Trio of Info-Stealing Malware Targets Organizations Worldwide

A cyber threat campaign distributing three information-stealing malware since at least February 2024 has been reported by Cisco Talos researchers. This campaign, attributed with moderate confidence to a threat actor known as CoralRaider, deploys three malware variants: Cryptbot, LummaC2, and Rhadamanthys. Analysis of this campaign reveals that it spans multiple countries and targets a diverse array of sectors. Cisco Talos has identified affected entities in the United States, United Kingdom, Nigeria, Pakistan, Ecuador, Germany, Egypt, Poland, the Philippines, Norway, Japan, Syria, and Turkey, with "some affected users from Japan’s computer service call center organizations and civil defense service organizations in Syria."

The CoralRaider campaign involves a multi-stage infection chain that begins when a victim downloads a malicious ZIP file containing a compromised Windows shortcut file. This file executes a PowerShell command to download and run an HTA file from a content delivery network (CDN) controlled by the attackers. The attackers utilize "a CDN cache to store the malicious files on their network edge host in this campaign, avoiding request delays. The actor is using the CDN cache as a download server to deceive network defenders." The HTA file contains heavily obfuscated JavaScript, which, upon execution, decrypts and runs an embedded PowerShell script crucial for executing the payload directly into the system’s memory. Evasion techniques include using the native "fodhelper.exe" binary to bypass User Access Controls (UAC), excluding the “ProgramData” folder from Windows Defender, and modifying the HKCU\Software\Classes\ms-settings\shell\open\command registry keys.

CryptBot, first identified in 2019, has been enhanced to more effectively evade security measures, stealing data such as browser credentials, cryptocurrency details, and system screenshots. It employs VMProtect for obfuscation and adapts to extract data across various application versions and file extensions, highlighting its capabilities to access sensitive information from password managers and two-factor authentication systems.LummaC2 and Rhadamanthys further compound the threat landscape.

LummaC2 uses encrypted communications to connect with multiple C2 servers, ensuring operational persistence and resilience. It has expanded its targeting to include Discord credentials. Rhadamanthys achieves stealth through a two-stage Python script for memory-based execution, capable of advanced process injections and potentially executing shellcode. This malware variant integrates its malicious operations within legitimate system processes using a custom loader module, seamlessly blending into normal system activities.