Google TAG warns that Russian COLDRIVER APT is using a custom backdoor

Pierluigi Paganini January 18, 2024

Google warns that the Russia-linked threat actor COLDRIVER is expanding its targeting and developing custom malware.

The ColdRiver APT (aka “Seaborgium”, “Callisto”, “Star Blizzard”, “TA446”) is a Russian cyberespionage group that has been targeting government officials, military personnel, journalists and think tanks since at least 2015.

In the past, the group’s activity involved persistent phishing and credential theft campaigns leading to intrusions and data theft. The APT primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.

Google TAG researchers warn that COLDRIVER is evolving its tactics, techniques and procedures (TTPs) to improve its ability to evade detection.

Recently, TAG has observed COLDRIVER delivering custom malware via phishing campaigns using PDFs as lure documents. Google experts uncovered and disrupted these attacks by adding all known domains and hashes to Safe Browsing blocklists.

In November 2022, TAG spotted COLDRIVER sending targets benign PDF documents from impersonation accounts. The lure documents are presented as a new op-ed or another article that the impersonated persona is seeking to publish, and the attackers ask the recipient for feedback. When the victim opens the PDF, the text appears to be encrypted.

If the target replies that it cannot read the content, the attackers send a link to a supposed decryption tool. Once the target downloads and runs the tool, a decoy document is displayed while a backdoor, tracked as SPICA, is installed.

“Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user. In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute.” reads TAG’s analysis.

SPICA is a Rust backdoor that uses JSON over WebSockets for C2. It supports multiple capabilities, such as:

  • Executing arbitrary shell commands
  • Stealing cookies from Chrome, Firefox, Opera and Edge
  • Uploading and downloading files
  • Browsing the filesystem by listing directory contents
  • Enumerating documents and exfiltrating them in an archive
  • A command called “telegram” also exists, but its functionality is unclear

The malware maintains persistence via an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.

The researchers have observed SPICA in use since early September 2023, but believe the Russian APT has been employing it since at least November 2022.

“While TAG has observed four different variants of the initial “encrypted” PDF lure, we have only been able to successfully retrieve a single instance of SPICA. This sample, named “Proton-decrypter.exe”, used the C2 address 45.133.216[.]15:3000, and was likely active around August and September 2023.” concludes the report.

“We believe there may be multiple versions of the SPICA backdoor, each with a different embedded decoy document to match the lure document sent to targets.”
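As an added illustration that is not part of the TAG report or this article, the two host-level indicators mentioned above (the CalendarChecker scheduled task and the published C2 endpoint) can be turned into a small hunting script over endpoint telemetry. The log lines, host names, user names and file paths below are constructed; only the task name and the C2 address come from the report.

```python
import re

# Indicators as reported by Google TAG and relayed in the article above.
SPICA_TASK_NAME = "CalendarChecker"
SPICA_C2 = ("45.133.216.15", 3000)  # written defanged as 45.133.216[.]15 in the report

# Constructed sample telemetry (not real logs): key=value records loosely
# modelled on Windows Security event 4698 (scheduled task created) and
# Sysmon event 3 (network connection). Hosts, users and paths are made up.
SAMPLE_LOGS = r"""
event=4698 host=WS01 user=alice task=\CalendarChecker image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
event=4698 host=WS02 user=bob task=\Microsoft\Windows\Defrag\ScheduledDefrag image="C:\Windows\System32\svchost.exe"
event=3 host=WS01 image="C:\Users\alice\Downloads\Proton-decrypter.exe" dst=45.133.216.15 dport=3000
event=3 host=WS02 image="C:\Program Files\Mozilla Firefox\firefox.exe" dst=142.250.74.110 dport=443
event=3 host=WS03 image="C:\Windows\System32\svchost.exe" dst=45.133.216.15 dport=443
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def hunt(log_text):
    """Return (rule, host, detail) tuples for every SPICA indicator hit."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Rule 1: a scheduled task whose leaf name is CalendarChecker, whichever
        # task folder it was registered under.
        if ev.get("event") == "4698":
            leaf = ev.get("task", "").rsplit("\\", 1)[-1]
            if leaf == SPICA_TASK_NAME:
                hits.append(("spica_task", ev["host"], ev["task"]))
        # Rule 2: an outbound connection to the published C2 IP *and* port;
        # the IP alone is too loose, since a hosting provider may serve other tenants.
        elif ev.get("event") == "3":
            if (ev.get("dst"), int(ev.get("dport", 0))) == SPICA_C2:
                hits.append(("spica_c2", ev["host"], ev["image"]))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(*hit)
```

Run against the sample, only the WS01 task creation and the WS01 connection to port 3000 fire; the same IP on port 443 and the legitimate Defrag task do not.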

In December, the UK National Cyber Security Centre (NCSC) and Microsoft reported that the Russia-linked Callisto Group is targeting organizations worldwide, carrying out spear-phishing attacks for cyberespionage purposes.
