extension in the victim’s temporary user profile folder, and sends it to C2 through the URL “/sendPhoto.” 

XClient stealer steals victims’ social media web application credentials, browser data, and financial information such as credit card details. It targets Chrome, Microsoft Edge, Opera, Brave, CocCoc, and Firefox browser data files through the absolute paths of the respective browser installation paths. It extracts the contents of the browser database to a text file in the victim’s profile local temporary folder. 

XClient stealer hijacks and steals various Facebook data from the victim’s Facebook account. It sets custom HTTP header metadata along with the victim’s stolen Facebook cookie, and the username sends requests to Facebook APIs through the URLs below.

It checks if the victim’s Facebook is a business or ads account and uses regular expressions to search for access\_token, assetID, and paymentAccountID. Using Facebook graph API, XClient attempts to collect an extensive list of information from the victim’s account, shown in the table below.

Entities

Value place holders

facebook\_pages

verification\_status, fan\_count, followers\_count, is\_owned, name, is\_published,is\_promotable, parent\_page, promotion\_eligible, has\_transitioned\_to\_new\_page\_experience, picture, roles

Adaccounts, businesses

name, permitted\_roles, can\_use\_extended\_credit, primary\_page, wo\_factor\_type, client\_ad\_accounts, verification\_status, id, created\_time, is\_disabled\_for\_integrity\_reasons, sharing\_eligibility\_status, allow\_page\_management\_in\_www, timezone\_id, timezone\_offset\_hours\_utc

owned\_ad\_accounts

id, currency, timezone\_offset\_hours\_utc, timezone\_name,adtrust\_dsl

Business\_users

name, account\_status, account\_id, owner\_business, created\_time, next\_bill\_date, currency, timezone\_name, timezone\_offset\_hours\_utc, business\_country\_code, disable\_reason, adspaymentcycle{threshold\_amount}, has\_extended\_credit, adtrust\_dsl, funding\_source\_details, balance, is\_prepay\_account, owner

XClient stealer also collects the financial information from the victims’ Facebook business and ads accounts.

Payment related entities

Value Place holders

pm\_credit\_card

display\_string, exp\_month, exp\_year, is\_verified

payment\_method\_direct\_debits

address, can\_verify, display\_string, s\_awaiting, is\_pending,

status

payment\_method\_paypal

email\_address

payment\_method\_tokens

Current\_balance, original\_balance, time\_expire, type

amount\_spent, userpermissions

user, role

 Using the graph API, XClient stealer retrieves victims’ account friend list details and pictures. 

XClient stealer also targets the victim’s Instagram account and YouTube accounts through the URLs and collects various information, including username, badge\_count, appID, accountSectionListRenderer, contents, title, data, actions, getMultiPageMenuAction, menu, multiPageMenuRenderer, sections and hasChannel. It collects the application data from the Telegram desktop and Discord application on the victim’s machine. XClient also collects the data from the victim’s TikTok business account and checks for business ads. 

Talos compiled the hardcoded HTTP request header metadata the XClient stealer uses in this campaign while retrieving the victim’s information from Facebook, Instagram, and YouTube accounts. 

Facebook

*   sec-ch-ua-mobile: ?0
    
*   sec-ch-ua-platform: \\"Windows\\"
    
*   sec-fetch-dest: document
    
*   sec-fetch-mode: navigate
    
*   sec-fetch-site: none
    
*   sec-fetch-user: ?1
    
*   upgrade-insecure-requests: 1
    
*   user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
    
*   sec-ch-ua: \\"Not?A\_Brand\\";v=\\"8\\", \\"Chromium\\";v=\\"108\\", \\"Google Chrome\\";v=\\"108\\"
    
*   sec-ch-ua-mobile: ?0
    

  

Instagram

*   Sec-Ch-Prefers-Color-Scheme: light
    
*   Sec-Ch-Ua: "Google Chrome"; v = "113", "Chromium"; v = "113", "Not-A.Brand"; v = "24"
    
*   Sec-Ch-Ua-Full-Version-List: "Google Chrome"; v = "113.0.5672.127", "Chromium"; v = "113.0.5672.127", "Not-A.Brand"; v = "24.0.0.0"
    
*   Sec-Ch-Ua-Mobile: ?0
    
*   Sec-Ch-Ua-Platform: "Windows"
    
*   Sec-Ch-Ua-Platform-Version: "10.0.0"
    
*   Sec-Fetch-Dest: document
    
*   Sec-Fetch-Mode: navigate
    
*   Sec-Fetch-Site: none
    
*   Sec-Fetch-User: ?1
    
*   Upgrade-Insecure-Requests: 1
    
*   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit / 537.36(KHTML, like Gecko) Chrome / 113.0.0.0 Safari / 537.36
    

  

Youtube

*   content-type: application/json
    
*   sec-ch-ua: "Google Chrome";v="113", "Chromium";v="113", "Not-A.Brand";v="24"
    
*   sec-ch-ua-arch: "x86"
    
*   sec-ch-ua-bitness: "64"
    
*   sec-ch-ua-full-version: "113.0.5672.127"
    
*   sec-ch-ua-full-version-list: "Google Chrome";v="113.0.5672.127", "Chromium";v="113.0.5672.127", "Not-A.Brand";v="24.0.0.0"
    
*   sec-ch-ua-mobile: ?0
    
*   sec-ch-ua-model: ""
    
*   sec-ch-ua-platform: "Windows"
    
*   sec-ch-ua-platform-version: "10.0.0"
    
*   sec-ch-ua-wow64: ?0
    
*   sec-fetch-dest: empty
    
*   sec-fetch-mode: same-origin
    
*   user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
    
*   x-goog-authuser: 0
    
*   x-origin: https://www.youtube.com
    
*   x-youtube-bootstrap-logged-in: true
    
*   x-youtube-client-name: 1
    

Finally, the XClient stealer stores the victim’s social media data, which is collected into a text file in the local user profile temporary folder and creates a ZIP archive. The ZIP files were exfiltrated to the Telegram C2 through the URL “/sendDocument”.

Talos’ research of this campaign focused on discovering and disclosing a new threat actor of Vietnamese origin and their payloads. Additional technical details of the attack chain components of this campaign can be found in the report published by the researchers at QiAnXin Threat Intelligence Center. 

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SID for this threat is 63192.

ClamAV detections are also available for this threat:

Lnk.Downloader.CoralRaider-10024620-0

Html.Downloader.CoralRaider-10025101-0

Win.Trojan.RotBot-10024631-0

Win.Infostealer.XClient-10025106-2

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

Tag

#cisco