Vietnam-Based Hackers Steal Financial Data Across Asia with Malware


A suspected Vietnamese-origin threat actor has been observed targeting victims in several Asian and Southeast Asian countries with malware designed to harvest valuable data since at least May 2023.

Cisco Talos is tracking the cluster under the name CoralRaider, describing it as financially motivated. Targets of the campaign include India, China, South Korea, Bangladesh, Pakistan, Indonesia, and Vietnam.

“This group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts,” security researchers Chetan Raghuprasad and Joey Chen said. “They use RotBot, a customized variant of Quasar RAT, and XClient stealer as payloads.”

Other commodity malware used by the group comprises a combination of remote access trojans and information stealers such as AsyncRAT, NetSupport RAT, and Rhadamanthys.


The targeting of business and advertisement accounts has been a particular focus for attackers operating out of Vietnam, with various stealer malware families like Ducktail, NodeStealer, and VietCredCare deployed to take control of the accounts for further monetization.

The modus operandi entails the use of Telegram to exfiltrate the stolen information from victim machines, which is then traded in underground markets to generate illicit revenues.

“CoralRaider operators are based in Vietnam, based on the actor messages in their Telegram C2 bot channels and language preference in naming their bots, PDB strings, and other Vietnamese words hard-coded in their payload binaries,” the researchers said.

Attack chains start with a Windows shortcut file (LNK), although there is currently no clear explanation as to how these files are distributed to the targets.

Should the LNK file be opened, an HTML application (HTA) file is downloaded and executed from an attacker-controlled download server, which, in turn, runs an embedded Visual Basic script.

The script, for its part, decrypts and sequentially executes three other PowerShell scripts that are responsible for performing anti-VM and anti-analysis checks, circumventing Windows User Access Control (UAC), disabling Windows and application notifications, and downloading and running RotBot.

RotBot is configured to contact a Telegram bot and retrieve the XClient stealer malware and execute it in memory, ultimately facilitating the theft of cookies, credentials, and financial information from web browsers like Brave, Cốc Cốc, Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera; Discord and Telegram data; and screenshots.

XClient is also engineered to siphon data from victims’ Facebook, Instagram, TikTok and YouTube accounts, gathering details about the payment methods and permissions associated with their Facebook business and ads accounts.

“RotBot is a variant of the Quasar RAT client that the threat actor has customized and compiled for this campaign,” the researchers said. “[XClient] has extensive information-stealing capability through its plugin module and various modules for performing remote administrative tasks.”
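
The chain described above (an HTA fetched from a remote server, PowerShell stages, then a payload that talks to a Telegram bot) can be hunted for in endpoint process and DNS telemetry. The following Python is an added example, not code from Cisco Talos or the original article; the event schema, process names and sample records are constructed, and it assumes HTA files run under mshta.exe and that bot traffic resolves api.telegram.org.

```python
import re

# Constructed events, loosely modelled on Sysmon process-creation and DNS-query
# records; field names and all values are assumptions made for this example.
PROCS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 210, "ppid": 100, "image": "mshta.exe",
     "cmd": "mshta.exe https://download.example.invalid/doc.hta"},
    {"pid": 220, "ppid": 210, "image": "powershell.exe", "cmd": "powershell.exe <constructed>"},
    {"pid": 230, "ppid": 220, "image": "client.exe", "cmd": "client.exe"},
    {"pid": 300, "ppid": 100, "image": "mshta.exe", "cmd": r"mshta.exe C:\Tools\inventory.hta"},
    {"pid": 310, "ppid": 100, "image": "notify.exe", "cmd": "notify.exe"},
]
DNS = [
    {"pid": 230, "query": "api.telegram.org"},   # payload process inside the HTA tree
    {"pid": 310, "query": "api.telegram.org"},   # unrelated process outside the tree
    {"pid": 100, "query": "www.example.com"},
]

TELEGRAM_API = "api.telegram.org"   # host of the public Telegram Bot API
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

def descendants(root_pid, procs):
    """Return every process spawned, directly or indirectly, by root_pid."""
    children = {}
    for p in procs:
        children.setdefault(p["ppid"], []).append(p)
    found, seen, stack = [], {root_pid}, [root_pid]
    while stack:
        for child in children.get(stack.pop(), []):
            if child["pid"] not in seen:          # guard against PID loops in bad data
                seen.add(child["pid"])
                found.append(child)
                stack.append(child["pid"])
    return found

def find_hta_chains(procs, dns):
    """Flag mshta.exe started on a remote URL and record later stages in its tree."""
    findings = []
    for p in procs:
        if p["image"].lower() != "mshta.exe" or not REMOTE_URL.search(p["cmd"]):
            continue
        tree = descendants(p["pid"], procs)
        tree_pids = {d["pid"] for d in tree}
        ps = sorted(d["pid"] for d in tree if d["image"].lower() == "powershell.exe")
        tg = sorted({e["pid"] for e in dns
                     if e["pid"] in tree_pids and e["query"].lower() == TELEGRAM_API})
        findings.append({"mshta_pid": p["pid"], "powershell_pids": ps,
                         "telegram_pids": tg, "stages_seen": 1 + bool(ps) + bool(tg)})
    return findings
```

A finding with `stages_seen` of 3 matches all three observable stages; the locally launched HTA and the Telegram lookup from outside the tree are deliberately not reported.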


The development comes as Bitdefender disclosed details of a malvertising campaign on Facebook that’s taking advantage of the buzz surrounding generative AI tools to push an assortment of information stealers like Rilide, Vidar, IceRAT, and a new entrant known as Nova Stealer.

The starting point of the attack is the threat actor taking over an existing Facebook account and modifying its appearance to mimic well-known AI tools from Google, OpenAI, and Midjourney, and expanding their reach by running sponsored ads on the platform.

One such imposter page masquerading as Midjourney had 1.2 million followers before it was taken down on March 8, 2023. The threat actors managing the page were mainly from Vietnam, the U.S., Indonesia, the U.K., and Australia, among others.

“The malvertising campaigns have tremendous reach through Meta’s sponsored ad system and have actively been targeting European users from Germany, Poland, Italy, France, Belgium, Spain, the Netherlands, Romania, Sweden, and elsewhere,” the Romanian cybersecurity company said.