The Russia-linked threat actor known as COLDRIVER has been seen evolving his tradecraft to go beyond credential harvesting to distribute his first custom malware written in the Rust programming language.
Google’s Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chain uses PDFs as fake documents to trigger the infection sequence. The lures are sent from impersonating accounts.
COLDRIVER, also known by the names Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), Gossamer Bear, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is known to be active since 2019, targeting a wide range of sectors.
This includes education, defense, government organizations, NGOs, think tanks, political organizations, and, more recently, defense-industrial targets and energy facilities.
“Targets in the U.K. and the U.S. have been most affected by Star Blizzard activity, although activity has also been observed against targets in other NATO countries and Russia’s neighbors,” the U.S. government revealed last month.
Spear-phishing campaigns mounted by the group are designed to engage and build trust with the prospective victims with the ultimate goal of sharing bogus sign-in pages in order to harvest their credentials and gain access to the accounts.
Microsoft, in its analysis of COLDRIVER’s tactics, called for the use of server-side scripts to prevent automated scanning of actor-controlled infrastructure and determine targets of interest, before redirecting to phishing landing pages.
The latest findings from Google TAG reveal that threat actors have been using benign PDF documents as a starting point to entice targets to open files since November 2022.
“COLDRIVER presents these documents in the form of a new op-ed or other type of article that the impersonation account wishes to publish, soliciting a response from the target,” the tech giant said. “When the user opens the benign PDF, the text appears encrypted.”
In the event the recipient responds to the message stating they cannot read the document, the threat actor responds with a link to a purported decryption tool (“Proton-decrypter.exe”) hosted on a cloud storage service.
The choice of the name “Proton-decrypter.exe” is notable because Microsoft previously revealed that the adversary primarily uses Proton Drive to send PDF lures through phishing messages.
In fact, the decryptor is a backdoor named SPICA that gives COLDRIVER covert access to the machine, as well as displaying a decoy document to maintain the ruse.
Prior findings from WithSecure (formerly F-Secure) have revealed the threat actor’s use of a lightweight backdoor called Scout, a malware tool from the HackingTeam Remote Control System (RCS) Galileo hacking platform, as part of phishing campaigns observed in early 2016.
Scout is “intended to be used as an initial reconnaissance tool to gather basic system information and screenshots from a compromised computer, as well as enable the installation of additional malware,” the Finnish cybersecurity company noted at the time.
SPICA, which is the first custom malware developed and used by COLDRIVER, uses JSON over WebSockets for command-and-control (C2), facilitating the execution of arbitrary shell commands, theft of cookies from web browsers, uploading and downloading files, and enumerating and exfiltrating files. Persistence is achieved by means of a scheduled task.
“Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user,” Google TAG said. “In the background, it sets up persistence and starts the main C2 loop, waiting for commands to execute.”
There is evidence to suggest that the nation-state actor’s use of the implant goes back to November 2022, with the cybersecurity arm multiple variants of the “encrypted” PDF lure, indicating that there could be different versions of SPICA to match the lure document sent to targets.
As part of its efforts to disrupt the campaign and prevent further exploitation, Google TAG said it has added all known websites, domains and files associated with Hacking Crew to the Safe Browsing blocklist.
The development comes a month after the UK and US governments sanctioned two Russian members of COLDRIVER, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, for their involvement in conducting spear-phishing operations.
French cybersecurity firm Sekoia has since publicized the link between Korinets and known infrastructure used by the group, including dozens of phishing domains and multiple servers.
“Calisto contributes to Russian intelligence efforts to support Moscow’s strategic interests,” the company said. “It seems that domain registration was one of [Korinets’] main skills, used by Russian intelligence either directly or through a contractor relationship.”
