Russian threat group Coldriver has expanded its targeting of Western officials with the use of malware to steal sensitive data, Google’s Threat Analysis Group (TAG) has revealed.
Coldriver, AKA Star Blizzard, is linked to Russia’s intelligence service, the FSB. It is known to focus on credential phishing campaigns targeting high-profile NGOs, former intelligence and military officers and NATO governments for espionage purposes.
In December 2023, the UK’s National Cyber Security Centre (NCSC) said the group was behind a sustained cyber campaign aimed at interfering in UK politics and democratic processes.
Recently, TAG said it has observed Coldriver go beyond phishing for credentials to delivering malware capable of exfiltrating sensitive information from the target.
How Coldriver Delivers Malware to Western Officials
Coldriver often impersonates accounts, pretending to be an expert in a particular field, to build a rapport with the target before sending a phishing link designed to steal their credentials.
The Russian hackers send targets benign PDF documents, often presented as an article the impersonation account claims to want to publish, requesting feedback.
When the recipient opens the PDF, they see text that appears encrypted.
If they then respond that they cannot read the encrypted document, the impersonation account sends a link to what it claims to be a “decryption” utility, usually hosted on a cloud storage site.
When run, the supposed decryption utility displays a decoy document but is in fact a backdoor called SPICA, which gives the attacker access to the victim’s machine.
TAG believes SPICA is the first custom malware developed and used by Coldriver. It is written in the Rust language and uses JSON over WebSockets for command and control (C2).
Once executed on a device, SPICA opens a decoy PDF document for the user while establishing persistence in the background and starting the main C2 loop. Persistence is achieved via an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.
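As an added defensive example (not code from Google TAG or this article), the following Python check inspects Windows Security Event ID 4698 ("A scheduled task was created") records and flags those whose task name matches CalendarChecker or whose action launches PowerShell with hidden or encoded arguments. The event records are constructed samples, and the argument patterns treated as suspicious are an assumption rather than anything the report specifies.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler task definitions; Event ID 4698 carries the
# task XML in its TaskContent field.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task name reported for SPICA persistence (compared case-insensitively).
KNOWN_TASK_NAMES = {"calendarchecker"}

# Assumed indicators of an encoded or hidden PowerShell launch: -e / -enc /
# -EncodedCommand, FromBase64String, or a hidden window style.
ENCODED_ARGS = re.compile(
    r"(?i)(?:-e(?:nc|ncodedcommand)?\b|frombase64string|-w(?:indowstyle)?\s+hidden)"
)

def task_actions(task_xml):
    """Yield (command, arguments) pairs from every Exec action in the task XML."""
    root = ET.fromstring(task_xml)
    for exe in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (exe.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (exe.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        yield cmd, args

def classify_event(event):
    """Return the reasons a 4698 event resembles SPICA-style persistence ([] if none)."""
    reasons = []
    if event.get("EventID") != 4698:
        return reasons
    leaf = event.get("TaskName", "").strip("\\").lower().rsplit("\\", 1)[-1]
    if leaf in KNOWN_TASK_NAMES:
        reasons.append("task name matches known SPICA task: %s" % event["TaskName"])
    for cmd, args in task_actions(event.get("TaskContent", "<Task/>")):
        if "powershell" in cmd.lower() and ENCODED_ARGS.search(args):
            reasons.append("PowerShell action with hidden/encoded arguments: %s %s" % (cmd, args))
    return reasons

def scan(events):
    """Return [(task_name, reasons)] for every event that was flagged."""
    return [(e.get("TaskName"), classify_event(e)) for e in events if classify_event(e)]

TASK_XML = '<Task xmlns="%s"><Actions><Exec><Command>%s</Command><Arguments>%s</Arguments></Exec></Actions></Task>'

# Constructed sample events mirroring the 4698 fields; the base64 is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\CalendarChecker",
     "TaskContent": TASK_XML % (TASK_NS["t"], "powershell.exe", "-w hidden -enc QQBBAEEAQQA=")},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": TASK_XML % (TASK_NS["t"], "%windir%\\system32\\defrag.exe", "-c -h -o")},
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```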
The malware is able to support a number of commands relating to data exfiltration, including:
- Executing arbitrary shell commands
- Uploading and downloading files
- Stealing cookies from Chrome, Firefox, Opera and Edge
- Listing the contents of the filesystem
- Enumerating documents and exfiltrating them in an archive
TAG said there may be multiple versions of the SPICA backdoor, each with a different embedded decoy document to match the lure document sent to targets.
Coldriver has been observed deploying SPICA since September 2023. However, TAG believes the group’s use of the backdoor goes back to at least November 2022.
Protecting Users Against SPICA Malware
Google has added all known domains and hashes to its Safe Browsing blocklists to disrupt the Coldriver campaign. It gave the following advice to potential targets to defend themselves:
- Ensure all devices are updated and have enabled the Enhanced Safe Browsing tool for the Chrome browser
- Read the latest research to recognize the tactics and techniques used by groups such as Coldriver
On January 18, 2024, Microsoft detailed a highly sophisticated social engineering campaign by Iran-linked threat actors targeting experts on the Israel-Hamas conflict.