Russian Coldriver hackers deploy malware to target Western officials


Russian threat group Coldriver has expanded its targeting of Western officials by using malware to steal sensitive data, Google’s Threat Analysis Group (TAG) has revealed.

Coldriver, aka Star Blizzard, is linked to the Russian intelligence service, the FSB. It is known to focus on credential phishing campaigns targeting high-profile NGOs, former intelligence and military officers, and NATO governments for espionage purposes.

In December 2023, the UK’s National Cyber Security Centre (NCSC) said the group was behind a sustained cyber campaign aimed at interfering in UK politics and democratic processes.

More recently, TAG said it has observed Coldriver going beyond credential phishing and delivering malware capable of exfiltrating sensitive information from the target.

How Coldriver transmits malware to Western officials

Coldriver often uses impersonation accounts, posing as an expert in a particular field, to build a relationship with the target before sending a phishing link designed to steal their credentials.

The group sends its targets innocuous-looking PDF documents, often presented as an article that the impersonation account claims to want to publish, and asks for feedback.

When the recipient opens the PDF, they see text that appears to be encrypted.

If they then respond that they can’t read the encrypted document, the impersonator account sends a link to what it claims is a “decryption” utility, usually hosted on a cloud storage site.

When clicked, the decryption utility also displays a decoy document, but it is actually a backdoor called SPICA. This gives the attacker access to the victim’s machine.

TAG believes that SPICA is the first custom malware developed and used by Coldriver. It is written in the Rust language and uses JSON over websockets for command and control (C2).

When executed on a device, SPICA opens a decoy PDF document for the user while establishing persistence in the background and starting the main C2 loop. Persistence is achieved via an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.
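The persistence step above leaves two footprints a defender can look for: a process-creation record in which PowerShell runs an encoded command that in turn creates a scheduled task, and the Windows Security event 4698 (scheduled task created) naming that task. The script below is an added example, not part of the original article or Google TAG's own tooling. It assumes the defender collects Sysmon event 1 and Security event 4698 as JSON lines; the log records it scans are constructed for illustration, and the task action path in the sample is a placeholder, since the article does not give the real command line.

```python
"""Hunt for SPICA-style scheduled-task persistence in JSON-lines Windows telemetry.

Added example for the article above, not the article's or Google TAG's own code.
Assumptions: Sysmon event 1 (process creation) carries "CommandLine"; Windows
Security event 4698 (scheduled task created) carries "TaskName". The sample log
at the bottom is constructed, not real telemetry.
"""
import base64
import json
import re

# Task name reported in the article; extend this set from your own intel.
SUSPECT_TASK_NAMES = {"calendarchecker"}

# PowerShell accepts several abbreviations of -EncodedCommand; the payload is
# base64 of UTF-16LE text. Requiring whitespace after the flag avoids matching
# unrelated switches such as -ep or -ExecutionPolicy.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE
)
TASK_CREATION_MARKERS = ("schtasks", "register-scheduledtask")


def decode_encoded_powershell(cmdline):
    """Return the decoded text of a PowerShell -EncodedCommand payload, or None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event):
    """Return a list of findings for one parsed event (empty list if benign)."""
    findings = []
    event_id = event.get("EventID")
    if event_id == 4698:
        # Security log: scheduled task created. TaskName has a leading backslash.
        task = event.get("TaskName", "")
        if task.strip("\\").lower() in SUSPECT_TASK_NAMES:
            findings.append(
                f"4698 scheduled task {task!r} created by "
                f"{event.get('SubjectUserName', '?')}"
            )
    elif event_id == 1:
        # Sysmon: process creation. See through encoded PowerShell to the real command.
        cmdline = event.get("CommandLine", "")
        decoded = decode_encoded_powershell(cmdline)
        effective = (decoded or cmdline).lower()
        if any(marker in effective for marker in TASK_CREATION_MARKERS):
            for name in SUSPECT_TASK_NAMES:
                if name in effective:
                    via = "encoded PowerShell" if decoded else "command line"
                    findings.append(
                        f"Sysmon 1 task creation naming {name!r} via {via} "
                        f"(pid {event.get('ProcessId', '?')})"
                    )
    return findings


def scan_log(lines):
    """Parse JSON-lines records and return every finding, skipping malformed lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad record should not abort the whole scan
        findings.extend(analyse_event(event))
    return findings


def encode_powershell(ps_text):
    """Encode text the way PowerShell expects for -EncodedCommand (used to build the sample)."""
    return base64.b64encode(ps_text.encode("utf-16-le")).decode("ascii")


# --- constructed sample log; the task action path is a placeholder ---
ENCODED_CREATE_SAMPLE = encode_powershell(
    'schtasks /create /tn CalendarChecker /tr "C:\\PLACEHOLDER\\payload.exe" /sc minute'
)

SAMPLE_LOG = [
    json.dumps({"EventID": 1, "ProcessId": 4120,
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED_CREATE_SAMPLE}"}),
    json.dumps({"EventID": 1, "ProcessId": 4188,
                "Image": "C:\\Windows\\System32\\schtasks.exe",
                "CommandLine": "schtasks /query /fo LIST"}),
    json.dumps({"EventID": 4698, "SubjectUserName": "jsmith", "TaskName": "\\CalendarChecker"}),
    json.dumps({"EventID": 4698, "SubjectUserName": "SYSTEM",
                "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan"}),
    "not json at all",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running the script flags the encoded PowerShell record and the 4698 record, and ignores the benign `schtasks /query` and the Microsoft-owned task. The name-based match is deliberately narrow because it keys on a single report; in production, pair it with the broader rule the code already supports (encoded PowerShell that creates any scheduled task) so that a renamed task still surfaces for review.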

The malware supports a number of commands related to data exfiltration, including:

  • Executing arbitrary shell commands
  • Uploading and downloading files
  • Stealing cookies from Chrome, Firefox, Opera and Edge
  • Browsing the file system and listing its contents
  • Listing documents and exfiltrating them in an archive

TAG said there could be multiple versions of the SPICA backdoor, each with a different embedded decoy document to match the decoy document sent to targets.

Coldriver has been observed deploying SPICA since September 2023. However, TAG estimates that the group’s use of the backdoor dates back to at least November 2022.

Protecting users from SPICA malware

Google has added all known domains and hashes to its Safe Browsing blocklists to disrupt the Coldriver campaign. It gave the following advice to potential targets to defend themselves:

  • Make sure all devices are updated and that Enhanced Safe Browsing is enabled in Chrome.
  • Read the latest research to recognize the tactics and techniques used by groups like Coldriver.

On January 18, 2024, Microsoft detailed a highly sophisticated social engineering campaign carried out by Iran-linked threat actors targeting experts on the Israel-Hamas conflict.
