CoralRaider

Description

(Talos) Cisco Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries.

This group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts.

They use RotBot, a customized variant of QuasarRAT, and XClient stealer as payloads in the campaign we analyzed.

The actor uses the dead drop technique, abusing a legitimate service to host the C2 configuration file and uncommon living-off-the-land binaries (LoLBins), including Windows Forfiles.exe and FoDHelper.exe

Names

Name	Name-Giver
CoralRaider	Talos

Country

• Vietnam

Motivation

• Financial gain

First Seen

2023

Observed Countries

• Bangladesh
• China
• Ecuador
• Egypt
• Germany
• India
• Indonesia
• Japan
• Nigeria
• Norway
• Pakistan
• Philippines
• Poland
• South Korea
• Syria
• Turkey
• UK
• USA
• Vietnam

Tools

• AsyncRAT
• LummaC2
• NetSupport Manager
• Rhadamanthys
• RotBot
• XClient
• Living off the Land

Operations

• 2024-02: Suspected CoralRaider continues to expand victimology using three information stealers https://blog.talosintelligence.com/suspected-coralraider-continues-to-expand-victimology-using-three-information-stealers/

Information

• https://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/

Other Information

Uuid

55e65c1c-f9bc-4060-8281-13dcf7a4cd17

Last Card Change

2024-06-18