April 24, 2024 By Bill Toulas
A threat actor has been using a content delivery network cache to store information-stealing malware in an ongoing campaign targeting systems U.S., the U.K., Germany, and Japan.
Researchers believe that behind the campaign is CoralRaider, a financially motivated threat actor focused on stealing credentials, financial data, and social media accounts.
The hackers deliver LummaC2, Rhadamanthys, and Cryptbot info stealers that are available on underground forums from malware-as-a-service platforms for a subscription fee.
Cisco Talos assesses with moderate confidence that the campaign is a CoralRaider operation, based on similarities in tactics, techniques, and procedures (TTPs) with past attacks attributed to the threat actor.
Hints pointing to CoralRaider include the initial attack vectors, the use of intermediate PowerShell scripts for decryption and payload delivery, and specific methods to bypass User Access Controls (UAC) on victim machines.
Cisco Talos
