Full Report
SentinelOne and Beazley Security say the group has been evolving its techniques of late, all with the goal of making money off stolen data. The post ‘Highly evasive’ Vietnamese-speaking hackers stealing data from thousands of victims in 62+ nations appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Undisclosed Vietnamese-Speaking Threat Group (Potentially linked to CoralRaider)
## Attribution & Identity
The actors are characterized as Vietnamese-speaking hackers. Researchers suggest they are a “long-standing actor” that appears to be based out of Vietnam. Previous analysis by Cisco Talos was unsure if they were affiliated with the **CoralRaider** group (which materialized in early 2024) or another Vietnamese-speaking group. Coding clues within the infostealer software confirm the use of the Vietnamese language.
## Activity Summary
The group is conducting a "highly evasive, multi-stage operation" focused on data theft, actively evolving its tradecraft throughout the current year to be more challenging to detect and analyze. Attacks highlighted recently (last month) demonstrated tailored capabilities to bypass antivirus products and mislead SOC analysts. They have infected thousands of victims across 62+ nations since emerging late last year.
## Tactics, Techniques & Procedures
- Highly evasive, multi-stage deployment chains.
- Proven capabilities to bypass antivirus products.
- Techniques designed to mislead security operations center (SOC) analysts.
- Use of the **PaxStealer** infostealer.
- Automation of resale and reuse of stolen data via a subscription-based ecosystem.
## Targeting
- Sectors: Targeting has become wide and indiscriminate/opportunistic, encompassing **corporate and home users**. Previous reports indicated targeting of **governmental and educational organizations** in Europe and Asia.
- Geography: Victims identified in **62+ nations**, most commonly South Korea, the United States, the Netherlands, Hungary, and Austria.
- Victims: Thousands of victims identified, spanning a wide spectrum of ‘user types.’ **No specific organizations** were detailed in this summary.
## Tools & Infrastructure
- Malware families used: **PaxStealer** (an infostealer previously reported on by Cisco Talos).
- Infrastructure: The actors utilize the **Telegram** messaging platform to automate the resale/reuse of stolen data to other cybercriminals.
## Implications
This actor poses a significant financial threat because of its continually refined evasion techniques and its focus on mass data exfiltration. The group automates the monetization of stolen credentials, credit cards, and browser cookies by selling access to other cybercriminals, who use that access for follow-on crimes such as cryptocurrency theft. Its refined tradecraft makes detection challenging.
## Mitigations
- Implement robust endpoint detection and response (EDR) solutions capable of detecting highly evasive processes and fileless techniques.
- Scrutinize network activity for command-and-control communications originating from Telegram or related infrastructure.
- Ensure all security controls (especially AV/EDR) are kept up-to-date to counter known evasion techniques.
- Monitor for indicators related to the **PaxStealer** malware family.
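One way to act on the Telegram item in the list above, as an added example that is not part of the report or either vendor's tooling: scan proxy logs for Telegram Bot API calls (the real `api.telegram.org/bot<token>/<method>` URL shape) and rank them by calling process and API method, so that a non-browser process uploading documents to a bot stands out. The CSV field order, the process allow-list and the sample log lines are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Telegram's Bot API is served at https://api.telegram.org/bot<token>/<method>.
# Loot pushed through a bot normally arrives via sendDocument/sendMessage POSTs.
BOT_API_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)")
UPLOAD_METHODS = {"sendDocument", "sendMessage"}
# Processes for which Telegram traffic is expected (assumed baseline).
EXPECTED = {"chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe"}

@dataclass
class Finding:
    host: str
    process: str
    api_method: str
    bot_id: str      # numeric bot id only; the secret half of the token is dropped
    severity: str

def parse_line(line):
    # Assumed export format: ts,src_host,process,http_verb,dest_host,path
    parts = line.strip().split(",")
    if len(parts) != 6:
        return None
    return dict(zip(("ts", "src", "proc", "verb", "dest", "path"), parts))

def scan(lines):
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["dest"] != "api.telegram.org":
            continue
        m = BOT_API_RE.match(rec["path"])
        if not m:
            continue
        proc, api_method = rec["proc"].lower(), m.group("method")
        if proc not in EXPECTED and api_method in UPLOAD_METHODS and rec["verb"] == "POST":
            sev = "high"      # unexpected process uploading to a bot: exfil pattern
        elif proc not in EXPECTED:
            sev = "medium"    # unexpected process talking to the Bot API at all
        else:
            sev = "low"       # baseline process; keep for context only
        findings.append(Finding(rec["src"], rec["proc"], api_method,
                                m.group("token").split(":")[0], sev))
    return findings

SAMPLE_LOGS = [  # constructed sample lines, not real telemetry
    "2024-01-01T10:00:00Z,WS-12,chrome.exe,GET,api.telegram.org,/bot123456:AAAAtoken/getMe",
    "2024-01-01T10:05:00Z,WS-12,svchost.exe,POST,api.telegram.org,/bot123456:AAAAtoken/sendDocument",
    "2024-01-01T10:06:00Z,WS-07,outlook.exe,GET,mail.example.com,/owa",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f)
```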