Suspected CoralRaider continues to expand victimology using three information stealers

Cisco Talos attributes an ongoing campaign since at least February 2024 to suspected CoralRaider, distributing CryptBot, LummaC2 and Rhadamanthys via malicious LNK files that launch an HTA/PowerShell chain hosted on CDN cache domains. The chain uses a novel PowerShell argument in the LNK, heavy obfuscation and a FoDHelper/ProgID UAC bypass to deploy payloads into C:\ProgramData; remediation and IOCs are published by Talos. #CoralRaider #CryptBot

Keypoints

  • Cisco Talos observed a campaign using malicious Windows shortcut (.LNK) files that execute PowerShell to run remote HTA files hosted on CDN cache domains.
  • The HTA contains obfuscated JavaScript that decodes and invokes an embedded PowerShell AES decryptor, which loads a PowerShell loader into memory.
  • The PowerShell loader drops and executes batch scripts that add C:\ProgramData to the Windows Defender exclusion list, and it uses FoDHelper with a custom ProgID (ServiceHostXGRT → CurVer) to bypass UAC.
  • The loader downloads one of three information stealers—CryptBot, LummaC2 or Rhadamanthys—saves the payload as X1xDd.exe in C:\ProgramData and executes it via the same FoDHelper technique.
  • LummaC2 samples use encrypted C2 lists (nine domains) with per-sample keys; the actor uses multiple CDN edge URLs and various C2 domains to host and manage payloads.
  • Rhadamanthys is delivered via a Python-based loader that decodes and injects the malware into chosen system processes using a custom “XS” loader format and process injection.
  • Talos published ClamAV detections and a raw IOC list on GitHub to assist detection and blocking of the campaign.

MITRE Techniques

  • [T1204] User Execution – The campaign begins when “a victim opens the malicious shortcut file from a ZIP file downloaded using the drive-by download technique” (‘The infection chain starts when a victim opens the malicious shortcut file from a ZIP file downloaded using the drive-by download technique’).
  • [T1059.001] PowerShell – “Windows shortcut file runs a PowerShell command to download and run an HTML application file” demonstrating use of PowerShell as the primary execution and loader mechanism (‘Windows shortcut file runs a PowerShell command to download and run an HTML application file on the victim’s machine’).
  • [T1218.005] Mshta (Signed Binary Proxy Execution) – The actor locates and uses mshta.exe to execute a remotely hosted HTA: “gets the executable name ‘mshta.exe’… executes the remotely hosted malicious HTA file” (‘gets the executable name “mshta.exe.” Using mshta.exe, the PowerShell instance executes the remotely hosted malicious HTA file on the victim’s machine’).
  • [T1027] Obfuscated Files or Information – The HTA and scripts are heavily obfuscated and decode runtime code: “The malicious HTML application file is heavily obfuscated and has a Javascript that decodes and executes a function” (‘The malicious HTML application file is heavily obfuscated and has a Javascript that decodes and executes a function’).
  • [T1105] Ingress Tool Transfer – The actor hosts the HTA and payloads on CDN edge/cache URLs to deliver tooling: “using the CDN cache as a download server” (‘the actor is using a Content Delivery Network (CDN) cache to store the malicious files on their network edge host… The actor is using the CDN cache as a download server’).
  • [T1548.002] Bypass User Account Control – FoDHelper abuse and ProgID/CurVer manipulation are used to elevate execution without prompts: “the FoDHelper technique used to bypass User Access Controls (UAC)” (‘the FoDHelper technique used to bypass User Access Controls (UAC) of the victim machine’).
  • [T1055] Process Injection – Rhadamanthys is injected into other processes via a custom loader: “Python scripts load the Rhadamanthys malware in two stages… inject Rhadamanthys malware into the process” (‘the Python script uses the Windows API to allocate a memory block and inject Rhadamanthys malware into the process’).
  • [T1005] Data from Local System – The deployed information stealers harvest local system/browser/credential data: “These information stealers target victims’ information, such as system and browser data, credentials, cryptocurrency wallets” (‘These information stealers target victims’ information, such as system and browser data, credentials, cryptocurrency wallets’).
  • [T1070] Indicator Removal on Host – The loader removes registry keys after use to reduce detection: “Finally, it deletes the configured registry keys to evade detection” (‘Finally, it deletes the configured registry keys to evade detection’).

Indicators of Compromise

  • [CDN domains] download hosts for HTA/payloads – hxxps://techsheck[.]b-cdn[.]net/Zen90, hxxps://denv-2[.]b-cdn[.]net/FebL5, and multiple other b-cdn edge URLs listed in Talos.
  • [LummaC2 C2 domains] encrypted C2 list (9) – peasanthovecapspll[.]shop, gemcreedarticulateod[.]shop, and 7 more domains (Talos decrypted list of nine C2 hosts).
  • [File names] payloads and dropped scripts – X1xDd.exe (downloaded payload saved to C:\ProgramData), r.bat (dropped batch script executed via FoDHelper).
  • [Registry keys/ProgID] UAC bypass artifacts – HKCU:\Software\Classes\ServiceHostXGRT\Shell\Open\command -> %temp%\r.bat and HKCU:\Software\Classes\ms-settings\CurVer (used to redirect ms-settings to the custom ProgID's shell\open\command).
  • [Malicious URLs / IOC repository] Talos published IOC text – https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2024/04/victimology-using-three-information-stealers.txt (full IOC list).

The attack chain begins with a malicious Windows shortcut (.LNK) delivered inside a ZIP file (often via drive‑by download or phishing). The LNK embeds a PowerShell command that queries the registry for the mshta.exe executable and then runs a remotely hosted HTA from an actor-controlled CDN cache. That HTA contains heavily obfuscated JavaScript which decodes and executes an embedded PowerShell AES decryptor; the decryptor derives a 256‑byte AES key from a base64 string and IV and uses it to decrypt and execute the next-stage PowerShell loader directly in memory.

The in-memory PowerShell loader is modular: it drops a batch file (r.bat) into %TEMP%, writes commands to add C:\ProgramData to Windows Defender exclusions, and then leverages FoDHelper (a high‑integrity Microsoft binary) together with a crafted ProgID (ServiceHostXGRT → CurVer → ms-settings\shell\open\command) to execute the batch elevated and bypass UAC without user prompts. The loader then downloads one of three information stealers to C:\ProgramData\X1xDd.exe, overwrites the batch with a second stage to launch the payload via the same FoDHelper flow, and removes the temporary registry entries to reduce forensic artifacts.

The payload options observed are CryptBot (packed variants, expanded targeting including password managers and authenticators), LummaC2 (custom-obfuscated builds with per-sample encrypted C2 lists that try up to nine hosts), and Rhadamanthys (delivered via a Python-based loader that decodes, allocates memory, and injects the malware into selected system processes using a custom “XS” loader format). The actor uses CDN edge URLs for fast hosting and multiple C2 domains for resilience; defenders should block the listed CDN/C2 hosts, monitor for the specific LNK/HTA/PowerShell patterns, and detect FoDHelper/ProgID registry abuse and unexpected additions to Defender exclusion lists.
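As an added defensive example (not code from the Talos post), the Python hunting logic below runs over constructed Sysmon-style events using Sysmon's own field names (EventID, TargetObject, Details, Image, ParentImage) and flags the artifacts described above: a ProgID shell\open\command handler pointing to a script in %TEMP%, the ms-settings CurVer redirection, a Defender exclusion path written by a script host, and fodhelper.exe spawned by PowerShell. The SID and user paths in the sample events are made up.

```python
import re

# Registry targets and values that the FoDHelper/ProgID bypass and the
# Defender-exclusion step leave behind (Sysmon Event ID 13 = registry value set).
PROGID_CMD = re.compile(r"\\Software\\Classes\\[^\\]+\\Shell\\Open\\command", re.I)
MS_SETTINGS_CURVER = re.compile(r"\\Software\\Classes\\ms-settings\\CurVer", re.I)
DEFENDER_EXCL = re.compile(r"\\Windows Defender\\Exclusions\\Paths\\", re.I)
TEMP_SCRIPT = re.compile(r'\\Temp\\[^\\"]+\.(?:bat|cmd|ps1)"?$', re.I)
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe")

# Constructed sample events; the first four are the abuse pattern, the last two are benign.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-111\Software\Classes\ServiceHostXGRT\Shell\Open\command\(Default)",
     "Details": r"C:\Users\victim\AppData\Local\Temp\r.bat", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-111\Software\Classes\ms-settings\CurVer\(Default)",
     "Details": "ServiceHostXGRT", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData",
     "Details": "DWORD (0x00000000)", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\fodhelper.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-111\Software\Classes\.txt\(Default)",
     "Details": "txtfile", "Image": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\fodhelper.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

def classify(ev):
    """Return the names of every rule that fires for a single event dict."""
    hits = []
    target, details = ev.get("TargetObject", ""), ev.get("Details", "")
    image, parent = ev.get("Image", "").lower(), ev.get("ParentImage", "").lower()
    if ev.get("EventID") == 13:
        if PROGID_CMD.search(target) and TEMP_SCRIPT.search(details):
            hits.append("progid_command_to_temp_script")   # handler = script in %TEMP%
        if MS_SETTINGS_CURVER.search(target):
            hits.append("ms_settings_curver_hijack")       # redirects fodhelper's ms-settings lookup
        if DEFENDER_EXCL.search(target) and image.endswith(SCRIPT_HOSTS):
            hits.append("defender_exclusion_by_script_host")
    if ev.get("EventID") == 1 and image.endswith("\\fodhelper.exe") and parent.endswith(SCRIPT_HOSTS):
        hits.append("fodhelper_spawned_by_script_host")
    return hits

def hunt(events):
    """Map event index -> fired rules, omitting events with no hits."""
    results = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results[i] = hits
    return results
```

Any single rule is a weak signal on its own; the same user session producing the ProgID write, the CurVer write and a fodhelper.exe child of PowerShell within a short window is the combination worth alerting on.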

Read more: https://blog.talosintelligence.com/suspected-coralraider-continues-to-expand-victimology-using-three-information-stealers/