Threat actors known as CoralRaider have used the Bynny content delivery network (CDN) to distribute infostealers to victims around the world.
Researchers Cisco Talos have revealed who said CoralRaider abused the CDN to hide from security solutions while supplying LummaC2, Rhadamanthys and Cryptobot.
CoralRaider is a financially motivated threat actor targeting endpoints in the US, UK, Germany and Japan. It is based in Vietnam and mostly targets devices in Asia and Southeast Asia. Recently, however, the group has apparently expanded its activities to target victims in the US, Nigeria, Pakistan, Ecuador, Germany, Egypt, Britain, Poland, the Philippines, Norway, Japan, Syria and Turkey. The group’s activities were first noticed in 2003, it added.
Apparently, the group would (most likely) send out phishing emails with an archive attached. This archive allegedly contains a malicious Windows shortcut (.LNK) that in turn contains a PowerShell command that downloads and runs a “heavily obfuscated” HTML application. This app was found on a Bynny subdomain under the attackers’ control.
Stealing credentials
The app comes with JavaScript code for a PowerShell decrypter script that disables certain security features and ultimately deploys one of the three infostealers mentioned above.
Cisco Talos elaborated on the threat, saying the spreading infostealers were relatively new. LummaC2 and Rhadamanthys each have features that were apparently only added last year, while Cryptobot dates back to January this year.
According to BleepingComputerCryptobot is not as popular as LummaC2 or Rhadamanthys, but it is still dangerous, as it infects more than half a million devices per year.
Most of today’s info stealers are after the same information: login credentials for various services, multi-factor authentication (MFA) and one-time passcodes, cryptocurrency wallet details, banking details, and more.