2024-01-19

Russian state-sponsored actor Coldriver, known for using spearphishing attacks on high-profile government accounts in Western countries for cyberespionage, has evolved its tactics to include custom malware in its campaigns, according to a Google Threat Analysis Group (TAG) report.

Also tracked as UNC4057, Star Blizzard, Blue Charlie, and Callisto, the Russian-backed advanced persistent threat (APT) has been found using a custom backdoor, "SPICA", on victim systems to steal information, execute arbitrary commands, and establish persistence.

"Recently, TAG has observed Coldriver continue its evolution by going beyond phishing for credentials, to delivering malware via campaigns using PDFs as lure documents," said TAG in the report. "TAG has disrupted the following campaign by adding all known domains and hashes to Safe Browsing blocklists."

Coldriver is best known for its credential phishing activity against high-profile individuals in NGOs, former intelligence and military officers, and NATO governments, focused mainly on the US and UK.

PDF lure used for malware delivery

In its latest campaign, Coldriver has been observed using impersonation accounts to deliver an encrypted PDF file to targets, which acts as a lure to initiate the infection.

"As far back as November 2022, TAG has observed Coldriver sending targets benign PDF documents from impersonation accounts," TAG said. "Coldriver presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target."

When the user tries to open the PDF, the content appears to be encrypted text. If the target reaches out for help with decryption, they are presented with a link, usually hosted on a cloud storage site, to a "decryption" utility. That utility, besides displaying a decoy "decrypted" document, is the SPICA backdoor in disguise.

While Coldriver has used malware before, SPICA is the first custom malware attributed to it. "In 2015 and 2016, TAG observed Coldriver using the Scout implant that was leaked during the Hacking Team incident of July 2015."

SPICA is a multifaceted backdoor

TAG's analysis of the SPICA binary revealed that it is written in Rust, a low-level programming language also used for building operating systems, kernels, and device drivers. The binary uses JavaScript Object Notation (JSON), a text-based data interchange format, over WebSockets for command and control (C2).

"Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user," TAG added. "In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute."

SPICA supports a number of commands for varied attacks, including running arbitrary shell commands, uploading and downloading files, stealing cookies from Chrome, Firefox, Opera, and Edge, and enumerating documents and exfiltrating them in an archive. There is also a "Telegram" command that TAG noticed but could not analyze further.

SPICA establishes persistence by creating a scheduled task named CalendarChecker, using an obfuscated PowerShell command. For user awareness, TAG has shared indicators of compromise (IOCs), which include hashes of the observed PDF documents, some SPICA instances, and the observed C2 domain.
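A defender-side check for the persistence marker described above (a scheduled task named CalendarChecker registered through an obfuscated PowerShell command), added here as an example and not code from the TAG report or the article: it decodes the base64 body that powershell.exe accepts via -EncodedCommand, then flags task registrations by name, and generalises to any task registered from an encoded script at a lower severity. The sample command lines, the executable paths and the "Backup" task are constructed for the demonstration, not SPICA indicators.

```python
import base64
import re

# Flags carrying a base64 (UTF-16LE) script body; task names from schtasks (/tn) or Register-ScheduledTask (-TaskName).
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
TASK_NAME = re.compile(r'(?:/tn|-TaskName)\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
TASK_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask", re.IGNORECASE)

def decode_encoded_powershell(cmdline):
    """Return the script hidden behind -EncodedCommand, or the command line unchanged."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # undecodable payload: leave it opaque rather than abort the scan

def classify(cmdline):
    """Verdict for one process command line, or None when it registers no task of interest."""
    encoded = ENCODED_FLAG.search(cmdline) is not None
    script = decode_encoded_powershell(cmdline)
    if not TASK_CREATE.search(script):
        return None
    m = TASK_NAME.search(script)
    task = (m.group(1) or m.group(2)) if m else "<unknown>"
    if task.lower() == "calendarchecker":
        return {"task": task, "encoded": encoded, "severity": "high",
                "reason": "task name reported by TAG for SPICA persistence"}
    if encoded:  # generalisation: any task registered from an encoded script deserves a look
        return {"task": task, "encoded": True, "severity": "medium",
                "reason": "scheduled task registered from an encoded PowerShell command"}
    return None

def scan(lines):
    """Return (index, verdict) pairs for every command line that classify() flags."""
    return [(i, v) for i, line in enumerate(lines) if (v := classify(line)) is not None]

def encode_ps(script):
    """Build the -EncodedCommand form of a script; used here only to construct the sample."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample command lines; executable paths are placeholders, not SPICA artefacts.
SAMPLE_LINES = [
    'schtasks.exe /create /tn "Vendor Update Task" /tr "C:\\Program Files\\Vendor\\update.exe" /sc daily',
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + encode_ps('schtasks /create /tn CalendarChecker /tr "C:\\ProgramData\\PLACEHOLDER.exe" /sc minute /mo 5'),
    "powershell.exe -enc " + encode_ps("Register-ScheduledTask -TaskName Backup -Action $a"),
    "powershell.exe -NoProfile Get-Process",
]
```

On a real estate the command lines would come from Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing enabled), and a 4698 task-creation event for the same task name corroborates the hit.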