CoralRaider's Stealer Spree

Written by The Hivemind | May 3, 2024 5:53:10 PM

Related Families: CryptBot, LummaC2, Rhadamanthys
Verticals Targeted: Technology, Defense

Executive Summary

The threat actor group CoralRaider was recently observed on a stealer spree distributing three infostealers, CryptBot, LummaC2, and Rhadamanthys.  

Key Takeaways

  • The threat actor group CoralRaider was recently observed in a stealer spree, targeting entities in multiple countries.
  • In the campaign, the threat actors distributed three infostealers, CryptBot, LummaC2, and Rhadamanthys. 
  • They appeared to be using new variants of CryptBot and LummaC2, while using an older version of Rhadamanthys.

The Campaign

The threat actor group CoralRaider was recently observed distributing three infostealers, CryptBot, LummaC2, and Rhadamanthys. This stealer spree has been active since at least 2024. Cisco Talos reported on this activity.

CoralRaider’s stealer spree targeted entities in the US, Nigeria, Pakistan, Ecuador, Germany, Egypt, UK, Poland, the Philippines, Norway, Japan, Syria, and Turkey. Affected entities included computer call service organizations and civil defense service organizations, among others.

Cisco Talos described the infection chain:

  • The infection chain begins when a victim opens a malicious shortcut file contained in a ZIP archive delivered as a drive-by download.
  • An HTA file executes an embedded JavaScript, which in turn decodes and runs a PowerShell decrypter script. 
  • This decrypter script then decrypts the embedded PowerShell Loader script and runs it in the system’s memory. 
  • The loader executes multiple functions in order to evade detection and bypass UAC. It then downloads and runs one of three infostealer payloads. 
  • Cisco Talos noted the threat actors used a content delivery network (CDN) cache as a download server.
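As an added illustration that is not part of the Talos report or PolySwarm's own tooling, the following script flags the HTA-to-PowerShell hand-off from the chain above (an HTA is hosted by mshta.exe, whose embedded JavaScript launches the PowerShell decrypter) by checking parent/child relationships in constructed Sysmon-style process-creation records; the paths and PIDs are hypothetical sample data.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style, trimmed)."""
    pid: int
    ppid: int
    image: str


# Constructed sample telemetry (hypothetical paths, not real IOCs).
# Event 300 mirrors the described chain: the HTA host (mshta.exe) spawns the
# PowerShell decrypter. Event 400 is a benign PowerShell launched directly
# from explorer.exe and must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def ancestry(events, pid):
    """Image names from the root ancestor down to pid, for analyst context."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # seen guards against PID reuse cycles
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def find_hta_to_powershell(events):
    """PIDs of powershell.exe processes whose direct parent is mshta.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if image_name(e.image) == "powershell.exe" and image_name(parent.image) == "mshta.exe":
            hits.append(e.pid)
    return hits
```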

In the campaign, the threat actors leveraged three well-known infostealers: CryptBot, LummaC2, and Rhadamanthys. Information about each of the infostealer families is provided below:

CryptBot

CryptBot is an infostealer that has been active in the wild since at least 2019. It targets Windows systems. It is capable of stealing browser credentials, cryptocurrency wallets, browser cookies, and credit card information. It can also take screenshots of the victim’s system. The variant of CryptBot used in this campaign was first observed in January 2024 and includes new techniques to thwart malware analysis. 

LummaC2

LummaC2 is an infostealer that has been in the wild since at least late 2022. LummaC2 is written in C and is sold on the underground. We reported on LummaC2 in December 2023, noting its unique trigonometry-based anti-sandboxing technique. Cisco Talos researchers stated the LummaC2 variant used by CoralRaider appeared to be a new variant.

Rhadamanthys

Rhadamanthys, an infostealer, is malware as a service (MaaS) available on the dark web. Rhadamanthys, which is written in C++, was first seen in the wild in 2022. Rhadamanthys steals credentials, cryptocurrency wallets, and other sensitive information such as device information and documents, and sends it to the C2. Rhadamanthys has been under active development, with a new variant (6.0) released in February. However, Cisco Talos noted the CoralRaider campaign used the older Rhadamanthys version 5.0.

Who is CoralRaider?

CoralRaider is a threat actor group thought to be of Vietnamese origin. They appear to be financially motivated and have been active since at least 2023. Earlier this year, CoralRaider was observed using XClient stealer and RotBot, a QuasarRAT variant, to target entities in Asia. 

IOCs

PolySwarm has multiple samples associated with this activity. 

You can use the following CLI command to search for all CoralRaider samples in our portal:

$ polyswarm link list -f CoralRaider
