CDN network cache hacked to spread malware across the globe
Hackers are targeting companies around the world with infostealers
Threat actors known as CoralRaider have been using the Bynny content delivery network (CDN) to distribute infostealers to victims around the world.
Rresearchers Cisco Talos have revealed who said CoralRaider abused the CDN to hide from security solutions, as they delivered LummaC2, Rhadamanthys, and Cryptobot.
CoralRaider is a financially motivated threat actor that targets endpoints in the US, the UK, Germany, and Japan. It is based out of Vietnam, and usually targets devices in Asia and Southeast Asia. However, as of lately, the group seemingly expanded its operations to target victims in the US, Nigeria, Pakistan,Ecuador, Germany, Egypt, the U.K., Poland, the Philippines, Norway, Japan, Syria and Turkey. The group’s activities were first spotted back in 2003, it was added.
Apparently, the group would (most likely) send out phishing emails with an archive attached. This archive would contain a malicious Windows shortcut link (.LNK) which, in turn, carried a PowerShell command that downloads and runs a “heavily obfuscated” HTML application. This app was found on a Bynny subdomain under the attackers’ control.
Stealing login credentials
The app comes with JavaScript code for a PowerShell decrypter script which turns off certain security features and ultimately deploys one of the three above-mentioned infostealers.
Further detailing the threat, Cisco Talos said that the infostealers being distributed were relatively new. LummaC2 and Rhadamanthys each have features which were apparently only added last year, while Cryptobot dates January this year.
According to BleepingComputer, Cryptobot isn’t as popular as LummaC2 or Rhadamanthys, but it’s still dangerous, as it infects more than half a million devices a year.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Most of today’s infostealers go after the same information: login credentials to various services, multi-factor authentication (MFA) and one-time passcodes, cryptocurrency wallet data, banking information, and more.
More from TechRadar Pro
- North Korean hacking group attacks ScreenConnect flaws to drop dangerous new malware
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.