TLDR:
1. CoralRaider malware campaign spreading info-stealers via CDN cache domains since Feb 2024.
2. Targets across multiple countries and business verticals.
A new ongoing malware campaign has been observed distributing three different stealers, such as CryptBot, LummaC2, and Rhadamanthys hosted on Content Delivery Network (CDN) cache domains since at least February 2024. Cisco Talos has attributed the activity with moderate confidence to a threat actor tracked as CoralRaider, a suspected Vietnamese-origin group that came to light earlier this month. Targets of the campaign span various business verticals across geographies, including the U.S., Nigeria, Pakistan, Ecuador, Germany, Egypt, the U.K., Poland, the Philippines, Norway, Japan, Syria, and Turkey.
Attack chains involve users downloading files masquerading as movie files via a web browser, raising the possibility of a large-scale attack. The stealer malware, regardless of what’s deployed, grabs victims’ information, such as system and browser data, credentials, cryptocurrency wallets, and financial information. What’s notable about the campaign is that it utilizes an updated version of CryptBot that packs in new anti-analysis techniques and also captures password manager application databases and authenticator application information.