Russian COLDRIVER hackers go beyond phishing with custom malware

The Russia-linked threat actor known as COLDRIVER has been observed evolving its tradecraft beyond credential harvesting to deliver its first-ever custom malware, written in the Rust programming language.

Google’s Threat Analysis Group (TAG), which shared data of the latest activity, said the attack chains use PDFs as decoy documents to trigger the infection sequence. The lures are shipped from impersonator accounts.

COLDRIVER, also known as Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), Gossamer Bear, Star Blizzard (formerly SEABORGIUM), TA446 and UNC4057, has been active since 2019 and focuses on a broad range of sectors.

This includes academia, defense, government organizations, NGOs, think tanks, political organizations and, most recently, defense industrial targets and energy facilities.

“Targets in Britain and the US appear to have been most affected by Star Blizzard’s activities, but activity has also been observed against targets in other NATO countries and countries neighboring Russia,” the US government announced last month.

Spear-phishing campaigns initiated by the group are designed to establish rapport and build trust with potential victims, with the ultimate goal of sharing fake login pages to obtain their credentials and gain access to their accounts.

Microsoft, in an analysis of COLDRIVER tactics, cited the use of server-side scripts to prevent automatic scanning of actor-controlled infrastructure and identify targets of interest before redirecting them to phishing landing pages.

Google TAG’s latest findings reveal that as early as November 2022, the threat actor has been using benign PDF documents as a starting point to trick targets into opening the files.

“COLDRIVER presents these documents as a new op-ed or other type of article that the impersonation account wants to publish, asking for feedback from the target,” the tech giant said. “When the user opens the benign PDF, the text appears encrypted.”

If the recipient responds to the message saying they cannot read the document, the threat actor replies with a link to a so-called decryption tool (“Proton-decrypter.exe”) hosted on a cloud storage service.

The choice of the name “Proton-decrypter.exe” is notable because Microsoft had previously revealed that the adversary mainly uses Proton Drive to send the PDF lures via the phishing messages.

In reality, the decryptor is a backdoor called SPICA that grants COLDRIVER secret access to the machine while simultaneously displaying a decoy document to maintain the ruse.

Previous findings from WithSecure (formerly F-Secure) have shown that the threat actor used a lightweight backdoor called Scout, a malware tool from the HackingTeam Remote Control System (RCS) Galileo hacking platform, as part of phishing campaigns observed in early 2016.

Scout is “intended to be used as an initial reconnaissance tool to collect basic system information and screenshots from a compromised computer, and to enable the installation of additional malware,” the Finnish cybersecurity company noted at the time.

SPICA, the first custom malware developed and deployed by COLDRIVER, uses JSON over WebSockets for command-and-control (C2), allowing execution of arbitrary shell commands, theft of cookies from web browsers, uploading and downloading of files, and enumeration and exfiltration of files. Persistence is achieved through a scheduled task.

“Once executed, SPICA decrypts an embedded PDF, writes it to disk, and opens it as a lure to the user,” according to Google TAG. “In the background, it provides persistence and starts the main C2 loop, waiting for commands to execute.”
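The behaviour described above (a lure binary named like a decryptor, run from a user-writable folder, that then registers a scheduled task and beacons out) can be expressed as a simple host-telemetry correlation. The following is an added example written for this article, not Google TAG's or any vendor's detection logic; the events are constructed Sysmon-style records with assumed field names, not real telemetry.

```python
import re
from collections import defaultdict

# Constructed events (assumed field names). id 1 mimics a process-create record,
# id 3 a network-connect record, as a defender would pull them from Sysmon.
EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 3300,
     "image": r"C:\Users\alice\Downloads\Proton-decrypter.exe",
     "cmdline": r'"C:\Users\alice\Downloads\Proton-decrypter.exe"'},
    {"id": 1, "pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn "Updater" /tr C:\Users\alice\AppData\Local\run.exe /f'},
    {"id": 3, "pid": 4120, "dest": "203.0.113.10", "dport": 443},
    # Benign control: a PDF reader opened normally from Program Files.
    {"id": 1, "pid": 5000, "ppid": 3300,
     "image": r"C:\Program Files\Acrobat\Acrobat.exe",
     "cmdline": r'"C:\Program Files\Acrobat\Acrobat.exe" C:\Users\alice\Downloads\op-ed.pdf'},
]

# Lure binaries are named as "decrypters"; SPICA's was Proton-decrypter.exe.
LURE_NAME = re.compile(r"decrypt(er|or)\.exe$", re.IGNORECASE)
# Only care about executables launched from user-writable download/temp folders.
USER_DIR = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)
# Persistence via scheduled task, as the article describes for SPICA.
TASK_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)


def find_spica_like_chains(events):
    """Return {pid: evidence} for lure 'decrypter' processes that both create a
    scheduled task (child schtasks /create) and open an outbound connection."""
    suspects = {e["pid"] for e in events
                if e["id"] == 1 and LURE_NAME.search(e["image"]) and USER_DIR.search(e["image"])}
    evidence = defaultdict(set)
    for e in events:
        if e["id"] == 1 and e["ppid"] in suspects and TASK_CREATE.search(e["cmdline"]):
            evidence[e["ppid"]].add("scheduled_task")
        if e["id"] == 3 and e["pid"] in suspects:
            evidence[e["pid"]].add("network")
    # Require both behaviours before alerting to keep false positives down.
    return {pid: sorted(ev) for pid, ev in evidence.items()
            if {"scheduled_task", "network"} <= ev}


if __name__ == "__main__":
    for pid, ev in find_spica_like_chains(EVENTS).items():
        print(f"ALERT pid={pid} evidence={ev}")
```

A real deployment would key on the full parent/child tree and the WebSocket upgrade on the wire rather than a bare connect event, but the correlation shape is the same.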

Evidence points to nation-state use of the implant dating back to November 2022, with Google TAG aware of multiple variants of the ‘encrypted’ PDF decoy, indicating that there could be several versions of SPICA, each matched to the decoy document sent to targets.

As part of its efforts to disrupt the campaign and prevent further exploitation, Google TAG said it has added all known websites, domains and files associated with the hackers to Safe Browsing Blocklists.

The development comes more than a month after the British and US governments sanctioned two Russian members of COLDRIVER, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, for their involvement in conducting spear-phishing operations.

French cybersecurity firm Sekoia has since published links between Korinets and the known infrastructure used by the group, which includes dozens of phishing domains and multiple servers.

“Calisto contributes to the efforts of Russian intelligence services to support Moscow’s strategic interests,” the company said. “It looks like domain registration was one of [Korinets’] key skills, which are plausibly used by Russian intelligence, either directly or through a contractual relationship.”
