In the ever-evolving landscape of cybersecurity threats, the Russia-linked threat actor COLDRIVER has recently caught the attention of experts for its shift towards sophisticated tactics. Traditionally known for credential harvesting through spear-phishing campaigns, COLDRIVER has taken a significant leap forward by introducing its first-ever custom malware, developed in the Rust programming language. This marks a concerning advancement in their capabilities, emphasizing the need for heightened awareness and cybersecurity measures.
Google’s Threat Analysis Group (TAG) has been closely monitoring these developments, shedding light on the latest activities of COLDRIVER. The attack chains employed by the group now utilize PDFs as decoy documents to initiate the infection sequence. These malicious PDFs are strategically sent from impersonation accounts, adding a layer of deception to their tactics.
COLDRIVER, recognized by various aliases such as Blue Callisto, BlueCharlie, Calisto, and more, has been active since 2019, targeting a wide array of sectors. Its victims span academia, defense, governmental organizations, NGOs, think tanks, political outfits, and, more recently, defense-industrial targets and energy facilities.
The geographical impact of COLDRIVER’s activities has been significant, with the U.K. and U.S. experiencing the highest number of affected targets. However, the group’s operations have also extended to other NATO countries and those neighboring Russia, as disclosed by the U.S. government.
Spear-phishing campaigns orchestrated by COLDRIVER are meticulously designed to establish trust with potential victims. The ultimate goal is to lure them into interacting with bogus sign-in pages, leading to the compromise of their credentials and unauthorized access to their accounts. Microsoft’s analysis of COLDRIVER’s tactics highlights the use of server-side scripts to thwart automated scanning of their infrastructure, redirecting targets to phishing landing pages.
The most recent findings from Google TAG reveal a shift in COLDRIVER’s modus operandi. Since November 2022, the threat actor has been employing benign PDF documents as a starting point to entice targets. These PDFs are presented as new op-eds or articles, with impersonation accounts seeking feedback from the target. When the recipient opens the benign PDF, they encounter encrypted text.
If the target expresses difficulty in reading the document, COLDRIVER responds with a link to a supposed decryption tool (“Proton-decrypter.exe”) hosted on a cloud storage service. Notably, Microsoft had previously identified the use of Proton Drive by the adversary to send PDF lures through phishing messages. However, the decryption tool is a ruse – it’s a backdoor named SPICA, providing COLDRIVER with covert access to the compromised machine.
SPICA, identified as the first custom malware developed by COLDRIVER, employs JSON over WebSockets for command-and-control (C2). This enables the execution of arbitrary shell commands, theft of cookies from web browsers, file uploads and downloads, and enumeration and exfiltration of files. The malware ensures persistence through a scheduled task.
Evidence suggests that COLDRIVER has been using SPICA since November 2022, with multiple variants of the “encrypted” PDF lure indicating potential customization for specific targets. Google TAG, in its efforts to disrupt the campaign, has added all known associated websites, domains, and files to Safe Browsing blocklists.
While the exact number of successful compromises with SPICA remains unknown, Google suspects it was employed in “very limited, targeted attacks.” The focus has been on high-profile individuals in NGOs, former intelligence and military officials, defense, and NATO governments.
This development comes on the heels of the U.K. and U.S. governments sanctioning two Russian members of COLDRIVER. Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets were identified for their involvement in spear-phishing operations. French cybersecurity firm Sekoia has also unveiled links between Korinets and the infrastructure used by COLDRIVER, emphasizing the actor’s role in supporting Moscow’s strategic interests.
In conclusion, the evolution of COLDRIVER’s tactics highlights the constant need for vigilance in the face of cybersecurity threats. As they continue to adapt and refine their methods, it becomes imperative for organizations and individuals alike to stay informed and bolster their defenses against these sophisticated adversaries.
Interesting Article : Unveiling the AndroxGh0st Botnet: A Menace to Cloud Security