{"id":2382,"date":"2024-01-18T23:00:00","date_gmt":"2024-01-18T23:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/ics-ot-security\/russia-coldriver-apt-unleashes-custom-spica-malware"},"modified":"2024-01-18T23:00:00","modified_gmt":"2024-01-18T23:00:00","slug":"google-russias-coldriver-apt-unleashes-custom-spica-malware","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/01\/18\/google-russias-coldriver-apt-unleashes-custom-spica-malware\/","title":{"rendered":"Google: Russia’s ColdRiver APT Unleashes Custom ‘Spica’ Malware"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

The Russia-backed advanced persistent threat (APT) known as ColdRiver has taken a dive into the icy waters of custom malware, rolling out a proprietary backdoor called “Spica.” The use of malware represents a significant evolution in the group’s tactics, techniques, and procedures (TTPs), and one that potential targets need to take note of, researchers say \u2014 especially as election season looms.<\/span><\/p>\n

ColdRiver (aka Blue Charlie, Callisto, Star Blizzard, or UNC4057) typically targets NGOs, former intelligence and military officers, and NATO governments to carry out cyber espionage \u2014 and indeed, it last made headlines in December when Microsoft caught it lifting data from <\/span>British government higher-ups<\/a><\/span>.<\/span><\/p>\n

But as far as researchers knew, its modus operandi has always involved infiltrating accounts that house sensitive information <\/span>via long-con credential phishing<\/a><\/span>: i.e., impersonating a trusted source or expert, building rapport, and eventually down the line, sending a phishing link or document containing a link.<\/span><\/p>\n

It turns out, ColdRiver actually has an extended set of capabilities, according to research from Google’s Threat Analysis Group (TAG).<\/span><\/p>\n

“Recently, TAG has observed ColdRiver \u2026 delivering malware via campaigns using PDFs as lure documents,” Google TAG researchers explained in a <\/span>report on ColdRiver released today<\/a><\/span>. “In 2015 and 2016, TAG observed ColdRiver using the Scout implant that was leaked during the Hacking Team incident of July 2015. [But] Spica represents the first custom malware that we attribute being developed and used by ColdRiver.”<\/span><\/p>\n

The researchers tell Dark Reading that they don’t have visibility into the specific profiles or number of victims who have been successfully compromised with Spica, beyond noting the campaigns target Ukraine, NATO countries, academic institutions, and NGOs. However, “we believe that Spica was only used in very limited, targeted attacks,” aligning with ColdRiver’s known TTPs.<\/span><\/p>\n

Spica: A Spicy Little Backdoor Malware<\/span><\/h2>\n

As far as what the Spica attacks look like in practice, the Russian baddie delivers the malware using its trusty impersonation tactic, Google TAG researchers said, after building up a relationship with the target.<\/span><\/p>\n

“ColdRiver presents [PDF] documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted,” according to the report.<\/span><\/p>\n

When targets inevitably respond that they can’t read the encrypted document, ColdRiver sends a link, cleverly purporting to lead to a “decryption” utility \u2014 which is, of course, actually the Spica malware.<\/span><\/p>\n

Once executed, Spica opens a supposedly “decoded” PDF as a decoy, while quietly establishing persistence and hooking up with its command-and-control server (C2).<\/span><\/p>\n

Google TAG researchers broke down the binary, discovering that it’s <\/span>written in Rust<\/a><\/span>, and uses JSON over websockets for C2. In terms of capabilities, it’s a bit of a Swiss Army knife, with commands that include:<\/span><\/p>\n

\n