Russian threat group ColdRiver launches new malware campaign, say researchers

The Russian threat group ColdRiver – backed by the Kremlin and known for targeting high-ranking Western officials – has added malware to its arsenal of hacking tools.

New research from Google’s Threat Analysis Group (TAG) released Thursday found the group, typically known for its use of spear phishing attacks to gain access to a target's credentials, has been incorporating custom malware into its latest attacks.

ColdRiver, also referred to as UNC4057, Star Blizzard, and Callisto, was first observed by security researchers in 2016 but has been stepping up its attacks since the Russian invasion of Ukraine in March of 2022.

The group is thought to be connected to Russia’s notorious government intelligence arm known as the FSB.

ColdRiver has been steadfast in espionage-driven attacks against “high profile individuals in NGOs (non-governmental organizations), former intelligence and military officers, and NATO governments,” according to TAG.

In its credential phishing attacks, the group took its time to gain the trust of its targets, often through impersonation accounts, posing as an expert in a particular field or as an affiliate of the target, TAG said.

TAG says that once rapport is established with the target, ColdRiver will send the target a phishing link or a document containing a fake link designed to trick the target into handing over their credentials.

Last January, a Reuters report revealed that in the summer of 2022 ColdRiver had targeted three US nuclear research laboratories by emailing several nuclear scientists fake login pages for their respective facilities.

New SPICA malware campaign identified

ColdRiver’s new campaign involves the use of malware-laden links which, when opened, install a backdoor on the target’s system.

TAG said the group has been using “benign” PDFs to lure its intended targets since about November 2022.

The entire phishing process used by ColdRiver goes something like this:

  • Establish rapport with the target through a fake email account impersonating a likely colleague
  • Send PDF in an email asking target to review an op-ed document or article written by the fake person
  • When the user opens PDF, the text appears encrypted
  • If the target writes back that they cannot read the encrypted document, ColdRiver sends a fake link directing them to a “decryption utility”, which is in fact the backdoor malware dubbed SPICA.

[Figure: Sample of ColdRiver lure PDF. A seemingly encrypted PDF sent to lure targets into eventually downloading ColdRiver's own SPICA backdoor malware. Image by Google's Threat Analysis Group (TAG).]

Once executed, SPICA “decodes the embedded PDF, writes it to disk, and opens it as a decoy for the user,” while in the background establishing a connection to the command and control (C2) server run by the hackers, the research said.

TAG said they have observed four different variants of the initial “encrypted” PDF lure but have “only been able to successfully retrieve a single instance of SPICA… likely active around August and September 2023.”

The researchers also believe there are “multiple versions of the SPICA backdoor, each with a different embedded decoy document to match the lure document sent to targets.”

TAG said they were able to disrupt the identified campaign “by adding all known domains and hashes to Safe Browsing blocklists.”
