Russian Threat Group ColdRiver Launches New Malware Campaign ‘SPICA’
The Russian threat group ColdRiver, known for targeting high-ranking Western officials, has recently launched a new malware campaign. ColdRiver, backed by the Kremlin, has added malware to its arsenal of hacking tools. Research by Google’s Threat Analysis Group (TAG) revealed that ColdRiver has been incorporating custom malware into its latest attacks. The group is typically known for spear-phishing attacks that harvest a target’s credentials, but it now also sends malware-laden links which, when opened, install a backdoor on the target’s system.
ColdRiver Launches SPICA: A New Malware Campaign
ColdRiver is also referred to as UNC4057, Star Blizzard, and Callisto. Security researchers first detected it in 2016, and it has stepped up its attacks since the Russian invasion of Ukraine in March of 2022. The group is believed to be connected to Russia’s shady government intelligence arm, the FSB. According to TAG:
“ColdRiver has been steadfast in espionage-driven attacks against “high profile individuals in NGOs (non-governmental organizations), former intelligence and military officers, and NATO governments. In its credential phishing attacks, the group took its time to gain the trust of its targets, often by impersonating accounts, pretending to be an expert in a particular field or affiliate of the targe
TAG revealed that once a connection with the target is established, ColdRiver sends a phishing link or a document containing a fake link designed to trick the target into handing over their credentials. According to the new research, the group has also been using “benign” PDFs as lures since about November 2022. The phishing process used by ColdRiver runs as follows:
- Establish rapport with the target through a bogus email account mimicking a likely coworker
- Send a PDF by email asking the target to review an op-ed or article supposedly written by the fake persona
- When the target opens the PDF, its text appears to be encrypted
- If the target writes back that they cannot read the encrypted document, ColdRiver sends a link to a supposed “decryption utility”, which is in fact the backdoor malware dubbed SPICA
Once run, SPICA decodes the embedded PDF, writes it to disk, and opens it as a decoy for the user. In the background it establishes a connection to a command and control (C2) server run by the attackers. According to the researchers, there are multiple versions of the SPICA backdoor, each with a different embedded decoy document matching the bait document sent to its targets.
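A defender-side way to turn the behaviour just described into a detection, as an added example that is not from the TAG report or this article: a small correlation rule over constructed endpoint telemetry (the log format, paths and addresses are assumptions) that flags a process which drops a PDF, launches a viewer on it, and then makes an outbound connection within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report). Each line is
# "timestamp|pid|event|detail". Process 4242 mimics the decoy-then-beacon
# sequence described above; process 5001 is a benign document workflow.
SAMPLE_EVENTS = """\
2024-01-16T10:00:01|4242|file_write|C:\\Users\\v\\Downloads\\oped_review.pdf
2024-01-16T10:00:02|4242|process_spawn|AcroRd32.exe C:\\Users\\v\\Downloads\\oped_review.pdf
2024-01-16T10:00:05|4242|net_connect|203.0.113.10:443
2024-01-16T10:03:00|5001|file_write|C:\\Users\\v\\Documents\\report.pdf
2024-01-16T10:03:01|5001|process_spawn|AcroRd32.exe C:\\Users\\v\\Documents\\report.pdf
2024-01-16T11:30:00|5001|net_connect|192.0.2.7:443
"""

def parse_events(text):
    """Parse the pipe-separated telemetry into (timestamp, pid, kind, detail)."""
    events = []
    for line in text.splitlines():
        ts, pid, kind, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), int(pid), kind, detail))
    return events

def find_decoy_then_beacon(events, window=timedelta(minutes=5)):
    """Return (pid, remote) pairs for processes that wrote a PDF, spawned a
    viewer on that PDF, and then connected outbound, all within `window`.
    This is a behavioural heuristic for the decoy-then-C2 pattern, not a
    signature for any particular sample."""
    by_pid = defaultdict(list)
    for ev in sorted(events):
        by_pid[ev[1]].append(ev)
    hits = []
    for pid, evs in by_pid.items():
        dropped = {}        # path of written PDF -> time it was written
        opened_at = None    # time a viewer was launched on a dropped PDF
        for ts, _, kind, detail in evs:
            if kind == "file_write" and detail.lower().endswith(".pdf"):
                dropped[detail] = ts
            elif kind == "process_spawn" and any(p in detail for p in dropped):
                opened_at = ts
            elif kind == "net_connect" and opened_at is not None:
                if ts - min(dropped.values()) <= window:
                    hits.append((pid, detail))
                    break
    return hits
```

The benign process also writes and opens a PDF, but its outbound connection comes long after, so only the tight write-open-connect sequence is reported.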