Cybercriminal group CoralRaider distributes malware in multiple countries, including the US, Nigeria, Pakistan, Ecuador, Germany, Egypt, the UK, Poland, the Philippines, Norway, Japan, Syria, and Turkey. Its malware includes Cryptbot, LummaC2, and Rhadamanthys.
This campaign, revealed through telemetry data and open-source intelligence (OSINT), demonstrates a sophisticated approach aimed at various organisations, including Japan’s computer service call centres and civil defence services in Syria.
The attackers stage their malicious files in a Content Delivery Network (CDN) cache, so the files are served from the CDN’s edge hosts rather than from infrastructure the attackers run themselves. Using the CDN cache as a download server streamlines the attack and makes the downloads harder for network defenders to detect and block.
Researchers’ investigations have revealed that the threat actor uses multiple C2 domains, indicating ongoing malicious activities. These domains, observed in DNS requests during analysis, underscore the campaign’s persistence and adaptability.

Researchers have identified overlaps in tactics, techniques, and procedures (TTPs) with CoralRaider’s Rotbot campaign, leading to a moderate confidence assessment that CoralRaider is likely behind this latest campaign. PowerShell scripts and geographical targets align closely with CoralRaider’s previous operations.
“The affected users were downloading files masquerading as movie files through the browser, indicating the possibility of a widespread attack on users across various business verticals and geographies,” noted researchers.
The attack begins with the distribution of malicious shortcut files, usually concealed inside ZIP archives. These archives are disseminated through various vectors, including drive-by downloads and phishing emails. Unsuspecting victims open the malicious shortcut, which triggers the start of the attack chain.
Upon opening the malicious shortcut, a PowerShell command is executed. This command initiates the download and execution of an HTML Application (HTA) file hosted on attacker-controlled Content Delivery Network (CDN) domains. CDN caches facilitate faster and more reliable delivery of malicious content while evading typical network defences.
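The first link of the chain above is a shortcut inside a ZIP archive that the victim believes is a movie file. The following Python snippet is an added example for defenders, not code from the report or from any of the tools it mentions; it triages an archive before it reaches a user, flagging shortcut entries whose names imitate media files and entries whose content is a Windows shell link even though the name does not end in .lnk. The sample archive is constructed inline; the only real constant is the fixed 20-byte shell link header (header size 0x4C followed by the shell link CLSID).

```python
import io
import zipfile

# Fixed shell link header: HeaderSize 0x0000004C followed by the CLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) form.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions a lure is likely to imitate when "movie" downloads are the theme.
MEDIA_EXTS = (".mp4", ".mkv", ".avi", ".mov", ".wmv")


def triage_archive(zip_bytes):
    """Return a list of (entry_name, reason) for suspicious archive members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            # Only the first 20 bytes are needed to recognise a shell link,
            # so a large archive member is never fully decompressed here.
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            is_lnk_content = head == LNK_MAGIC

            if lower.endswith(".lnk"):
                # Explorer hides the .lnk suffix, so "X.mp4.lnk" displays as "X.mp4".
                stem = lower[:-len(".lnk")]
                if stem.endswith(MEDIA_EXTS):
                    findings.append((name, "shortcut masquerading as media file"))
                else:
                    findings.append((name, "shortcut in archive"))
            elif is_lnk_content:
                findings.append((name, "shell link content under non-.lnk name"))
    return findings


def build_sample_archive():
    """Constructed sample ZIP: a decoy-named shortcut, a harmless text file and a
    shell link stored under a plain media name.  Not a real campaign artefact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Blockbuster.2024.1080p.mp4.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("README.txt", b"just text")
        zf.writestr("trailer.mp4", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in triage_archive(build_sample_archive()):
        print(f"{reason}: {entry}")
```

The check on content rather than name matters because Windows chooses the handler for a .lnk file by extension, so a shell link stored as `trailer.mp4` would not execute on double-click, but it would survive a filter that only inspects names and could be renamed later by another stage. A mail gateway or download proxy can apply `triage_archive` and quarantine anything with a finding.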

The HTA file, heavily obfuscated to evade detection, contains embedded JavaScript code. This code decodes and executes a PowerShell decryptor script embedded within the HTA file. The PowerShell decryptor script is responsible for decrypting the next stage of the attack, the PowerShell Loader script.
The PowerShell Loader script, a modular and multifunctional component of the attack chain, is designed to evade detection and execute various malicious activities. Key functionalities of the PowerShell Loader include:
- Bypassing User Account Control (UAC): The script drops a batch file in the victim’s temporary folder and uses a living-off-the-land binary (LOLBin) called FoDHelper.exe. Because this binary runs with high integrity by default, it lets the script execute commands with elevated privileges without prompting the user, bypassing UAC protections.
- Registry key manipulation: The script modifies registry keys associated with Windows Defender and programmatic identifiers (ProgIDs). By adding custom ProgIDs and configuring registry settings, the attackers manipulate Windows Defender exclusions and execute malicious commands without triggering security alerts.
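Both loader behaviours in the list above leave registry and process traces that endpoint telemetry records. The Python below is an added detection example written for this article, not code from the report; it runs three rules over Sysmon-style events: a value written under the Windows Defender exclusions keys, a value written to the ms-settings ProgID command that FoDHelper.exe consults, and a process whose parent is FoDHelper.exe. The event lines are constructed samples in a simplified one-JSON-object-per-line layout that loosely follows Sysmon field names (event 13 for a registry value set, event 1 for process creation); the registry paths are the standard Windows locations for those settings, not values taken from the report.

```python
import json
import re
from collections import Counter

# Registry patterns matched against Sysmon event 13 (registry value set).
REGISTRY_RULES = [
    ("defender_exclusion_added",
     re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\", re.I)),
    ("ms_settings_progid_hijack",
     re.compile(r"\\Software\\Classes\\ms-settings\\Shell\\Open\\command", re.I)),
]

# Constructed sample telemetry (not real events).  The first four lines mimic the
# loader behaviour described above; the last two are benign background noise.
SAMPLE_EVENTS = r"""
{"event_id": 13, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\alice\\AppData\\Local\\Temp", "details": "DWORD (0x00000000)"}
{"event_id": 13, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\DelegateExecute", "details": ""}
{"event_id": 13, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)", "details": "C:\\Users\\alice\\AppData\\Local\\Temp\\run.bat"}
{"event_id": 1, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\System32\\fodhelper.exe", "command_line": "cmd /c C:\\Users\\alice\\AppData\\Local\\Temp\\run.bat"}
{"event_id": 13, "image": "C:\\Windows\\explorer.exe", "target": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "details": "DWORD (0x00000001)"}
{"event_id": 1, "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "notepad.exe"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(text):
    """Return (rule_name, writing_or_child_image, evidence) for every match."""
    findings = []
    for ev in parse_events(text):
        if ev["event_id"] == 13:
            for rule, pattern in REGISTRY_RULES:
                if pattern.search(ev["target"]):
                    findings.append((rule, ev["image"], ev["target"]))
        elif ev["event_id"] == 1:
            parent = ev.get("parent_image", "")
            # FoDHelper.exe normally launches nothing; any child is worth a look.
            if parent.lower().endswith("\\fodhelper.exe"):
                findings.append(("fodhelper_child_process", ev["image"], ev["command_line"]))
    return findings


def summarize(findings):
    """Count hits per rule and flag the full ProgID-hijack plus FoDHelper chain."""
    counts = Counter(rule for rule, _, _ in findings)
    chain = counts["ms_settings_progid_hijack"] > 0 and counts["fodhelper_child_process"] > 0
    return counts, chain


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, image, evidence in hits:
        print(f"[{rule}] {image} -> {evidence}")
    counts, chain = summarize(hits)
    print("uac_bypass_chain" if chain else "no chain", dict(counts))
```

The individual rules fire on their own, but the combination in `summarize` is the high-confidence signal: a write to the ms-settings command key followed shortly by a child of FoDHelper.exe is the whole bypass in two events. Administrators do add Defender exclusions legitimately, so that rule is best tuned by the writing process and by whether the excluded path is a user-writable temporary folder, as in the sample.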
Following successful evasion and system manipulation, the PowerShell Loader downloads and executes one of three information stealers: Cryptbot, LummaC2, or Rhadamanthys. The payload is selected according to the threat actor’s objectives, such as stealing sensitive information, credentials, cryptocurrency wallets, and financial data.

Once the payload is deployed, the attackers ensure persistence by modifying system settings and configurations. This includes adding folders to exclusion lists, manipulating registry keys, and executing the downloaded payload through various techniques, such as Windows start commands and batch script execution.
Throughout the attack, the compromised systems establish communication with command-and-control (C2) servers controlled by the threat actor. This communication enables data exfiltration, command execution, and ongoing control over the compromised systems.
The campaign’s arsenal includes renowned information stealers such as CryptBot, which now boasts new evasion techniques and expanded targeting of applications and cryptocurrency wallets. LummaC2, another payload, has undergone modifications to obfuscate its behaviour and communication with command-and-control servers. While not the latest version, Rhadamanthys demonstrates the actor’s willingness to leverage diverse malware tools for maximum impact.
