New Delhi: Google researchers have observed that COLDRIVER, the notorious Russian threat group focused on credential phishing, has now gone beyond that activity by delivering “malware via campaigns using PDFs as lure documents”.
COLDRIVER, also known as ‘UNC4057’, ‘Star Blizzard’ and ‘Callisto’, has focused on credential phishing against Ukraine, NATO countries, academic institutions and NGOs.
In order to gain the trust of targets, the group often utilises impersonation accounts, pretending to be an expert in a particular field or somehow affiliated with the target.
According to new research by Google’s Threat Analysis Group (TAG), COLDRIVER has increased its activity in recent months and is now using new tactics that can cause more disruption to its victims.
“As far back as November 2022, TAG has observed COLDRIVER sending targets benign PDF documents from impersonation accounts,” Google said in a blogpost Thursday.
The threat group presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted, the researchers explained.
If the target responds that they cannot read the encrypted document, the COLDRIVER impersonation account replies with a link, usually hosted on a cloud storage site, to a “decryption” utility for the target to use.
“This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving COLDRIVER access to the victim’s machine,” the researchers said.
In 2015 and 2016, TAG observed COLDRIVER using the Scout implant that was leaked during the Hacking Team incident of July 2015.
SPICA represents the first custom malware whose development and use the TAG researchers attribute to COLDRIVER.
The researchers have observed SPICA being used as early as September 2023, but believe that COLDRIVER’s use of the backdoor goes back to at least November 2022.
IANS