Joey Chen is working as a Cyber Threat Researcher for Cisco Talos. His major areas of research include incident response, APT/cybercrime investigation, malware analysis and cryptography analysis. He has been a speaker at HITB, Virus Bulletin, CODEBLUE, DeepIntel, HITCON, AVAR and CYBERSEC conferences. He is now focusing on the security issues of targeted attacks, emerging threats and IoT systems.
In recent findings, Cisco Talos has uncovered a new threat actor, dubbed "CoralRaider," believed to originate from Vietnam and driven by financial motivations. Operating since at least 2023, CoralRaider has targeted victims primarily across Asian and Southeast Asian countries, focusing on the theft of credentials, financial data, and social media accounts, including business and advertisement profiles. The group employs sophisticated tactics, leveraging customized variants of known malware such as RotBot (a modified version of QuasarRAT) and the XClient stealer as primary payloads in their campaigns. Notably, CoralRaider uses the dead drop technique, hosting C2 configuration files on legitimate services, together with uncommon living-off-the-land binaries (LoLBins) such as Windows Forfiles.exe and FoDHelper.exe.
In a recent discovery made by Talos in February 2024, CoralRaider has initiated a new campaign distributing well-known infostealer malware, including Cryptbot, LummaC2, and Rhadamanthys. Employing innovative tactics, the threat actor embeds PowerShell command-line arguments within LNK files to evade antivirus detection and facilitate payload downloads onto victim hosts. Furthermore, the campaign uses Content Delivery Network (CDN) cache domains as download servers for hosting malicious HTA files and payloads, adding another layer of complexity to their operations. Talos assesses with moderate confidence that CoralRaider is behind this campaign, noting overlaps in tactics, techniques, and procedures (TTPs) observed in previous RotBot campaigns. These include the use of Windows Shortcut files as initial attack vectors, intermediate PowerShell decryptors, and FoDHelper techniques to bypass User Account Control (UAC) on victim machines.
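As an added example (not Talos's code or tooling), the script below shows the defender-side check that the LNK technique above calls for: it walks the Shell Link (.lnk) binary layout to the StringData section, extracts the embedded command-line arguments, and flags PowerShell/HTA loader indicators. The sample shortcut bytes, the indicator list and the `build_sample_lnk` fixture are constructed here and are not taken from the campaign.

```python
"""Triage .lnk files for embedded PowerShell arguments (added example, not Talos code):
walk the MS-SHLLINK layout to StringData and flag common loader indicators."""
import re
import struct

HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04  # LinkFlags bits
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE, HEADER_SIZE = 0x40, 0x80, 0x4C  # header is always 76 bytes
# Tokens typical of PowerShell/HTA-based LNK loaders; a hit warrants analyst review.
SUSPICIOUS = re.compile(r"powershell|pwsh|-enc|hidden|bypass|\biex\b|downloadstring|"
                        r"invoke-expression|mshta|\.hta\b", re.I)


def lnk_string_data(data: bytes) -> dict:
    """Return the StringData fields present in a .lnk as {field_name: str}."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]  # LinkFlags sits at offset 20
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (u16) + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) counts the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                     ("icon_location", HAS_ICON_LOCATION)):
        if flags & bit:  # CountCharacters (u16), then that many chars, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return fields


def flag_lnk(data: bytes) -> list:
    """Sorted, lower-cased indicator tokens found in the target path and arguments."""
    fields = lnk_string_data(data)
    text = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
    return sorted({m.lower() for m in SUSPICIOUS.findall(text)})


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed fixture: a minimal Unicode .lnk carrying only RelativePath and Arguments."""
    def enc(s):  # CountCharacters + UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, bytes(16), flags).ljust(HEADER_SIZE, b"\0")
    return header + enc(relative_path) + enc(arguments)
```

Run `flag_lnk` over quarantined shortcuts; a non-empty result for a shortcut that should only open a document is what an analyst triages further.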
This research sheds light on the evolving tactics of CoralRaider and underscores the importance of continuous threat intelligence to combat emerging cyber threats effectively. Understanding the modus operandi of such threat actors is crucial for bolstering defenses and mitigating risks in today’s cybersecurity landscape.
Cisco Talos has discovered a new cyber threat known as "DragonRank." This sophisticated threat actor primarily targets countries in Asia and a select few in Europe, using advanced malware such as PlugX and BadIIS for search engine optimization (SEO) rank manipulation.
DragonRank exploits vulnerabilities in web application services to deploy web shells, which are then used to gather system information and launch malicious payloads. Their arsenal includes the PlugX malware, which employs familiar sideloading techniques and leverages the Windows Structured Exception Handling (SEH) mechanism to ensure seamless and undetected execution. Additionally, they deploy BadIIS malware across compromised IIS servers, running various credential-harvesting utilities.
Our research has confirmed that over 35 IIS servers have been compromised in this campaign, with infections spreading across diverse geographic regions, including Thailand, India, Korea, the Netherlands, and China. Furthermore, Talos has uncovered DragonRank's commercial website, business model, and instant messaging accounts, leading us to assess with medium to high confidence that the group is operated by a Simplified Chinese-speaking actor.
This session will delve into the tactics, techniques, and procedures (TTPs) employed by DragonRank, providing valuable insights into their operations and methods. We will also discuss the implications of this threat and offer guidance on how to bolster defenses against such sophisticated cyber attacks.