The Russia-linked threat actor known as COLDRIVER has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language.
Google’s Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence. The lures are sent from impersonation accounts.
COLDRIVER, also known by the names Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), Dancing Salome, Gossamer Bear, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is known to be active since 2019, targeting a wide range of sectors.
This includes academia, defense, governmental organizations, NGOs, think tanks, political outfits, and, recently, defense-industrial targets and energy facilities.
“Targets in the U.K. and U.S. appear to have been most affected by Star Blizzard activity, however activity has also been observed against targets in other NATO countries, and countries neighboring Russia,” the U.S. government disclosed last month.
Spear-phishing campaigns mounted by the group are designed to engage and build trust with the prospective victims with the ultimate goal of sharing bogus sign-in pages in order to harvest their credentials and gain access to the accounts.
Microsoft, in an analysis of the COLDRIVER’s tactics, called out its use of server-side scripts to prevent automated scanning of the actor-controlled infrastructure and determine targets of interest, before redirecting them to the phishing landing pages.
The latest findings from Google TAG show that the threat actor has been using benign PDF documents as a starting point as far back as November 2022 to entice the targets into opening the files.
“COLDRIVER presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target,” the tech giant said. “When the user opens the benign PDF, the text appears encrypted.”
In the event the recipient responds to the message stating they cannot read the document, the threat actor responds with a link to a purported decryption tool (“Proton-decrypter.exe”) hosted on a cloud storage service.
The choice of the name “Proton-decrypter.exe” is notable because Microsoft had previously revealed that the adversary predominantly uses Proton Drive to send the PDF lures through the phishing messages.
Google TAG researchers told The Hacker News that the PDF document employed in the attack was hosted on Proton Drive and that the attackers say the tool is used to decrypt the file hosted on the cloud platform.
In reality, the decryptor is a backdoor named SPICA that grants COLDRIVER covert access to the machine, while simultaneously displaying a decoy document to keep up the ruse.
Prior findings from WithSecure (formerly F-Secure) have revealed the threat actor’s use of a lightweight backdoor called Scout, a malware tool from the HackingTeam Remote Control System (RCS) Galileo hacking platform, as part of phishing campaigns observed in early 2016.
Scout is “intended to be used as an initial reconnaissance tool to gather basic system information and screenshots from a compromised computer, as well as enable the installation of additional malware,” the Finnish cybersecurity company noted at the time.
SPICA, which is the first custom malware developed and used by COLDRIVER, uses JSON over WebSockets for command-and-control (C2), facilitating the execution of arbitrary shell commands, theft of cookies from web browsers, uploading and downloading files, and enumerating and exfiltrating files. Persistence is achieved by means of a scheduled task.
“Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user,” Google TAG said. “In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute.”
There is evidence to suggest that the nation-state actor’s use of the implant goes back to November 2022, with the cybersecurity arm multiple variants of the “encrypted” PDF lure, indicating that there could be different versions of SPICA to to match the lure document sent to targets.
As part of its efforts to disrupt the campaign and prevent further exploitation, Google TAG said it added all known websites, domains, and files associated with the hacking crew to Safe Browsing blocklists.
Google said it does not have visibility into the number of victims who were successfully compromised with SPICA, but suspects it was only used in “very limited, targeted attacks,” adding there has been a focus on “high profile individuals in NGOs, former intelligence and military officials, defense, and NATO governments.”
The development comes over a month after the U.K. and the U.S. governments sanctioned two Russian members of COLDRIVER, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, for their involvement in conducting the spear-phishing operations.
French cybersecurity firm Sekoia has since publicized links between Korinets and known infrastructure used by the group, which comprises dozens of phishing domains and multiple servers.
“Calisto contributes to Russian intelligence efforts to support Moscow’s strategic interests,” the company said. “It seems that domain registration was one of [Korinets’] main skills, plausibly used by Russian intelligence, either directly or through a contractor relationship.”