January 18, 2024 at 11:03AM
Google’s Threat Analysis Group (TAG) has uncovered a Russian-backed hacking group, ColdRiver, spreading previously unknown backdoor malware through fake PDF decryption tools. The malware, named Spica, allows attackers to establish control over compromised devices and steal sensitive information. Google has taken action to protect users and has linked ColdRiver to Russian security services.
Key takeaways:
– The ColdRiver Russian-backed hacking group is deploying previously unknown backdoor malware, masquerading as a PDF decryption tool, through phishing emails.
– The attackers impersonate individuals affiliated with their targets and send encrypted PDF documents via phishing emails.
– When recipients cannot read the ‘encrypted’ documents, they are sent a link to download what appears to be a PDF decryptor executable (Proton-decrypter.exe).
– The fake decryption software backdoors the victims’ devices with a malware strain called Spica, a Rust-based backdoor that communicates with its command-and-control (C2) server using JSON over WebSockets.
– The Spica malware has various capabilities, including running arbitrary shell commands, stealing cookies from web browsers, uploading and downloading files, and exfiltrating documents.
– Google’s Threat Analysis Group (TAG) has observed ColdRiver using Spica and these backdoor tactics since at least November 2022.
– Multiple variants of the initial “encrypted” PDF lure have been observed, but only one instance of Spica has been successfully retrieved.
– Google has taken steps to mitigate the attacks, including adding all domains, websites, and files used in these attacks to its Safe Browsing phishing protection service and notifying targeted users.
– ColdRiver has been active since late 2015 and is known for its open-source intelligence (OSINT) and social engineering skills in spear-phishing attacks.
– The United Kingdom and Five Eyes allies linked ColdRiver to Russia’s ‘Centre 18’ Federal Security Service (FSB) division in December.
– The U.S. State Department has been offering rewards for information leading to the location or identification of ColdRiver threat actors since December 2023.
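As an added illustration (not code from Google TAG or the original report), the following Python triage heuristic encodes the lure chain described above, a PDF attachment followed by a download of a "decrypter" executable, and the reported WebSocket C2 transport, as two detection checks run over constructed sample events. The event tuple layout, field names and the process-name conventions are assumptions for the example, not a real product schema.

```python
"""Hypothetical triage checks for the ColdRiver lure chain described above.
All events below are constructed samples; the schema is an assumption."""
from datetime import datetime, timedelta
import re

# Constructed events: (timestamp, user, kind, detail).
# kind: "attachment" (mail gateway), "download" (web proxy),
#       "netconn" (endpoint sensor: "process|request headers").
SAMPLE_EVENTS = [
    ("2024-01-15T09:02:00", "alice", "attachment", "brief.pdf"),
    ("2024-01-15T10:40:00", "alice", "download", "Proton-decrypter.exe"),
    ("2024-01-15T10:45:00", "alice", "netconn", "Proton-decrypter.exe|Upgrade: websocket"),
    ("2024-01-15T11:00:00", "bob", "download", "setup.exe"),
    ("2024-01-15T11:05:00", "bob", "netconn", "chrome.exe|Upgrade: websocket"),
]

DECRYPTOR_NAME = re.compile(r"decrypt", re.IGNORECASE)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # assumed allow-list


def parse(ts):
    return datetime.fromisoformat(ts)


def find_lure_chains(events, window=timedelta(hours=24)):
    """Return (user, exe) pairs where a user received a PDF attachment and,
    within `window`, downloaded an executable whose name suggests a decryptor."""
    hits = []
    pdfs = [(parse(t), u) for t, u, k, d in events
            if k == "attachment" and d.lower().endswith(".pdf")]
    for t, u, k, d in events:
        if k == "download" and d.lower().endswith(".exe") and DECRYPTOR_NAME.search(d):
            when = parse(t)
            if any(pu == u and timedelta(0) <= when - pt <= window for pt, pu in pdfs):
                hits.append((u, d))
    return hits


def find_nonbrowser_websockets(events):
    """Return (user, process) pairs where a non-browser process negotiated a
    WebSocket upgrade, the transport Spica is reported to use for C2."""
    hits = []
    for _, u, k, d in events:
        if k != "netconn":
            continue
        proc, _, headers = d.partition("|")
        if "upgrade: websocket" in headers.lower() and proc.lower() not in BROWSERS:
            hits.append((u, proc))
    return hits
```

Both checks are heuristics meant to surface candidates for analyst review; a legitimate decryption utility or a non-browser app that uses WebSockets would need tuning of the name pattern and allow-list.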