Russian hacker Coldriver extends tactics to include custom malware

Russian state-sponsored actor Coldriver, known for using spearphishing attacks on high-profile government accounts in Western countries for cyberespionage, has evolved tacts to include custom malware in its campaigns, according to a Google Threat Analysis Group (TAG) report.

Also tracked as UNC4057, Star Blizzard, Blue Charlie, and Callisto, the Russian-backed advanced persistent threat (APT) has been found using a custom backdoor “SPICA” on victim systems to steal information, execute arbitrary commands, and establish persistence.

“Recently, TAG has observed Coldriver continue its evolution by going beyond phishing for credentials, to delivering malware via campaigns using PDFs as lure documents,” said TAG in the report. “TAG has disrupted the following campaign by adding all known domains and hashes to Safe Browsing blocklists.”

Coldriver is popularly known for its credential phishing activities against high-profile individuals in NGOs, former intelligence and military officers, and NATO governments, focused mainly on the US and UK.

PDF lure used for malware delivery

In its latest campaign, Coldriver has been observed using impersonation accounts to deliver an encrypted PDF file to the target systems, acting as a lure to initiate infection.

“As far back as November 2022, TAG has observed Coldriver sending targets benign PDF documents from impersonation accounts,” TAG said. “Coldriver presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target.”

When the user tries opening the PDF, the content appears to be encrypted text. If the target reaches out for decryption, he is presented with a link, usually hosted on a cloud storage site, to a “decryption” utility. The utility, along with displaying a decoy “decrypted” document, is the SPICA backdoor in stealth.

While Coldriver has used a malware before, SPICA is the first custom malware attributed to it. “In 2015 and 2016, TAG observed Coldriver using the Scout implant that was leaked during the Hacking Team incident of July 2015.”

SPICA is a multifaceted backdoor

TAG’s analysis of SPICA binary revealed that it’s written in RUST, a low-level programming language used for building operating systems, kernels, and device drivers. The binary uses JavaScript Object Notation (JSON), a text-based data interchange format, over websockets for command and control (C2).

“Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user,” TAG added. “In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute.”

SPICA supports a number of commands for varied attacks which include, arbitrary shell commands, uploads and downloads, stealing cookies from Chrome, Firefox, Opera, and Edge, and enumerate documents and exfiltrating them in an archive. There is also a “Telegram” command TAG noticed but couldn’t further analyze its specific functionality.

SPICA establishes persistence by creating a scheduled task named CalendarChecker, using an obfuscated PowerShell command. For user awareness, TAG has shared indicators of compromise (IOCs) which included hashes of observed pdf documents, some SPICA instances, and observed C2 domain.


Go to Source