
Coldriver threat group targets high-ranking officials to obtain credentials

Researchers at Google’s Threat Analysis Group (TAG) have published their findings about a group they have dubbed Coldriver. The main targets of the Coldriver group are high-profile individuals in non-governmental organizations (NGOs), former intelligence and military officials, and NATO governments. These targets are approached in spear phishing attacks.

The group uses social engineering techniques to persuade their targets to open documents or download malware. Their activities are aligned with those of the Russian government, so it’s pretty safe to say that Coldriver is a state-sponsored group.

In December 2023, the US charged two Russians believed to be members of this group, for their role in a campaign that hacked government accounts.

Microsoft, which tracks the group as Star Blizzard, says the group targets individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests.

Typically, the group creates an impersonation account that pretends to be an expert in a field the target might be interested in or that is somehow affiliated with the target. Once a relationship has been established, the target will receive a phishing link or a document containing such a link.

To gain trust, Coldriver uses social media and professional marketing systems to build a profile of its target. With that information the group sets up email contacts, social media and other networking accounts that align with the target’s interests and appear legitimate.

Coldriver uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton Mail in the initial approach, impersonating known contacts of the target or well-known names in the target’s field of interest or sector. The group is also known to register malicious domains that mimic legitimate organizations.

Recently, TAG has noticed that the group uses “lure documents” to install a backdoor on the target’s system. These lure documents are harmless PDF files, but when the target opens one, its content appears to be encrypted.

When the target queries about the encryption, Coldriver sends the target a link to a decryption utility, typically hosted on a cloud storage site. This so-called decryption utility shows the target a normal PDF file, so that it appears as if the original was decrypted, but at the same time it installs a backdoor.

This backdoor is custom malware, likely developed by or for Coldriver, called Spica. Spica is written in the Rust programming language and supports these commands, among others:

  • Execute arbitrary shell commands
  • Steal cookies from Chrome, Firefox, Opera, and Edge
  • Upload and download files
  • Analyze the filesystem by listing the content
  • Enumerate documents and copy them to an archive

The backdoor establishes persistence through an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.
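For defenders hunting the persistence described above, here is an added example (not code from the article or from Google TAG) that triages Windows Task Scheduler XML definitions, as stored under %SystemRoot%\System32\Tasks, for a task named CalendarChecker and for actions that launch an encoded PowerShell command, decoding the base64/UTF-16LE payload for analyst review. The two sample task definitions and the benign command line in them are constructed for illustration; the article does not give the real task definition.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SUSPICIOUS_TASK_NAMES = {"calendarchecker"}  # task name reported for Spica persistence
# PowerShell accepts prefixes of -EncodedCommand (-e, -ec, -enc, ...) followed by base64
ENCODED_FLAG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(arguments):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = ENCODED_FLAG.search(arguments or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed encoded command


def triage_task(xml_text):
    """Return a list of findings for one task definition; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1]  # URI is a path like \Folder\TaskName
    findings = []
    if name.lower() in SUSPICIOUS_TASK_NAMES:
        findings.append(f"task name {name!r} matches the Spica persistence indicator")
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS)
        decoded = decode_encoded_command(exe.findtext("t:Arguments", default="", namespaces=NS))
        if decoded is not None:
            findings.append(f"{cmd} runs an encoded PowerShell command, decoded: {decoded!r}")
    return findings


# Constructed samples: a benign "whoami" stands in for the real (unknown) command line.
_ENC = base64.b64encode("whoami".encode("utf-16-le")).decode()
SAMPLE_SPICA_TASK = f"""<Task version="1.2" xmlns="{NS['t']}">
  <RegistrationInfo><URI>\\CalendarChecker</URI></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-WindowStyle hidden -enc {_ENC}</Arguments></Exec></Actions>
</Task>"""
SAMPLE_BENIGN_TASK = f"""<Task version="1.2" xmlns="{NS['t']}">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>%windir%\\system32\\defrag.exe</Command>
    <Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for sample in (SAMPLE_SPICA_TASK, SAMPLE_BENIGN_TASK):
        print(triage_task(sample) or ["no findings"])
```

On a live host, feed each file under %SystemRoot%\System32\Tasks to triage_task; a task name match should be treated as a strong signal, while an encoded command is a triage lead that needs the decoded text reviewed.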

TAG suspects but has been unable to verify that there are multiple variants of Spica: one to match each lure document sent to targets.

YARA rule

YARA is a tool that identifies files that meet certain conditions, such as containing a given set of strings. It is mainly used by security researchers to classify malware.

TAG has created a YARA rule that can help find the Spica backdoor.

rule SPICA__Strings {
  meta:
    author = "Google TAG"
    description = "Rust backdoor using websockets for c2 and embedded decoy PDF"
    hash = "37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9"
  strings:
    $s1 = "os_win.c:%d: (%lu) %s(%s) - %s"
    $s2 = "winWrite1"
    $s3 = "winWrite2"
    $s4 = "DNS resolution panicked"
    $s5 = "struct Dox"
    $s6 = "struct Telegram"
    $s8 = "struct Download"
    $s9 = "spica"
    $s10 = "Failed to open the subkey after setting the value."
    $s11 = "Card Holder: Bull Gayts"
    $s12 = "Card Number: 7/ 3310 0195 4865"
    $s13 = "CVV: 592"
    $s14 = "Card Expired: 03/28"

    $a0 = "agent\\src\\archive.rs"
    $a1 = "agent\\src\\main.rs"
    $a2 = "agent\\src\\utils.rs"
    $a3 = "agent\\src\\command\\dox.rs"
    $a4 = "agent\\src\\command\\shell.rs"
    $a5 = "agent\\src\\command\\telegram.rs"
    $a6 = "agent\\src\\command\\mod.rs"
    $a7 = "agent\\src\\command\\mod.rs"
    $a8 = "agent\\src\\command\\cookie\\mod.rs"
    $a9 = "agent\\src\\command\\cookie\\browser\\mod.rs"
    $a10 = "agent\\src\\command\\cookie\\browser\\browser_name.rs"
  condition:
    7 of ($s*) or 5 of ($a*)
}


ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.