🇻🇳

CoralRaider

APT Group ETDA ✓

Also Known As

No alias recorded

Target Countries

No target country recorded

Sectors Targeted

Promoters of Performing Arts, Sports, and Similar Events 7113

Details

Origin 🇻🇳 VN

Last Updated 27 Apr 2024

Malware Families 1

py.pxa_stealer

MITRE ATT&CK 35

T1008 T1027 - Obfuscated Files or Information T1036 - Masquerading T1055 T1056 T1057 T1059 - Command and Scripting Interpreter T1071 T1071.001 T1074 T1078.002 T1087 - Account Discovery T1113 T1114 T1134 - Access Token Manipulation T1140 - Deobfuscate/Decode Files or Information T1176 T1185 T1210 T1489 T1497 T1518 T1547 - Boot or Logon Autostart Execution T1548 T1552 T1555 T1564 - Hide Artifacts T1566 - Phishing T1566.001 T1568 T1569 T1584 T1588 T1592 T1600

Related Zero-Days

No zero-day CVE linked to this actor

Known Names 1 entries

CoralRaider Talos

Observed Target Countries 19

Based on ETDA data — countries highlighted in red

Bangladesh China Ecuador Egypt Germany India Indonesia Japan Nigeria Norway Pakistan Philippines Poland South Korea Syria Turkey UK USA Vietnam

Description

(Talos) Cisco Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries. This group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts. They use RotBot, a customized variant of QuasarRAT, and XClient stealer as payloads in the campaign we analyzed. The actor uses the dead drop technique, abusing a legitimate service to host the C2 configuration file and uncommon living-off-the-land binaries (LoLBins), including Windows Forfiles.exe and FoDHelper.exe

Tools Used 7

AsyncRAT LummaC2 NetSupport Manager Rhadamanthys RotBot XClient Living off the Land

Operations 1

2024-02 Suspected CoralRaider continues to expand victimology using three information stealers https://blog.talosintelligence.com/suspected-coralraider-continues-to-expand-victimology-using-three-information-stealers/

Reports & References 1

https://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/

ETDA Profile

CoralRaider

Origin

Vietnam

First Seen 2023

Motivation

Financial gain

View on ETDA APT Groups ↗