Cisco Talos threat intelligence research group has uncovered a sophisticated and ongoing cyber campaign, targeting victims across multiple countries since at least February 2024 with three infostealer malware variants: Cryptbot, LummaC2, and Rhadamanthys.
This malware is designed to harvest sensitive information from victims, including system and browser data, credentials, cryptocurrency wallets, and financial information.
One of the key findings of the campaign suspected to be linked to CoralRaider, a financially motivated threat actor of Vietnamese origin, disclosed by Talos in early April, is the deployment of a new PowerShell command-line argument embedded within LNK files. It is aimed at bypassing antivirus products and facilitating the download of the final payload onto victims' systems. The campaign leverages a Content Delivery Network (CDN) cache domain as a download server, hosting malicious HTA files and payloads.
Talos researchers have identified several tactics, techniques, and procedures (TTPs) employed in this campaign, bearing similarities to CoralRaider's previous Rotbot campaign. These include the use of Windows Shortcut files as the initial attack vector, intermediate PowerShell decryptors and payload download scripts, as well as the FoDHelper technique to bypass User Access Controls (UAC) on victim machines.
Talos has identified multiple command-and-control (C2) domains utilized by the threat actor in this campaign.
The campaign targets various industries and geographies, with victims reported in countries such as the US, Nigeria, Pakistan, Ecuador, Germany, Egypt, the UK, Poland, the Philippines, Norway, Japan, Syria, and Turkey. Telemetry data indicates that affected users also include employees of Japan's computer service call center organizations and civil defense service organizations in Syria.
According to Talos, the campaign's initial access vector appears to be phishing emails with the links leading to ZIP archives containing Windows shortcut (LNK) files. The shortcut files execute PowerShell scripts to fetch the next-stage HTA payload hosted on the CDN cache. Next, a JavaScript code embedded within the payload launches a concealed PowerShell loader, leading to the deployment of one of the three infostealer malware variants.