COLDRIVER [1] [3] [5], a Russia-backed advanced persistent threat (APT) group [4], has recently evolved their tactics by developing custom malware called “Spica.” This marks a significant shift from their previous focus on phishing emails for credential harvesting.

Description

The new campaign, known as Coldriver, begins with the attackers creating impersonation accounts to build trust with the target [2]. Instead of phishing emails [2], the hackers now send victims a malware-laden file. Spica [4], written in the Rust programming language [1] [2] [3] [4] [5], is the first known example of custom malware developed by the hacking group [2].

The attack chains utilize PDFs as decoy documents [3] [5], which are sent from the impersonation accounts [2] [3]. When victims attempt to open the PDF file [2], they are greeted with an encrypted text snippet [2]. If they request an unencrypted copy [2], they are given a link to a cloud-hosted “decryption utility” that is actually a backdoor named SPICA [2] [3]. This grants COLDRIVER covert access to the victim’s machine [3].

Once SPICA infects a user’s computer [2], it runs a PowerShell script that establishes persistence and starts the main command and control loop. The malware communicates with remote command and control servers using the WebSockets networking protocol and sends data in JSON format [2]. Microsoft has identified the group's use of server-side scripts to prevent automated scanning and determine targets of interest [3].
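
As an added illustration (not code from Google TAG or any of the cited reports), the behaviour chain described above can be written as a hunt over endpoint telemetry: a non-browser executable running from a user-writable path that both spawns PowerShell and opens a WebSocket. The event schema, field names, file names and hosts below are constructed assumptions.

```python
import ntpath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")
SHELLS = {"powershell.exe", "pwsh.exe"}

# Constructed sample events in a hypothetical, simplified EDR schema.
EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 880,
     "image": r"C:\Users\alice\Downloads\decrypt_tool.exe"},
    {"type": "process", "pid": 4188, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "http", "pid": 4100, "host": "c2.example.invalid",
     "headers": {"Upgrade": "websocket", "Connection": "Upgrade"}},
    {"type": "process", "pid": 5200, "ppid": 880,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "http", "pid": 5200, "host": "chat.example.invalid",
     "headers": {"Upgrade": "websocket", "Connection": "Upgrade"}},
    {"type": "process", "pid": 6300, "ppid": 880,
     "image": r"C:\Users\bob\Downloads\setup.exe"},
    {"type": "process", "pid": 6310, "ppid": 6300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

def is_ws_upgrade(headers):
    """True when the request asks to switch protocols to WebSocket (RFC 6455)."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    return h.get("upgrade") == "websocket" and "upgrade" in h.get("connection", "")

def hunt(events):
    """Flag user-path, non-browser processes that spawned PowerShell and opened a WebSocket."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    spawned_shell = {e["ppid"] for e in procs.values()
                     if ntpath.basename(e["image"]).lower() in SHELLS}
    ws_hosts = {}
    for e in events:
        if e["type"] == "http" and is_ws_upgrade(e["headers"]):
            ws_hosts.setdefault(e["pid"], set()).add(e["host"])
    findings = []
    for pid in sorted(spawned_shell & set(ws_hosts)):
        image = procs.get(pid, {}).get("image", "")
        name = ntpath.basename(image).lower()
        if name not in BROWSERS and any(p in image.lower() for p in USER_WRITABLE):
            findings.append({"pid": pid, "image": image, "hosts": sorted(ws_hosts[pid])})
    return findings

if __name__ == "__main__":
    print(hunt(EVENTS))
```

Neither signal is sufficient alone: the browser's WebSocket and the installer that only spawns PowerShell are both left unflagged, and only the process showing both behaviours is reported.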

Google TAG has discovered that COLDRIVER has been using benign PDF documents since November 2022 to entice targets [3]. The PDFs appear encrypted [3], and if the recipient responds stating they cannot read the document [3], they are provided with a link to a purported decryption tool [3]. However, this tool is actually a backdoor named SPICA [3], which grants COLDRIVER covert access to the machine [3]. SPICA uses JSON over WebSockets for command-and-control [3], allowing the execution of shell commands [3], theft of cookies [3], file uploading and downloading [3], and file enumeration and exfiltration [3].

Google believes that COLDRIVER has been using this malware since at least November 2022 and has created multiple versions of the file [2]. Google TAG has taken steps to disrupt the campaign by adding associated websites [3], domains [3], and files to Safe Browsing blocklists [3]. Additionally, the UK and US governments have sanctioned two Russian members of COLDRIVER for their involvement in spear-phishing operations [3]. French cybersecurity firm Sekoia has linked one of the sanctioned individuals to known infrastructure used by the group [3].

Conclusion

The development of custom malware by COLDRIVER represents a significant evolution in their tactics, moving away from phishing emails towards more sophisticated methods. The use of encrypted PDFs and the backdoor SPICA demonstrate their increasing capabilities. Mitigation efforts by Google TAG and government sanctions are important steps in disrupting their operations. However, the fact that COLDRIVER is believed to contribute to Russian intelligence efforts raises concerns, especially as election season approaches. Vigilance and continued efforts to counter these threats are crucial for maintaining cybersecurity.

References

[1] https://www.linkedin.com/posts/wdevaultnew-docker-malware-steals-cpu-for-crypto-activity-7153795388661993472-Rgef
[2] https://siliconangle.com/2024/01/18/google-disrupts-malware-campaign-run-russia-linked-hacking-group/
[3] https://thehackernews.com/2024/01/russian-coldriver-hackers-expand-beyond.html
[4] https://www.darkreading.com/ics-ot-security/russia-coldriver-apt-unleashes-custom-spica-malware
[5] https://www.linkedin.com/posts/wdevaultmfa-spamming-and-fatigue-when-security-measures-activity-7153733605561659394-WN10