Russian hacker Coldriver extends tactics to include custom malware

Russian state-sponsored actor Coldriver, known for spearphishing high-profile government accounts in Western countries for cyberespionage, has evolved its tactics to include custom malware in its campaigns, according to a Google Threat Analysis Group (TAG) report.

Also tracked as UNC4057, Star Blizzard, Blue Charlie, and Callisto, the Russian-backed advanced persistent threat (APT) has been found using a custom backdoor “SPICA” on victim systems to steal information, execute arbitrary commands, and establish persistence.

“Recently, TAG has observed Coldriver continue its evolution by going beyond phishing for credentials, to delivering malware via campaigns using PDFs as lure documents,” said TAG in the report. “TAG has disrupted the following campaign by adding all known domains and hashes to Safe Browsing blocklists.”

Coldriver is popularly known for its credential phishing activities against high-profile individuals in NGOs, former intelligence and military officers, and NATO governments, focused mainly on the US and UK.

PDF lure used for malware delivery

In its latest campaign, Coldriver has been observed using impersonation accounts to deliver an encrypted PDF file to the target systems, acting as a lure to initiate infection.

“As far back as November 2022, TAG has observed Coldriver sending targets benign PDF documents from impersonation accounts,” TAG said. “Coldriver presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target.”

When the user tries to open the PDF, the content appears to be encrypted text. If the target reaches out for help decrypting it, they are sent a link, usually hosted on a cloud storage site, to a “decryption” utility. That utility displays a decoy “decrypted” document while actually being the SPICA backdoor.

While Coldriver has used malware before, SPICA is the first custom malware attributed to it. “In 2015 and 2016, TAG observed Coldriver using the Scout implant that was leaked during the Hacking Team incident of July 2015.”

SPICA is a multifaceted backdoor

TAG’s analysis of the SPICA binary revealed that it is written in Rust, a low-level programming language also used for building operating systems, kernels, and device drivers. The binary uses JavaScript Object Notation (JSON), a text-based data interchange format, over WebSockets for command and control (C2).

“Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user,” TAG added. “In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute.”

SPICA supports a number of commands, including executing arbitrary shell commands, uploading and downloading files, stealing cookies from Chrome, Firefox, Opera, and Edge, and enumerating documents and exfiltrating them in an archive. TAG also noticed a “Telegram” command but could not determine its specific functionality.

SPICA establishes persistence by creating a scheduled task named CalendarChecker, using an obfuscated PowerShell command. To support defenders, TAG has shared indicators of compromise (IOCs), including hashes of the observed PDF documents and some SPICA instances, and the observed C2 domain.
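The persistence detail above is the kind of artifact a blue team can hunt for: Windows logs scheduled-task creation as Security event 4698, which carries the task name and the Task Scheduler XML defining its action. The following triage script is an added example, not code from TAG or from the report; it parses a few constructed 4698-style records, flags a task whose name matches the reported CalendarChecker name, and decodes any PowerShell `-EncodedCommand` argument (base64 of UTF-16LE) so an analyst can read the obfuscated command. The encoded payload in the sample is a hypothetical placeholder, since the page does not give Coldriver's actual PowerShell command, and the sample task names other than CalendarChecker are invented.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample records shaped like Windows Security event 4698
# ("A scheduled task was created"): the task name plus the Task Scheduler
# XML the event embeds. Only the CalendarChecker name comes from the
# report; every other value here is made up for the example.

def encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand expects base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def task_xml(command: str, arguments: str) -> str:
    """Minimal Task Scheduler XML with a single Exec action."""
    return (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Actions><Exec>"
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )

SAMPLE_EVENTS = [
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": task_xml(r"%windir%\system32\defrag.exe", "-c -h -o -$")},
    # Hypothetical placeholder payload; the real command is not on the page.
    {"TaskName": r"\CalendarChecker",
     "TaskContent": task_xml("powershell.exe", "-NoP -W Hidden -Enc "
                             + encode_ps(r"Start-Process 'C:\Users\Public\placeholder.exe'"))},
    {"TaskName": r"\Backup\NightlyReport",
     "TaskContent": task_xml("powershell.exe", "-File C:\\Scripts\\report.ps1")},
]

# Task name reported by TAG for SPICA persistence (compared case-insensitively).
KNOWN_TASK_NAMES = {"calendarchecker"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)", re.I)

def _local(tag: str) -> str:
    """Strip the XML namespace so tags can be matched by local name."""
    return tag.rsplit("}", 1)[-1]

def extract_action(task_content: str):
    """Return (Command, Arguments) of the task's Exec action."""
    root = ET.fromstring(task_content)
    command = arguments = ""
    for el in root.iter():
        name = _local(el.tag)
        if name == "Command":
            command = (el.text or "").strip()
        elif name == "Arguments":
            arguments = (el.text or "").strip()
    return command, arguments

def decode_encoded_command(arguments: str):
    """Decode the value following an -EncodedCommand flag, or None if absent/invalid."""
    tokens = arguments.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENCODED_FLAG.fullmatch(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def triage_event(event: dict) -> list:
    """Return the reasons an event looks suspicious (empty list if none)."""
    reasons = []
    name = event["TaskName"].rsplit("\\", 1)[-1]
    if name.lower() in KNOWN_TASK_NAMES:
        reasons.append(f"task name matches reported IOC: {name}")
    command, arguments = extract_action(event["TaskContent"])
    if "powershell" in command.lower():
        decoded = decode_encoded_command(arguments)
        if decoded is not None:
            reasons.append("PowerShell -EncodedCommand decodes to: " + decoded)
        if re.search(r"-w(?:indowstyle)?\s+hidden", arguments, re.I):
            reasons.append("PowerShell launched with a hidden window")
    return reasons

def triage(events: list) -> dict:
    """Map each flagged task name to its list of reasons."""
    flagged = {}
    for event in events:
        reasons = triage_event(event)
        if reasons:
            flagged[event["TaskName"]] = reasons
    return flagged

if __name__ == "__main__":
    for task, reasons in triage(SAMPLE_EVENTS).items():
        print(task)
        for reason in reasons:
            print("  -", reason)
```

Matching on the task name alone is brittle, since an operator can rename a task at will; the decoded-command and hidden-window checks are what generalize to other PowerShell-based persistence, and the benign `-File` task shows they do not fire on ordinary scripted jobs.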
