A brand new ongoing malware marketing campaign has been noticed distributing three totally different stealers, corresponding to CryptBot, LummaC2, and Rhadamanthys hosted on Content material Supply Community (CDN) cache domains since at the very least February 2024.
Cisco Talos has attributed the exercise with average confidence to a risk actor tracked as CoralRaider, a suspected Vietnamese-origin group that got here to gentle earlier this month.
This evaluation relies on “several overlaps in tactics, techniques, and procedures (TTPs) of CoralRaider’s Rotbot campaign, including the initial attack vector of the Windows Shortcut file, intermediate PowerShell decryptor and payload download scripts, the FoDHelper technique used to bypass User Access Controls (UAC) of the victim machine,” the corporate stated.
Targets of the marketing campaign span numerous enterprise verticals throughout geographies, together with the U.S., Nigeria, Pakistan, Ecuador, Germany, Egypt, the U.Okay., Poland, the Philippines, Norway, Japan, Syria, and Turkey.
Assault chains contain customers downloading recordsdata masquerading as film recordsdata by way of an online browser, elevating the potential of a large-scale assault.
“This threat actor is using a Content Delivery Network (CDN) cache to store the malicious files on their network edge host in this campaign, avoiding request delay,” Talos researchers Joey Chen, Chetan Raghuprasad, and Alex Karkins stated. “The actor is using the CDN cache as a download server to deceive network defenders.”
The preliminary entry vector for the drive-by downloads is suspected to be phishing emails, utilizing them as a conduit to propagate booby-trapped hyperlinks pointing to ZIP archives containing a Home windows shortcut (LNK) file.
The shortcut file, in flip, runs a PowerShell script to fetch a next-stage HTML utility (HTA) payload hosted on the CDN cache, which subsequently runs Javascript code to launch an embedded PowerShell loader that takes steps to fly underneath the radar and in the end downloads and runs one of many three stealer malware.
The modular PowerShell loader script is designed to bypass the Consumer Entry Controls (UAC) within the sufferer’s machine utilizing a identified method known as FodHelper, which has additionally been put to make use of by Vietnamese risk actors linked to a different stealer often known as NodeStealer that is able to stealing Fb account knowledge.
The stealer malware, no matter what’s deployed, grabs victims’ data, corresponding to system and browser knowledge, credentials, cryptocurrency wallets, and monetary data.
What’s notable in regards to the marketing campaign is that it makes use of an up to date model of CryptBot that packs in new anti-analysis strategies and in addition captures password supervisor utility databases and authenticator utility data.
