January 18, 2024 at 11:03AM
COLDRIVER, a Russia-linked threat actor, has expanded its tactics to include its first known custom malware, a backdoor written in the Rust programming language. The group uses PDF decoy documents in spear-phishing campaigns against organizations across a range of sectors. Google’s Threat Analysis Group (TAG) has observed the actor sending benign PDFs as lures and then delivering a backdoor named SPICA, which poses as a utility for decrypting them. The U.S. and U.K. governments have disclosed that COLDRIVER has targeted organizations in both countries, as well as other NATO members and countries neighboring Russia. Google TAG has taken measures to disrupt COLDRIVER’s operations and has shared details of the group’s activity.
Key takeaways:
– The threat actor known as COLDRIVER has evolved beyond credential harvesting to deliver custom malware written in the Rust programming language, and has been observed using PDF decoy documents in spear-phishing attacks.
– The group targets a wide range of sectors including academia, defense, governmental organizations, NGOs, think tanks, political outfits, defense-industrial targets, and energy facilities.
– COLDRIVER has been active since 2019 and has been observed targeting the U.K., U.S., as well as other NATO countries, and countries neighboring Russia.
– The group’s spear-phishing emails entice victims into opening PDF documents that are themselves benign. The payload is the SPICA backdoor, delivered separately under the guise of a tool to decrypt the PDF; once run, it grants the attackers covert access to the machine.
– Google’s Threat Analysis Group has taken steps to disrupt the campaign by adding all known websites, domains, and files associated with COLDRIVER to Safe Browsing blocklists.
– Additionally, two Russian members of COLDRIVER, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, have been sanctioned by the U.K. and the U.S. governments for their involvement in spear-phishing operations.