Threat actors known as CoralRaider have been using the Bynny content delivery network (CDN) to distribute infostealers to victims around the world.
Rresearchers Cisco Talos have revealed who said CoralRaider abused the CDN to hide from security solutions, as they delivered LummaC2, Rhadamanthys, and Cryptobot.
CoralRaider is a financially motivated threat actor that targets endpoints in the US, the UK, Germany, and Japan. It is based out of Vietnam, and usually targets devices in Asia and Southeast Asia. However, as of lately, the group seemingly expanded its operations to target victims in the US, Nigeria, Pakistan,Ecuador, Germany, Egypt, the U.K., Poland, the Philippines, Norway, Japan, Syria and Turkey. The group’s activities were first spotted back in 2003, it was added.
Apparently, the group would (most likely) send out phishing emails with an archive attached. This archive would contain a malicious Windows shortcut link (.LNK) which, in turn, carried a PowerShell command that downloads and runs a “heavily obfuscated” HTML application. This app was found on a Bynny subdomain under the attackers’ control.
Stealing login credentials
The app comes with JavaScript code for a PowerShell decrypter script which turns off certain security features and ultimately deploys one of the three above-mentioned infostealers.
Further detailing the threat, Cisco Talos said that the infostealers being distributed were relatively new. LummaC2 and Rhadamanthys each have features which were apparently only added last year, while Cryptobot dates January this year.
According to BleepingComputer, Cryptobot isn’t as popular as LummaC2 or Rhadamanthys, but it’s still dangerous, as it infects more than half a million devices a year.
Most of today’s infostealers go after the same information: login credentials to various services, multi-factor authentication (MFA) and one-time passcodes, cryptocurrency wallet data, banking information, and more.
