The internet is already scary enough without April Fool's jokes

Jonathan Munshaw
April 11, 2024, 6:00 p.m.
blog.talosintelligence.com

Tags: coralraider, vietnam, social media, financial data, malware, lnk files, legitimate services

I feel like over the past several years, the "holiday" that is April Fool's Day has really died down. At this point, there are few headlines you can write that would be more ridiculous than something you'd find on a news site any day of the week.

And there are so many more serious issues that are developing, too, that making a joke about a fake news story is just in bad taste, even if it's in "celebration" of a "holiday."

Thankfully in the security world, I think we've all gotten the hint at this point that we can't just post whatever we want on April 1 of each calendar year and expect people to get the joke. I've put my guard down so much at this point that I actually did legitimately fall for one April Fool's joke from Nintendo, because I could definitely see a world in which they release a Virtual Boy box for the Switch that would allow you to play virtual reality games.

But at least from what I saw on April 1 of this year, no one tried to "get" anyone with an April Fool's joke about a ransomware actor requesting payment in the form of "Fortnite" in-game currency, or an internet-connected household object that in no universe needs to be connected to the internet (which, as it turns out, smart pillows exist!).

We're already dealing with digitally manipulated photos of "Satanic McDonalds," Twitter's AI generating fake news about the solar eclipse, and an upcoming presidential election that is sure to generate a slew of misinformation, AI-generated photos and more that I hesitate to even make up.

So, all that is to say, good on you, security community, for just letting go of April Fool's. Our lives are too stressful without bogus headlines that we, ourselves, generate.

The one big thing

Talos discovered a new threat actor we're calling "CoralRaider" that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries. This group focuses on stealing victims' credentials, financial data, and social media accounts, including business and advertisement accounts. CoralRaider appears to use RotBot, a customized variant of QuasarRAT, and XClient stealer as payloads. The actor uses the dead drop technique, abusing a legitimate service to host the C2 configuration file, and uncommon living-off-the-land binaries (LoLBins), including Windows Forfiles.exe and FoDHelper.exe.
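As an added example (not Talos code) of what a defender can do with the LoLBin detail above: a small process-creation checker that flags Forfiles.exe being used to execute a command and either Forfiles.exe or FoDHelper.exe spawning a script host. The records are constructed Sysmon-style Event ID 1 events; the field names ParentImage, Image and CommandLine are Sysmon's, everything else is assumed.

```python
"""Flag process-creation events involving the LoLBins named in the CoralRaider
write-up (Forfiles.exe, FoDHelper.exe).  Added example, not Talos code; events
below are constructed, not real telemetry."""
import ntpath
from typing import Dict, Iterable, List, Optional

# Neither binary normally hands off to a script interpreter in day-to-day use.
SUSPICIOUS_PARENTS = {"forfiles.exe", "fodhelper.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def _basename(path: str) -> str:
    return ntpath.basename(path).lower()

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a short alert reason, or None when the event looks benign."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    tokens = event.get("CommandLine", "").lower().split()
    if image == "forfiles.exe" and "/c" in tokens:
        return "forfiles.exe used with /c to execute a command"
    if parent in SUSPICIOUS_PARENTS and image in SCRIPT_HOSTS:
        return f"{parent} spawned {image}"
    if parent == "fodhelper.exe":  # any child at all is unusual for it
        return "fodhelper.exe spawned a child process"
    return None

def scan(events: Iterable[Dict[str, str]]) -> List[str]:
    """Run classify() over events; return one 'pid: reason' string per hit."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append(f"{ev.get('ProcessId', '?')}: {reason}")
    return hits

# Constructed sample events (assumed values), not captured telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": "4120", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r'forfiles /p C:\Users\Public /m *.txt /c "cmd /c echo @path"'},
    {"ProcessId": "4133", "ParentImage": r"C:\Windows\System32\forfiles.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c echo file"},
    {"ProcessId": "4150", "ParentImage": r"C:\Windows\System32\fodhelper.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ProcessId": "4201", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Expect some benign administrative use of Forfiles.exe with /c; tune by parent process or user context before alerting on it alone.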

Why do I care?

This is a brand-new actor that we believe is acting out of Vietnam, traditionally not a country that is associated with high-profile state-sponsored actors. CoralRaider appears to be after targets' social media logins, which can later be leveraged to spread scams, misinformation, or all sorts of malicious messages using the victimized account.

So now what?

CoralRaider primarily uses malicious LNK files to spread their malware, though we currently don't know how those files are spread, exactly. Threat actors have started shifting toward using LNK files as an initial infection vector after Microsoft disabled macros by default – macros used to be a primary delivery system. For more on how the info in malicious LNK files can allow defenders to learn more about infection chains, read our previous research here.

Top security headlines of the week

The security community is still reflecting on the "What If" of the XZ backdoor that was discovered and patched before threat actors could exploit it. A single Microsoft developer, who works on a different open-source project, found the backdoor in xz Utils for Linux distributions several weeks ago seemingly by accident, and is now being hailed as a hero by security researchers and professionals. Little is known about the user who had been building the backdoor in the open-source utility for at least two years. Had it been exploited, the vulnerability would have allowed its creator to hijack a user's SSH connection and secretly run their own code on that user's machine. The incident is highlighting networking's reliance on open-source projects, which are often given few resources and usually only maintained as a hobby, for free, by individuals who have no connection to the end users. The original creator of xz Utils worked alone for many years, before they had to open the project because of outside stressors and other work. Government officials have also been alarmed by the near-miss, and are now considering new ways to protect open-source software. (New York Times, Reuters)

AT&T now says that more than 51 million users were affected by a data breach that exposed their personal information on a hacking forum. The cable, internet and cell service provider has still not said how the information was stolen. The incident dates back to 2021, when threat actor ShinyHunters initially offered the data for sale for $1 million. However, that data leaked last month on a hacking forum belonging to an actor known as "MajorNelson." AT&T's notification to affected customers stated that, "The [exposed] information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode." The company has also started filing required formal notifications with U.S. state authorities and regulators. While AT&T initially denied that the data belonged to them, reporters and researchers soon found that the information was related to AT&T and DirecTV (a subsidiary of AT&T) accounts. (BleepingComputer, TechCrunch)

Another ransomware group claims they've stolen data from United HealthCare, though there is little evidence yet to prove their claim. Change Health, a subsidiary of United, was recently hit with a massive data breach, causing millions of dollars of payments to doctors and healthcare facilities to be paused for more than a month. Now, the ransomware gang RansomHub claims it has 4TB of data, requesting an extortion payment from United, or it says it will start selling the data to the highest bidder 12 days from Monday. RansomHub claims the stolen information contains the sensitive data of U.S. military personnel and patients, as well as medical records and financial information. Blackcat initially stated they had stolen the data, but the group quickly deleted the post from their leak site. A person representing RansomHub told Reuters that a disgruntled affiliate of Blackcat gave the data to RansomHub after a previous planned payment fell through. (DarkReading, Reuters)

Can't get enough Talos?

Upcoming events where you can find Talos

Botconf (April 23 - 26)

Nice, Cote d'Azur, France

> This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants.

CARO Workshop 2024 (May 1 - 3)

Arlington, Virginia

> Over the past year, we've observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

RSA (May 6 - 9)

San Francisco, California

Most prevalent malware files from Talos telemetry over the past week

