
Vietnamese Threat Actor Targeting Financial Data Across Asia

CoralRaider Looks for Social Media Accounts That Contain Payment Information
Cisco Talos traced the IP address of CoralRaider, financially motivated hackers, to Hanoi, Vietnam, pictured. (Image: Shutterstock)

Vietnamese financially motivated hackers are targeting businesses across Asia in a campaign to harvest corporate credentials and financial data for resale in online criminal markets.

Researchers at Cisco Talos identified a cluster of hacking activity it tracks as CoralRaider attacking India, China, South Korea, Bangladesh, Pakistan, Indonesia and domestic targets with exfiltration malware.

Talos attributes the group's origin to Vietnam with high confidence, pointing to the hackers' use of Vietnamese in their Telegram command-and-control channel and Vietnamese words hard-coded into payload binaries. Its IP address traces to Hanoi.

Hackers use RotBot, a customized remote access tool - a variant of the Quasar RAT - to download an info stealer that looks for business social media accounts containing data such as payment cards.

The group "focuses on stealing victims' credentials, financial data, and social media accounts, including business and advertisement accounts," the researchers said.

A CoralRaider attack begins when users open a malicious Windows shortcut file, triggering the infection chain. Talos said it's not sure how the threat actor delivers the files to victims.

The activated LNK file downloads an HTML application file that executes a Visual Basic script, which in turn executes a PowerShell script in memory "which decrypts and sequentially executes three other PowerShell scripts that perform anti-VM and anti-analysis checks, bypass the User Access Controls, disable the Windows and application notifications on the victim’s machine, and finally download and run the RotBot."
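One way to surface the LNK-to-HTA-to-VBScript-to-PowerShell chain described above in endpoint process-creation telemetry, as an added example that is not code from the article or from Talos. It assumes HTA files run under mshta.exe, VBScript under wscript.exe or cscript.exe, and that each event carries a pid, parent pid, image name and command line; the sample events are constructed.

```python
# Added example (not from the article or Talos): flag the HTA -> script host -> PowerShell
# parent/child chain in process-creation events. Image names and event shape are assumptions.
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


HTA_HOSTS = {"mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PS_HOSTS = {"powershell.exe", "pwsh.exe"}
# Switches commonly seen when PowerShell is run hidden / in memory rather than from a script file
PS_SUSPICIOUS = ("-nop", "-w hidden", "-enc", "iex")


def find_chains(events):
    """Return every PowerShell process whose parent is a script host and grandparent is mshta."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() not in PS_HOSTS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() not in SCRIPT_HOSTS:
            continue
        grand = by_pid.get(parent.ppid)
        if grand is None or grand.image.lower() not in HTA_HOSTS:
            continue
        indicators = [s for s in PS_SUSPICIOUS if s in e.cmdline.lower()]
        hits.append({"chain": [grand.pid, parent.pid, e.pid], "indicators": indicators})
    return hits


# Constructed sample telemetry: one malicious chain plus a benign scheduled PowerShell run
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "mshta.exe", "mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\a.hta"),
    ProcEvent(300, 200, "wscript.exe", "wscript.exe //e:vbscript C:\\Users\\u\\AppData\\Local\\Temp\\b.vbs"),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -nop -w hidden -enc <base64-placeholder>"),
    ProcEvent(500, 100, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for hit in find_chains(SAMPLE):
        print(hit)
```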

The XClient info stealer loaded by RotBot collects data including cookies, credentials and financial information from web browsers including Brave, Cốc Cốc, Google Chrome, Microsoft Edge, Mozilla Firefox and Opera, as well as Discord and Telegram.

XClient also targets data from victims' Facebook, Instagram, TikTok and YouTube accounts and gathers details about payment methods and permissions associated with their Facebook business and advertising accounts.

About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
