Russian Hacker Group ColdRiver Launches New Malware Campaign

ColdRiver, a Russian hacker group notorious for its spear phishing tactics to acquire target credentials, has recently launched a fresh malware campaign, as revealed by research from Google’s Threat Analysis Group (TAG).

Also tracked as UNC4057, Star Blizzard, and Callisto, ColdRiver first appeared on the radar of security researchers in 2016 but has significantly intensified its activities since the Russian invasion of Ukraine in March 2022. The group is suspected of being linked to Russia’s infamous government intelligence agency, the FSB.

ColdRiver has focused on espionage-driven attacks, primarily targeting high-profile individuals within NGOs, former intelligence and military personnel, and NATO governments, according to TAG. Its credential phishing campaigns take a patient approach: the operators gain the trust of their victims by assuming false identities, posing as experts in specific fields or as associates of the intended targets.

Once trust is established, ColdRiver proceeds to send phishing links or documents containing deceptive links, coaxing victims into divulging their credentials. In a disturbing revelation, Reuters reported that in the summer of 2022, ColdRiver targeted three U.S. nuclear research laboratories by dispatching fake login pages to nuclear scientists via email.

ColdRiver’s latest campaign revolves around the use of malware-laden links that, when clicked, install a backdoor on the victim’s system. TAG has noted the group’s use of seemingly harmless PDF files to entice targets since approximately November 2022.

The modus operandi employed by ColdRiver in their phishing attacks can be summarized as follows:

  • Build rapport with the target through a fake email account impersonating a plausible colleague.
  • Dispatch an email containing a PDF, asking the target to review an op-ed document or article supposedly authored by the impersonated individual.
  • When the user opens the PDF, the text appears encrypted.
  • If the target responds stating they cannot decipher the encrypted document, ColdRiver sends a fake link, purportedly leading to a “decryption utility” which is, in reality, the backdoor malware known as SPICA.

Upon execution, SPICA deciphers the embedded PDF, saves it to the disk, and opens it as a decoy for the user. Simultaneously, it clandestinely establishes a connection with the hackers’ command and control server (C2), as outlined in the research findings.

TAG has detected four distinct variants of the initial “encrypted” PDF lure but has successfully retrieved only a single instance of SPICA, likely active around August and September 2023. Researchers suspect that there are multiple versions of the SPICA backdoor, each accompanied by a distinct embedded decoy document, tailored to match the lure document dispatched to specific targets.

To thwart this identified campaign, TAG has taken proactive measures by adding all known domains and hashes to Safe Browsing blocklists.