Google says the ColdRiver Russian-backed hacking group is pushing previously unknown backdoor malware using payloads masquerading as a PDF decryption tool.
The attackers send PDF documents that seem to be encrypted via phishing emails impersonating individuals affiliated with their targets (a tactic first observed in November 2022).
When the recipients reply that they can’t read the ‘encrypted’ documents, they’re sent a link to download what looks like a PDF decryptor executable (named Proton-decrypter.exe) to view the contents of the lure documents.
“COLDRIVER presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted,” Google TAG said.
However, even though this fake decryption software will display a decoy PDF document, it will backdoor the victims’ devices using a malware strain dubbed Spica by security researchers with Google’s Threat Analysis Group (TAG), who spotted the attacks.
The researchers believe that there likely are multiple Spica samples matching the phishing lures, each with a different decoy document, even though they were only able to capture a single sample while investigating this campaign.
The Rust-based Spica malware uses JSON over websockets to communicate with its command-and-control (C2) server, and it lets the operators run arbitrary shell commands, steal Chrome, Firefox, Opera, and Edge cookies, upload and download files, and exfiltrate documents.
Once deployed, Spica will also establish persistence using an obfuscated PowerShell command that will create a ‘CalendarChecker’ scheduled task on the compromised devices.
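The persistence step above gives defenders something concrete to hunt for. The following is an added detection example, not code from Google TAG or from the article: it runs a few heuristics over constructed records modelled on Windows Security event 4698 ("A scheduled task was created"), flagging a task named CalendarChecker or any task whose action launches PowerShell with an encoded command or stealth flags, and decoding the encoded command so an analyst can read it. The field layout (TaskName, Command, Arguments) is a simplification of the XML that real 4698 events carry, and the encoded payload is a constructed placeholder, since the article does not reproduce Spica's actual PowerShell command.

```python
import base64
import re

# Task name reported by Google TAG for Spica's persistence mechanism.
KNOWN_TASK_NAMES = {"calendarchecker"}
POWERSHELL_BINARIES = {"powershell.exe", "pwsh.exe"}
# powershell.exe accepts unambiguous prefixes of -EncodedCommand.
ENCODED_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.IGNORECASE)
# Flags commonly combined with an encoded command to hide execution.
STEALTH_FLAGS = {"-windowstyle", "-w", "-noprofile", "-nop", "-noninteractive", "-noni"}

# Constructed placeholder; the real Spica command is not reproduced in the article.
CONSTRUCTED_PAYLOAD = 'Start-Process "C:\\Users\\Public\\placeholder.exe"'


def encode_command(script: str) -> str:
    """PowerShell's -EncodedCommand expects base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed events modelled on Security event 4698; real events carry the task
# definition as XML in TaskContent, flattened here into Command/Arguments.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": "%windir%\\system32\\defrag.exe", "Arguments": "-c -h -o -$"},
    {"EventID": 4698, "TaskName": "\\CalendarChecker",
     "Command": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Arguments": "-NoProfile -WindowStyle Hidden -EncodedCommand "
                  + encode_command(CONSTRUCTED_PAYLOAD)},
    {"EventID": 4698, "TaskName": "\\Backup\\Nightly",
     "Command": "pwsh.exe", "Arguments": "-File C:\\Scripts\\backup.ps1"},
    {"EventID": 4688, "TaskName": "", "Command": "notepad.exe", "Arguments": ""},
]


def decode_encoded_command(arguments: str):
    """Return the plaintext behind an -EncodedCommand argument, or None if absent or undecodable."""
    tokens = arguments.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENCODED_FLAG.match(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def score_task_event(event: dict) -> list:
    """Return the reasons a task-creation event resembles Spica-style persistence (empty if none)."""
    reasons = []
    if event.get("EventID") != 4698:
        return reasons
    task = event.get("TaskName", "").strip("\\").lower()
    if task in KNOWN_TASK_NAMES:
        reasons.append(f"task name '{event['TaskName']}' matches reported Spica indicator")
    # Normalise the action binary regardless of path separators.
    binary = re.split(r"[\\/]", event.get("Command", ""))[-1].lower()
    if binary in POWERSHELL_BINARIES:
        tokens = event.get("Arguments", "").split()
        if any(ENCODED_FLAG.match(t) for t in tokens):
            reasons.append("scheduled task runs PowerShell with an encoded command")
        stealth = sorted({t.lower() for t in tokens} & STEALTH_FLAGS)
        if stealth:
            reasons.append("PowerShell launched with stealth flags: " + ", ".join(stealth))
    return reasons


def find_suspicious(events):
    """Return (task name, reasons, decoded command or None) for every flagged event."""
    hits = []
    for ev in events:
        reasons = score_task_event(ev)
        if reasons:
            hits.append((ev["TaskName"], reasons,
                         decode_encoded_command(ev.get("Arguments", ""))))
    return hits


if __name__ == "__main__":
    for name, reasons, decoded in find_suspicious(SAMPLE_EVENTS):
        print(name)
        for reason in reasons:
            print("  -", reason)
        if decoded:
            print("  decoded:", decoded)
```

Only the CalendarChecker record is flagged; the legitimate defrag task and the backup script that runs PowerShell from a plain `-File` argument pass, which is the point of combining the name indicator with the encoded-command and stealth-flag heuristics rather than alerting on every PowerShell task. Since the task name is trivial for an attacker to change, the flag-based checks are the part worth keeping in a production rule, fed from real 4698 events or from Sysmon process-creation logs.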
“TAG has observed SPICA being used as early as September 2023, but believe that COLDRIVER’s use of the backdoor goes back to at least November 2022,” Google TAG said.
“While TAG has observed four different variants of the initial “encrypted” PDF lure, we have only been able to successfully retrieve a single instance of SPICA.”
Government-backed attack alerts
Google has added all domains, websites, and files used in these attacks to its Safe Browsing phishing protection service and notified all targeted Gmail and Workspace users that they were the target of a government-backed attack.
Also tracked as Callisto Group, Seaborgium, and Star Blizzard, ColdRiver has been active since late 2015, and it is known for its operators’ open-source intelligence (OSINT) and social engineering skills used to research and lure targets in spear-phishing attacks.
In December, the United Kingdom and Five Eyes allies linked ColdRiver to Russia’s ‘Centre 18’ Federal Security Service (FSB) division, the country’s internal security and counterintelligence service.
Previously, Microsoft thwarted ColdRiver attacks targeting several European NATO nations by disabling Microsoft accounts the attackers used for surveillance and harvesting emails.
Since December 2023, the U.S. State Department has been offering rewards of up to $10 million for information that could lead to the location or identification of ColdRiver threat actors.