CDN network cache hacked to spread malware across the globe

Hackers are targeting companies around the world with infostealers

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Threat actors known as CoralRaider have been using the Bynny content delivery network (CDN) to distribute infostealers to victims around the world.

Rresearchers Cisco Talos have revealed who said CoralRaider abused the CDN to hide from security solutions, as they delivered LummaC2, Rhadamanthys, and Cryptobot.

CoralRaider is a financially motivated threat actor that targets endpoints in the US, the UK, Germany, and Japan. It is based out of Vietnam, and usually targets devices in Asia and Southeast Asia. However, as of lately, the group seemingly expanded its operations to target victims in the US, Nigeria, Pakistan,Ecuador, Germany, Egypt, the U.K., Poland, the Philippines, Norway, Japan, Syria and Turkey. The group’s activities were first spotted back in 2003, it was added.

Apparently, the group would (most likely) send out phishing emails with an archive attached. This archive would contain a malicious Windows shortcut link (.LNK) which, in turn, carried a PowerShell command that downloads and runs a “heavily obfuscated” HTML application. This app was found on a Bynny subdomain under the attackers’ control.

Stealing login credentials

The app comes with JavaScript code for a PowerShell decrypter script which turns off certain security features and ultimately deploys one of the three above-mentioned infostealers.

Further detailing the threat, Cisco Talos said that the infostealers being distributed were relatively new. LummaC2 and Rhadamanthys each have features which were apparently only added last year, while Cryptobot dates January this year.

According toBleepingComputer, Cryptobot isn’t as popular as LummaC2 or Rhadamanthys, but it’s still dangerous, as it infects more than half a million devices a year.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Most of today’s infostealers go after the same information: login credentials to various services, multi-factor authentication (MFA) and one-time passcodes, cryptocurrency wallet data, banking information, and more.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics