Google TAG warns that Russian COLDRIVER APT is using a custom backdoor

Google's Threat Analysis Group (TAG) has reported that the Russia-linked cyberespionage group known as COLDRIVER is expanding its operational tactics. This group, also referred to as “Seaborgium,” “Callisto,” “Star Blizzard,” and “TA446,” has targeted government officials, military personnel, journalists, and think tanks since at least 2015.

Recent activities of COLDRIVER have involved phishing campaigns that deliver custom malware via benign-looking PDFs. These documents often ask for feedback on op-eds or articles. When victims open the PDF, they see encrypted text. If they seek help, they are provided a link to a decryption tool, which is actually a backdoor known as SPICA.

“Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user,” TAG stated. The SPICA backdoor utilizes Rust and allows for various malicious actions, such as executing arbitrary shell commands, stealing cookies from browsers, and enumerating files for exfiltration.

Researchers noted that SPICA has been observed since early September 2023, although they believe it has been in use since November 2022. The malware is maintained via an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.

For further details about Google TAG's findings, refer to the original report from Google’s Threat Analysis Group.

Prolific Russian hacking unit using custom backdoor for the first time

Cold River has previously targeted high-profile entities, including U.S. nuclear facilities. The group is now using its first known custom malware, SPICA, which allows attackers to execute commands, upload and download files, and gather system information.

This malware is currently in limited use and is aimed at a small number of targets. Google TAG noted that Cold River's activities have included spear-phishing campaigns against various military and defense entities, significantly increasing their targeting profile. In December 2023, an indictment from the U.S. Department of Justice charged members of the group with hacking efforts against multiple nations, including NATO countries and Ukraine.

To understand the evolving tactics of Cold River, see the detailed analysis on CyberScoop.

Google: Russian state hackers deploying malware in espionage attacks around Europe

Research indicates that Russian state hackers are intensifying their efforts to deploy malware on devices of targets in NATO countries and Ukraine. The group, tracked as COLDRIVER, has refined their techniques to lure victims into downloading malware through PDF files.

“Since November 2022, they have lured victims into downloading backdoors via benign PDF documents,” noted a Google spokesperson. COLDRIVER often impersonates experts from various fields to build trust with potential victims.

For more insights into COLDRIVER's tactics and ongoing threats, access the full report on The Record.

Russia-linked phishing campaigns ensnare civil society and NGOs

Access Now and the Citizen Lab have identified spear-phishing campaigns targeting Russian and Belarusian civil society organizations and international NGOs. One of these campaigns has been attributed to COLDRIVER, while the other is likely the work of a different entity dubbed “COLDWASTREL.”

These attacks leverage personalized information to deceive victims, often using fake accounts to send emails that appear legitimate. The phishing emails typically contain locked PDFs or links purporting to help unlock the content, leading to credential harvesting.

For a detailed examination of these phishing tactics and protective measures, refer to the technical report published by Access Now and Citizen Lab.

Cybersecurity Marketing Solutions by GrackerAI

Organizations facing threats from groups like COLDRIVER can benefit from advanced cybersecurity marketing strategies. GrackerAI, an AI-powered cybersecurity marketing platform, helps organizations transform security news into strategic content opportunities. By identifying emerging trends and monitoring threats, GrackerAI enables marketing teams to produce technically relevant content that resonates with cybersecurity professionals.

Explore how GrackerAI can elevate your cybersecurity marketing efforts. Visit us at GrackerAI for more information or to contact us directly.