A Russian-based espionage group known for stealing login credentials of government and military officials is also trying to trick victims into downloading malware.
Google’s Threat Analysis Group (TAG) says the attackers, known to researchers as ColdRiver, UNC4057, Star Blizzard or Callisto, has added to its arsenal by adding poisoned PDF attachments in phishing messages that lead to the installation of a backdoor.
It’s a warning to ColdRiver’s usual targets, which include high profile individuals in non-governmental organizations like think tanks, universities, former intelligence and military officers, NATO governments, and Ukraine.
ColdRiver often creates an online persona pretending to be an expert in a particular field or somehow affiliated with the target, Google says. The impersonation account is then used to establish a rapport with the target, increasing the likelihood of the phishing campaign’s success. Eventually the gang sends a phishing link or document containing a link.
“As far back as November 2022, TAG has observed ColdRiver sending targets benign PDF documents from impersonation accounts,” TAG said in a report today. “ColdRiver presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted. If the target responds that they cannot read the encrypted document, the ColdRiver impersonation account responds with a link, usually hosted on a cloud storage site, to a ‘decryption’ utility for the target to use. This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving ColdRiver access to the victim’s machine.”
SPICA was detected as early as last September, but Google believes it was used almost a year before that. It’s the first custom malware that Google attributes as having been developed and used by ColdRiver.
Written in Rust, this backdoor uses JSON over websockets for command and control. It steals cookies from browsers, allows the uploading and downloading of files, and lists contents of file systems.
The backdoor establishes persistence via an obfuscated PowerShell command which creates a scheduled task named CalendarChecker.
Google’s report includes the latest indicators of compromise.
Last week, the Reuters news agency reported that ColdRiver targeted three nuclear research laboratories in the United States in 2023: the Brookhaven (BNL), Argonne (ANL) and Lawrence Livermore National Laboratories (LLNL), according to internet records. They showed the hackers creating fake login pages for each institution and emailing nuclear scientists in a bid to make them reveal their passwords, Reuters said.
Microsoft has been among the cybersecurity companies trying to disrupt this attacker, which it calls Star Blizzard. In December it reported that the group was trying to improve its detection evasion capabilities.