Security experts at Google have uncovered a new cyber threat orchestrated by the ColdRiver Russian-backed hacking group.
According to the report, the attackers are using a novel approach: distributing seemingly encrypted PDF documents as a lure for delivering a sophisticated backdoor.
The campaign, initially observed in November 2022, involves phishing emails impersonating individuals associated with the targets.
Phishing Ploy: A Closer Look at the Attack Vector
Based on Bleeping Computer's report, the attackers initiate the attack by sending phishing emails containing PDF documents that appear to be encrypted.
Upon receiving replies indicating the recipients' inability to access the 'encrypted' content, the hackers provide a download link. This link supposedly leads to a PDF decryption tool executable, named Proton-decrypter.exe, promising to reveal the concealed information.
However, instead of genuinely decrypting the PDF, the fake tool functions as a backdoor, installing a malware strain known as Spica on the victims' devices.
Google's Threat Analysis Group (TAG) detected and analyzed these attacks, uncovering the deceptive tactics employed by the ColdRiver group.
Spica Malware: The Covert Operator
Spica, a Rust-based malware, uses JSON over WebSockets to communicate with its command-and-control (C2) server. Its capabilities include executing arbitrary shell commands, stealing cookies from browsers such as Chrome, Firefox, Opera, and Edge, uploading and downloading files, and surreptitiously exfiltrating documents.
Once deployed, Spica ensures persistence by employing an obfuscated PowerShell command. This command establishes a 'CalendarChecker' scheduled task on the compromised device, enabling the malware to maintain a foothold.
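A defender-side check for the persistence mechanism described above, added here as an example and not code from the original article or from Google TAG: it parses Windows Security Event ID 4698 (scheduled task created) records, flags a task named CalendarChecker or one whose action launches PowerShell with a hidden, encoded command line, and decodes that command for the analyst. The event records are constructed for this example; the actual obfuscated command is not on the page and is not reproduced.

```python
# Flag scheduled-task creation events (Windows Security Event ID 4698) that match the
# persistence described above: a 'CalendarChecker' task running hidden, encoded PowerShell.
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SUSPECT_TASK_NAMES = {"calendarchecker"}  # task name reported for Spica persistence
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def parse_task_event(event_xml):
    """Return {name, command, arguments} from a 4698 event record."""
    data = {d.get("Name"): (d.text or "") for d in ET.fromstring(event_xml).iterfind(".//{*}Data")}
    exe = ET.fromstring(data["TaskContent"]).find(".//{*}Exec")  # TaskContent is escaped task XML
    cmd = exe.findtext("{*}Command", default="") if exe is not None else ""
    args = exe.findtext("{*}Arguments", default="") if exe is not None else ""
    return {"name": data.get("TaskName", ""), "command": cmd, "arguments": args}

def decode_encoded_command(args):
    """Decode the UTF-16LE script behind -EncodedCommand; None if absent or invalid."""
    m = ENC_FLAG.search(args)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def suspicious_reasons(task):
    reasons = []  # why a parsed task resembles the Spica persistence mechanism
    if task["name"].lstrip("\\").lower() in SUSPECT_TASK_NAMES:
        reasons.append("task name matches the reported Spica task")
    if "powershell" in task["command"].lower():
        if decode_encoded_command(task["arguments"]) is not None:
            reasons.append("PowerShell action uses an encoded command")
        if re.search(r"-w(?:indowstyle)?\s+hidden", task["arguments"], re.I):
            reasons.append("PowerShell action runs with a hidden window")
    return reasons

def make_event(task_name, command, arguments):  # builds a constructed 4698 record
    task_xml = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions>'
                f"<Exec><Command>{escape(command)}</Command><Arguments>{escape(arguments)}"
                "</Arguments></Exec></Actions></Task>")
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
            f'<EventID>4698</EventID></System><EventData><Data Name="TaskName">{escape(task_name)}'
            f'</Data><Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')

ENCODED = base64.b64encode('Write-Host "constructed sample"'.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [  # constructed samples: one Spica-like task, one benign built-in task
    make_event("\\CalendarChecker", "powershell.exe", f"-w hidden -enc {ENCODED}"),
    make_event("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "defrag.exe", "-c -h"),
]
```

On a live host the same records come from the Security log (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698}), provided scheduled-task auditing ("Audit Other Object Access Events") is enabled.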
Long-Running Threat: ColdRiver's Persistent Tactics
According to Google TAG, Spica has been deployed since at least September 2023, and there are indications that ColdRiver has used the backdoor since November 2022.
While TAG observed four distinct variants of the initial "encrypted" PDF lure, they were able to retrieve a single instance of the Spica malware during their investigation.
"COLDRIVER presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted," Google TAG writes.
Government-Backed Alerts and Countermeasures
In response to the threat, Google has taken proactive measures. All domains, websites, and files linked to these attacks have been incorporated into Google's Safe Browsing phishing protection service. Additionally, Gmail and Workspace users targeted in these government-backed attacks have been duly notified.
Known also as Callisto Group, Seaborgium, and Star Blizzard, ColdRiver has been an active threat since late 2015. With a reputation for leveraging open-source intelligence (OSINT) and adept social engineering, the group has been associated with spear-phishing attacks.
Microsoft's Encounter With ColdRiver Scheme
Back in December, The Hacker News reported that Microsoft was able to slow down ColdRiver's "evasion and credential-stealing tactics."
At that time, the Redmond giant warned companies to be vigilant when dealing with this group, which continuously improves its detection evasion methods. The company disabled the accounts used for surveillance and email harvesting.
In the same month, the US State Department announced a $10 million reward for information leading to the arrest of the threat actors behind ColdRiver operations.