A new ongoing malware campaign has been observed distributing three different stealers, such as CryptBot, LummaC2, and Rhadamanthys hosted on Content Delivery Network (CDN) cache domains since at least February 2024.
Cisco Talos has attributed the activity with moderate confidence to a threat actor tracked as CoralRaider, a suspected Vietnamese-origin group that came to light earlier this month.
This assessment is based on “several overlaps in tactics, techniques, and procedures (TTPs) of CoralRaider’s Rotbot campaign, including the initial attack vector of the Windows Shortcut file, intermediate PowerShell decryptor and payload download scripts, the FoDHelper technique used to bypass User Access Controls (UAC) of the victim machine,” the company said.
Targets of the campaign span various business verticals across geographies, including the U.S., Nigeria, Pakistan, Ecuador, Germany, Egypt, the U.K., Poland, the Philippines, Norway, Japan, Syria, and Turkey.
Attack chains involve users downloading files masquerading as movie files via a web browser, raising the possibility of a large-scale attack.
“This threat actor is using a Content Delivery Network (CDN) cache to store the malicious files on their network edge host in this campaign, avoiding request delay,” Talos researchers Joey Chen, Chetan Raghuprasad, and Alex Karkins said. “The actor is using the CDN cache as a download server to deceive network defenders.”
The initial access vector for the drive-by downloads is suspected to be phishing emails, using them as a conduit to propagate booby-trapped links pointing to ZIP archives containing a Windows shortcut (LNK) file.
The shortcut file, in turn, runs a PowerShell script to fetch a next-stage HTML application (HTA) payload hosted on the CDN cache, which subsequently runs Javascript code to launch an embedded PowerShell loader that takes steps to fly under the radar and ultimately downloads and runs one of the three stealer malware.
The modular PowerShell loader script is designed to bypass the User Access Controls (UAC) in the victim’s machine using a known technique called FodHelper, which has also been put to use by Vietnamese threat actors linked to another stealer known as NodeStealer that’s capable of stealing Facebook account data.
The stealer malware, regardless of what’s deployed, grabs victims’ information, such as system and browser data, credentials, cryptocurrency wallets, and financial information.
What’s notable about the campaign is that it utilizes an updated version of CryptBot that packs in new anti-analysis techniques and also captures password manager application databases and authenticator application information.