Who are the ColdRiver hackers?
The Russian hacking group known as ColdRiver (also written COLDRIVER) has been active since 2019 and is believed to be linked to Russian intelligence services, specifically the FSB. Over time its focus has expanded beyond simple credential collection. Here are some details about the group:
- Activities and Objectives:
  - Spear-phishing: COLDRIVER runs spear-phishing campaigns to compromise accounts. It sends benign PDF documents as bait, posing as opinion articles or content seeking publication. When the user opens the PDF, the text appears encrypted.
  - Custom Malware: Recently, COLDRIVER developed its first custom malware, written in the Rust programming language. The PDFs serve as the starting point: the victim is deceived into running a "decryption" tool that in reality installs a backdoor named SPICA. This grants covert access to the victim's system while a fake document is displayed to maintain the facade.
- Targets and Affected Sectors:
  - COLDRIVER has directed its attacks at a wide range of sectors, including academia, defense, governmental organizations, NGOs, think tanks, political parties, and, more recently, defense-industrial targets and energy facilities.
  - The activities of Star Blizzard (an alternative name for the group) have primarily impacted targets in the United Kingdom and the United States, although the group has also attacked other NATO countries and countries neighboring Russia.
In summary, COLDRIVER is an evolving hacker group focused on phishing and the distribution of custom malware. Their use of encrypted PDFs as bait is an intriguing and concerning tactic.
How does ColdRiver deliver malware?
COLDRIVER has expanded its tactics beyond credential phishing activities. They now deliver malware using encrypted PDFs as lure documents. Here’s how they do it:
- Impersonation Accounts and Lure Documents:
  - COLDRIVER uses impersonation accounts to establish trust with its targets. These accounts pretend to be experts in specific fields or to be affiliated with the target.
  - From these accounts it sends benign PDF documents, presented as new op-eds or articles seeking feedback.
  - When the target opens the benign PDF, the text appears encrypted.
- Malware Delivery:
  - If the target responds that they cannot read the encrypted document, COLDRIVER provides a link (usually hosted on a cloud storage site) to a "decryption" utility.
  - This utility, while displaying a decoy document, is actually a backdoor tracked as SPICA.
  - SPICA gives COLDRIVER access to the victim's machine, allowing them to execute arbitrary shell commands, upload and download files, steal cookies from browsers, and more.
COLDRIVER's use of "encrypted" PDF lures to deliver malware demonstrates how its cyberespionage tactics and techniques continue to evolve.
Understanding the new malware approach with SPICA
COLDRIVER’s latest campaign involves the use of malware-laden links.
They have been using benign PDF documents since around November 2022 to entice targets.
Here’s how the phishing process works:
- Establish rapport with the target using a fake email account.
- Send a PDF in an email, posing as an op-ed document or article for feedback.
- When the user opens the PDF, the text appears encrypted.
- If the target responds that they cannot read the encrypted document, COLDRIVER sends a link to a “decryption utility.”
- This utility, tracked as SPICA, is actually backdoor malware.
- SPICA covertly establishes a connection to the hackers’ command and control server (C2) while displaying a decoy document to maintain the ruse.
Technical Details about SPICA
SPICA is a sophisticated backdoor that allows COLDRIVER to gain covert access to compromised machines, all while using seemingly innocuous PDFs as a starting point for their attacks. More details about SPICA:
- Written in Rust: SPICA is a custom malware tool written in the Rust programming language.
- Communication: It uses JSON over WebSockets for command and control of affected devices.
- Capabilities:
  - Executes arbitrary shell commands.
  - Steals cookies from Chrome, Firefox, Opera, and Edge.
  - Uploads and downloads files.
  - Enumerates the filesystem by listing directory contents.
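The behaviour chain described in the two sections above (a downloaded "decryption utility" that shows a decoy PDF, opens a WebSocket channel, reads browser cookie stores and spawns a shell) is what a defender can hunt for. The following is an added detection example, not code from the article or any vendor: the telemetry event shape, the cookie-store paths, the process names and the scoring threshold are all assumptions chosen for illustration.

```python
"""Constructed detection example (not from the article): score endpoint
telemetry for the SPICA-like behaviour chain. Event shapes, paths, names
and the threshold are assumptions for this example, not vendor schema or IoCs."""
from collections import defaultdict

# Default cookie-store locations for the browsers the article names (Windows
# paths, illustrative). Firefox keeps cookies.sqlite under its profile directory.
COOKIE_STORE_HINTS = (
    r"\Google\Chrome\User Data\Default\Network\Cookies",
    r"\Mozilla\Firefox\Profiles",
    r"\Opera Software\Opera Stable\Network\Cookies",
    r"\Microsoft\Edge\User Data\Default\Network\Cookies",
)
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}


def classify(events):
    """Map one process's events to the distinct SPICA-like behaviours it shows."""
    hits = {}
    for e in events:
        t = e["type"]
        if t == "process_start" and "\\Downloads\\" in e["image"]:
            hits["downloads_launch"] = e["image"]   # "decryption utility" run from Downloads
        elif t == "file_open" and e["path"].lower().endswith(".pdf"):
            hits["decoy_pdf"] = e["path"]           # decoy document shown to the victim
        elif t == "net_connect" and e.get("protocol") == "websocket":
            hits["websocket_c2"] = e["dest"]        # JSON-over-WebSocket C2 channel
        elif t == "file_read" and any(h in e["path"] for h in COOKIE_STORE_HINTS):
            hits["cookie_store"] = e["path"]        # browser cookie theft
        elif t == "child_process" and e["child"].lower() in SHELLS:
            hits["shell_spawn"] = e["child"]        # arbitrary shell command execution
    return hits


def hunt(events, threshold=3):
    """Group events by pid; report processes showing at least `threshold` behaviours.
    A PDF reader that merely opens the lure scores 1 and is not reported."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    return {pid: hits for pid, evs in by_pid.items() if len(hits := classify(evs)) >= threshold}


# Constructed telemetry: pid 4242 mimics the described chain; pid 5100 is a
# legitimate reader opening the same lure PDF. 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"pid": 4242, "type": "process_start", "image": r"C:\Users\ana\Downloads\decrypt_utility.exe"},
    {"pid": 4242, "type": "file_open", "path": r"C:\Users\ana\Downloads\oped_draft.pdf"},
    {"pid": 4242, "type": "net_connect", "protocol": "websocket", "dest": "203.0.113.10:443"},
    {"pid": 4242, "type": "file_read", "path": r"C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"pid": 4242, "type": "child_process", "child": "cmd.exe"},
    {"pid": 5100, "type": "process_start", "image": r"C:\Program Files\Reader\reader.exe"},
    {"pid": 5100, "type": "file_open", "path": r"C:\Users\ana\Downloads\oped_draft.pdf"},
]
```

Requiring several behaviours per process, rather than alerting on any one of them, is what keeps a legitimate PDF reader or a browser's own cookie access from tripping the rule.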
Protection measures against SPICA
- Keep Software Updated: Ensure all your devices are up to date with the latest security patches.
- Enhanced Safe Browsing: Enable the Enhanced Safe Browsing feature in the Chrome browser.
- Be Cautious with PDFs: Be wary of opening PDFs from unknown or suspicious sources.
- Security Solutions: Consider using antivirus and anti-malware solutions that can detect and block threats like SPICA.