COLDRIVER Custom Malware: Hackers Evolve Attack Tactics
In recent cybersecurity developments, the hacking group COLDRIVER has taken its attack tactics to a new level, deploying a custom malware named “Proton-decrypter.exe.” This choice of nomenclature is significant, as Microsoft had previously disclosed that the adversary predominantly utilized Proton Drive for sending PDF lures through phishing messages. In this blog post, we’ll explore the COLDRIVER custom malware, delving into the evolving attack tactics and uncovering crucial insights into the cybersecurity landscape.
Proton Drive Deception
Google Threat Analysis Group (TAG) researchers revealed to The Hacker News that the PDF document used in the attack was hosted on Proton Drive. Interestingly, the attackers claim that the tool is meant for decrypting files hosted on this cloud platform. However, the reality is far more sinister. The so-called decryptor is, in fact, a backdoor named SPICA. The backdoor grants the threat actors covert access to the targeted machines while simultaneously displaying a decoy document to mislead the user and keep their attention on the lure.
From Scout to SPICA
Previous findings from WithSecure (formerly F-Secure) shed light on COLDRIVER’s use of a lightweight backdoor called Scout. This malware tool, originating from the HackingTeam Remote Control System (RCS) Galileo hacking platform, was observed in spear-phishing campaigns as early as 2016. Scout serves as an initial reconnaissance tool, collecting basic system information and screenshots and enabling the installation of additional malware.
The latest development, SPICA, represents COLDRIVER’s first custom malware. It leverages JSON over WebSockets for command-and-control (C2), enabling the execution of arbitrary shell commands, theft of cookies from web browsers, file uploads, and downloads, and the enumeration and exfiltration of files. Persistence is maintained through the use of a scheduled task.
SPICA Malware by COLDRIVER
Upon execution, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user. Simultaneously, in the background, it establishes persistence and initiates the main C2 loop, awaiting commands for execution. The sophistication of SPICA malware lies in its versatility, allowing the hacker to perform a range of malicious activities on the compromised system.
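The behaviour described above (a decoy PDF written to disk, persistence via a scheduled task, and a WebSocket-style C2 channel) lends itself to behavioural correlation on the endpoint rather than hash-based blocking. The following is an added example, not Google TAG’s or any vendor’s detection logic: it correlates three behaviours per process over a constructed JSON-lines telemetry stream. The event format, field names, task name, host name and file paths are invented for the example; only the “Proton-decrypter.exe” file name comes from the post.

```python
"""Correlate SPICA-style behaviours per process over endpoint telemetry.

Constructed example: the telemetry schema below (fields ts, pid, image, event,
path, task, dst, upgrade) is hypothetical and does not match any real product.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BEHAVIOURS = ("decoy_pdf_write", "scheduled_task_create", "websocket_c2")

# Constructed sample telemetry (JSON lines). Host, task name and paths are
# placeholders, not real indicators.
SAMPLE_TELEMETRY = r"""
{"ts": "2024-01-18T10:00:01Z", "pid": 4120, "image": "Proton-decrypter.exe", "event": "process_start"}
{"ts": "2024-01-18T10:00:02Z", "pid": 4120, "event": "file_write", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\decoy.pdf"}
{"ts": "2024-01-18T10:00:03Z", "pid": 4120, "event": "scheduled_task_create", "task": "EXAMPLE-TASK-NAME"}
{"ts": "2024-01-18T10:00:05Z", "pid": 4120, "event": "network_connect", "dst": "c2.example.invalid:443", "upgrade": "websocket"}
{"ts": "2024-01-18T10:01:00Z", "pid": 5200, "image": "WINWORD.EXE", "event": "process_start"}
{"ts": "2024-01-18T10:01:10Z", "pid": 5200, "event": "file_write", "path": "C:\\Users\\u\\Documents\\report.pdf"}
{"ts": "2024-01-18T10:02:00Z", "pid": 5300, "image": "updater.exe", "event": "process_start"}
{"ts": "2024-01-18T10:02:01Z", "pid": 5300, "event": "scheduled_task_create", "task": "UpdateCheck"}
"""


def load_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(ev):
    """Map one telemetry event to a behaviour name from BEHAVIOURS, or None."""
    kind = ev.get("event")
    if kind == "file_write" and ev.get("path", "").lower().endswith(".pdf"):
        return "decoy_pdf_write"
    if kind == "scheduled_task_create":
        return "scheduled_task_create"
    if kind == "network_connect" and ev.get("upgrade", "").lower() == "websocket":
        return "websocket_c2"
    return None


def correlate(events, window=timedelta(minutes=10)):
    """Group observed behaviours by pid, keeping only events that occur within
    `window` of that pid's process_start. Returns {pid: (image, set(behaviours))}."""
    starts, images = {}, {}
    seen = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        pid = ev["pid"]
        if ev["event"] == "process_start":
            starts[pid] = t
            images[pid] = ev.get("image", "?")
            continue
        behaviour = classify(ev)
        if behaviour is None or pid not in starts:
            continue  # unknown event type, or no process_start seen for this pid
        if t - starts[pid] <= window:
            seen[pid].add(behaviour)
    return {pid: (images[pid], seen[pid]) for pid in seen}


def flag(events, min_behaviours=2):
    """Return [(pid, image, sorted behaviours)] for processes that show at
    least `min_behaviours` of the three correlated behaviours."""
    hits = []
    for pid, (image, behaviours) in sorted(correlate(events).items()):
        if len(behaviours) >= min_behaviours:
            hits.append((pid, image, sorted(behaviours)))
    return hits


if __name__ == "__main__":
    for pid, image, behaviours in flag(load_events(SAMPLE_TELEMETRY)):
        print(f"pid {pid} ({image}): {', '.join(behaviours)}")
```

Requiring two of the three behaviours within a short window of process start keeps a Word process that merely saves a PDF, or an updater that merely registers a task, out of the alert queue, while the decoy-plus-persistence-plus-C2 combination described above still surfaces.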
Extensive Campaign Timeline
Evidence suggests that COLDRIVER’s use of SPICA dates back to November 2022. Google TAG has identified multiple variants of the “encrypted” PDF lure, indicating the existence of different SPICA versions tailored to match the lure document sent to specific targets. This tailoring of lures to targets suggests a strategic and evolving approach by the nation-state actor.
Limited, Targeted Attacks
While Google TAG does not have visibility into the exact number of victims successfully compromised with SPICA, they suspect its deployment in “very limited, targeted attacks.” The focus appears to be on high-profile individuals in non-governmental organizations (NGOs), former intelligence and military officials, defense sectors, and NATO governments. This precision in targeting implies a concerted effort by COLDRIVER to pursue strategic objectives.
COLDRIVER Custom Malware – International Response
The revelation comes a month after the U.K. and U.S. governments imposed sanctions on two Russian members of COLDRIVER, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, for their involvement in spear-phishing operations. French cybersecurity firm Sekoia has further exposed links between Korinets and known infrastructure used by the group, comprising numerous phishing domains and multiple servers.
Unmasking Calisto
Sekoia suggests that Andrey Stanislavovich Korinets, a key COLDRIVER member, has expertise in domain registration – a skill likely utilized by Russian intelligence, either directly or through a contractor relationship. This finding helps trace how the COLDRIVER group has evolved and how its activities support Moscow’s strategic interests, with Sekoia revealing that “Calisto,” one of the tools used by COLDRIVER, contributes to Russian intelligence efforts.
Countermeasures
In response to the ongoing threat, Google TAG has taken proactive measures to disrupt the COLDRIVER custom malware campaign. They have added all known websites, domains, and files associated with the hacking group to Safe Browsing blocklists. While the exact impact on the number of compromised victims remains unknown, these efforts aim to prevent further exploitation by COLDRIVER.
Conclusion
The evolving tactics of COLDRIVER underscore the need for persistent cybersecurity measures. The deployment of SPICA, a custom backdoor, signifies an escalation in sophistication, allowing for a wide range of malicious activities. As international collaboration intensifies to counter such threats, the cybersecurity community remains vigilant in its efforts to protect high-profile individuals and organizations from the ever-evolving landscape of cyber attacks.
The sources for this piece include articles in The Hacker News and TechCrunch.