    Tech Empire Solutions
    Russian COLDRIVER hackers use customized malware to expand phishing reach

    By techempire

    The Russia-linked threat actor known as COLDRIVER has been observed evolving its tradecraft beyond credential harvesting to deliver its first-ever custom malware, written in the Rust programming language.

    Google’s Threat Analysis Group (TAG) shared details of the latest campaign, saying the attack chain uses PDF documents as decoy files to trigger the infection sequence. The lures are sent from impersonation accounts.

    COLDRIVER, also known as Blue Callisto, BlueCharlie (or TAG-53), Calisto (also spelled Callisto), Gossamer Bear, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is known to have been active since 2019 and targets a wide range of sectors.

    This includes academia, defence, government organizations, NGOs, think tanks, political groups, and most recently defense industry targets and energy facilities.


    The U.S. government revealed last month that “targets in the United Kingdom and the United States appear to be most affected by Star Blizzard activity, but activity has also been observed at targets in other NATO countries and Russia’s neighboring countries.”

    The group’s spear phishing campaigns are designed to engage and build trust with potential victims, with the ultimate goal of sharing a fake login page to harvest their credentials and gain access to their accounts.

    Microsoft noted in its analysis of COLDRIVER’s tactics that the group uses server-side scripts to prevent automated scanning of attacker-controlled infrastructure and to identify targets of interest, who are then redirected to phishing landing pages.

    The latest findings from Google TAG show that threat actors have been using benign PDF files as a starting point as early as November 2022 to trick targets into opening the files.

    “COLDRIVER presents these files as new columns or other types of articles that the impersonating account wishes to publish, asking the target for feedback,” the tech giant said. “When the user opens the benign PDF, the text appears encrypted.”

    If the recipient replies that they cannot read the document, the threat actor replies with a link to a so-called decryption tool (“Proton-decrypter.exe”) hosted on a cloud storage service.

    The choice of the name “Proton-decrypter.exe” is noteworthy because Microsoft has previously revealed that adversaries mainly use Proton Drive to send PDF bait through phishing messages.

    In reality, the “decryptor” is a backdoor called SPICA, which grants COLDRIVER covert access to the machine while displaying a decoy document to maintain the ruse.

    Previous findings from WithSecure (formerly F-Secure) revealed that the threat actor used a lightweight backdoor called Scout, a malware tool from the HackingTeam Remote Control System (RCS) Galileo hacking platform, as part of a phishing campaign observed in early 2016.

    The Finnish cybersecurity company noted at the time that Scout was “intended to be used as an initial reconnaissance tool, collecting basic system information and screenshots from infected computers and allowing the installation of additional malware.”

    SPICA is the first custom malware developed and used by COLDRIVER. It uses JSON over WebSockets for command and control (C2), enabling it to execute arbitrary shell commands, steal cookies from web browsers, upload and download files, and enumerate and exfiltrate documents. Persistence is achieved through a scheduled task.

    “Once executed, SPICA decodes the embedded PDF, writes it to disk, and then opens it as a decoy for the user,” Google TAG said. “In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute.”
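    As an added illustration (not code from Google TAG’s report or from this article), the Python below correlates constructed Sysmon-style events into the behaviour chain described above: a downloaded “decryptor” that writes a PDF decoy, registers a scheduled task, and then opens an outbound connection. The event field names and all sample values are assumptions.

```python
import json

# Constructed Sysmon-style JSON events (not real telemetry): a downloaded
# "decryptor" drops a PDF, spawns schtasks to persist, then connects out,
# next to a benign PDF reader that also writes a PDF and connects out.
SAMPLE_EVENTS = r"""
{"id": 1, "pid": 4100, "image": "C:\\Users\\a\\Downloads\\Proton-decrypter.exe"}
{"id": 11, "pid": 4100, "target": "C:\\Users\\a\\AppData\\Local\\Temp\\article.pdf"}
{"id": 1, "pid": 4130, "ppid": 4100, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /create /sc minute /tn Updater /tr C:\\Users\\a\\Downloads\\Proton-decrypter.exe"}
{"id": 3, "pid": 4100, "dest": "203.0.113.10", "port": 443}
{"id": 1, "pid": 5200, "image": "C:\\Program Files\\Reader\\reader.exe"}
{"id": 11, "pid": 5200, "target": "C:\\Users\\a\\Documents\\notes.pdf"}
{"id": 3, "pid": 5200, "dest": "198.51.100.7", "port": 443}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_decoy_persistence_chains(events):
    """Return processes that did all three of: write a .pdf (Sysmon 11),
    spawn 'schtasks /create' as a child (Sysmon 1), and open an outbound
    connection (Sysmon 3). Requiring all three stages keeps an ordinary PDF
    viewer, which writes PDFs and talks to the network, from matching."""
    image_by_pid = {}
    wrote_pdf, registered_task, connected = set(), set(), set()
    for ev in events:
        if ev["id"] == 1:
            image_by_pid[ev["pid"]] = ev["image"]
            if ev["image"].lower().endswith("schtasks.exe") and "/create" in ev.get("cmdline", "").lower():
                registered_task.add(ev.get("ppid"))  # the parent is the persisting process
        elif ev["id"] == 11 and ev.get("target", "").lower().endswith(".pdf"):
            wrote_pdf.add(ev["pid"])
        elif ev["id"] == 3:
            connected.add(ev["pid"])
    hits = wrote_pdf & registered_task & connected
    return [{"pid": pid, "image": image_by_pid.get(pid, "?")} for pid in sorted(hits)]


def detect(text=SAMPLE_EVENTS):
    return find_decoy_persistence_chains(parse_events(text))


if __name__ == "__main__":
    for hit in detect():
        print(f"decoy/persistence/C2 chain from pid {hit['pid']}: {hit['image']}")
```

    In a real deployment the same three-stage join would run over Sysmon or EDR telemetry keyed by process GUID rather than PID, and the schtasks check would be extended to task-creation events from the Task Scheduler log.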


    There is evidence that the nation-state actor has used the implant since as early as November 2022, with multiple variations of the “encrypted” PDF decoy observed, suggesting there may be different versions of SPICA matched to the decoy file sent to each target.

    Google TAG said that, as part of its efforts to disrupt the campaign and prevent further exploitation, it has added all known websites, domains and files associated with the threat actor to its Safe Browsing block list.

    A month ago, the UK and US governments imposed sanctions on two Russian members of COLDRIVER, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, for their involvement in spear phishing campaigns.

    French cybersecurity firm Sekoia has since disclosed links between Korinets and known infrastructure used by the group, including dozens of phishing domains and multiple servers.

    “Callisto has contributed to Russian intelligence efforts in support of Moscow’s strategic interests,” the company said. “It appears that domain registration is one of [Korinets’] key skills that Russian intelligence services may use directly or through contractor relationships.”
