Russian threat group spreading backdoor through phishing, says Google

A Russian-based espionage group known for stealing login credentials of government and military officials is also trying to trick victims into downloading malware.

Google’s Threat Analysis Group (TAG) says the attackers, known to researchers as ColdRiver, UNC4057, Star Blizzard or Callisto, has added to its arsenal by adding poisoned PDF attachments in phishing messages that lead to the installation of a backdoor.

It’s a warning to ColdRiver’s usual targets, which include high profile individuals in non-governmental organizations like think tanks, universities, former intelligence and military officers, NATO governments, and Ukraine.

ColdRiver often creates an online persona pretending to be an expert in a particular field or somehow affiliated with the target, Google says. The impersonation account is then used to establish a rapport with the target, increasing the likelihood of the phishing campaign’s success. Eventually the gang sends a phishing link or document containing a link.

“As far back as November 2022, TAG has observed ColdRiver sending targets benign PDF documents from impersonation accounts,” TAG said in a report today. “ColdRiver presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted. If the target responds that they cannot read the encrypted document, the ColdRiver impersonation account responds with a link, usually hosted on a cloud storage site, to a ‘decryption’ utility for the target to use. This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving ColdRiver access to the victim’s machine.”

SPICA was detected as early as last September, but Google believes it was used almost a year before that. It’s the first custom malware that Google attributes as having been developed and used by ColdRiver.

Written in Rust, this backdoor uses JSON over websockets for command and control. It steals cookies from browsers, allows the uploading and downloading of files, and lists contents of file systems.

The backdoor establishes persistence via an obfuscated PowerShell command which creates a scheduled task named CalendarChecker.

Google’s report includes the latest indicators of compromise.

Last week, the Reuters news agency reported that ColdRiver targeted three nuclear research laboratories in the United States in 2023: the Brookhaven (BNL), Argonne (ANL) and Lawrence Livermore National Laboratories (LLNL), according to internet records. They showed the hackers creating fake login pages for each institution and emailing nuclear scientists in a bid to make them reveal their passwords, Reuters said.

Microsoft has been among the cybersecurity companies trying to disrupt this attacker, which it calls Star Blizzard. In December it reported that the group was trying to improve its detection evasion capabilities.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs