DNS Early Detection – Breaking the Coral Raider Kill Chain | Infoblox

Threat researchers link Coral Raider to campaigns distributing several infostealer families (Rhadamanthys, Lumma C2, Cryptbot) and note the use of CDNs to host malicious payloads, which camouflages the Kill Chain. Infoblox’s DNS Early Detection flagged Coral Raider’s malicious domains days to months before OSINT became available, enabling automatic blocking that disrupts the attacks.

Keypoints

  • The Coral Raider campaign began around February 2024 and distributes several infostealer families (Rhadamanthys, Lumma C2, Cryptbot).
  • The attackers leverage Content Delivery Networks (CDNs) to host malicious files and payloads, aiding camouflage of the Kill Chain.
  • Infoblox DNS Early Detection identified Coral Raider C2 domains as SUSPICIOUS well before OSINT became available, with a 94.12% hit rate across domains and an average lead time of 76.8 days.
  • A set of malicious Coral Raider C2 domains was identified, including examples such as culturesketchfinanciall[.]shop and dbeight8pt[.]top, among others.
  • Blocking these domains in Infoblox customers’ networks disrupted multiple attack Kill Chains across the global customer base.
  • Suspicious domain feeds offer high value with relatively low effort, reducing time-to-value and increasing threat-intelligence ROI for defenders.
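The keypoints above describe two defender-side steps: turning a suspicious-domain feed into a block that catches lookups of the listed C2 domains (and their subdomains), and measuring how far ahead of OSINT the feed was. The following is an added example, not Infoblox's code or the article's; the BIND-style log format, the query log lines and the dates are constructed for illustration, and only the three domain names come from the page.

```python
import re
from datetime import date

# Constructed sample: the three Coral Raider C2 domains the page names, defanged the
# way threat-intel feeds publish them. Everything else here is assumed for illustration.
DEFANGED_IOCS = ["culturesketchfinanciall[.]shop", "dbeight8pt[.]top",
                 "gemcreedarticulateod[.]shop"]

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('example[.]shop', 'hxxp://...') into a plain hostname."""
    d = re.sub(r"^hxxps?://", "", ioc.strip().lower())
    return d.replace("[.]", ".").replace("[dot]", ".").split("/")[0].rstrip(".")

BLOCKLIST = {refang(d) for d in DEFANGED_IOCS}

def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """Exact match or any subdomain (cdn.dbeight8pt.top hits; notdbeight8pt.top does not)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

# Constructed BIND-style query log lines; the format is an assumption.
SAMPLE_LOG = """\
client 10.0.0.5#53211: query: www.example.com IN A
client 10.0.0.7#40122: query: cdn.dbeight8pt.top IN A
client 10.0.0.9#51002: query: culturesketchfinanciall.shop IN A
client 10.0.0.9#51003: query: notgemcreedarticulateod.shop IN A
"""
QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN")

def flag_queries(log_text: str, blocklist=BLOCKLIST):
    """Return (client, qname) pairs whose lookups hit the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_blocked(m.group(2), blocklist):
            hits.append((m.group(1), m.group(2)))
    return hits

def early_detection_stats(observations):
    """observations: {domain: (ISO date first flagged SUSPICIOUS or None, ISO OSINT date)}.
    Hit rate = share flagged strictly before OSINT; lead time averaged over hits only."""
    leads = []
    for flagged, osint in observations.values():
        if flagged and date.fromisoformat(flagged) < date.fromisoformat(osint):
            leads.append((date.fromisoformat(osint) - date.fromisoformat(flagged)).days)
    hit_rate = 100.0 * len(leads) / len(observations)
    avg_lead = sum(leads) / len(leads) if leads else 0.0
    return round(hit_rate, 2), round(avg_lead, 1)
```

A domain flagged only on or after the OSINT date counts as a miss, so the lead-time average is not diluted by zero or negative values.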

MITRE Techniques

  • [T1583.001] Acquire Infrastructure – Adversaries register and use malicious domains to host C2 infrastructure. – ‘MALICIOUS Coral Raider C2 domains identified as SUSPICIOUS include: culturesketchfinanciall[.]shop, dbeight8pt[.]top, gemcreedarticulateod[.]shop’
  • [T1105] Ingress Tool Transfer – Adversaries download and use payloads hosted on CDN infrastructure. – ‘Threat researchers believe that Coral Raider uses the Content Delivery Network (CDN) to host malicious files and payloads.’

Indicators of Compromise

  • [Domain] Malicious C2 domains – culturesketchfinanciall[.]shop, dbeight8pt[.]top, gemcreedarticulateod[.]shop, and 14 more domains (as listed in the article)

Read more: https://blogs.infoblox.com/threat-intelligence/dns-early-detection-breaking-the-coral-raider-kill-chain/