FSB hackers launch spear phishing campaign to infect targets with Spica malware

Google Threat Analysis Group released a report detailing the new campaign of COLDRIVER threat group

FSB-related threat group COLDRIVER launches Spica malware

The hacking group known as COLDRIVER, also referred to as Callisto Group, UNC4057, and Star Blizzard, has been identified by Google's Threat Analysis Group (TAG) as evolving its espionage strategies.[1]

Historically known for spear-phishing campaigns targeting NATO countries, particularly the United States and the United Kingdom, COLDRIVER is believed to have close ties to the Russian state.[2] This connection is further supported by the indictment of two Russian nationals linked to the group by U.S. prosecutors in December.[3]

Recently, TAG has observed an increase in COLDRIVER's activities, with a shift towards more disruptive tactics, particularly targeting Ukraine and its NATO allies, academic institutions, and non-government organizations. This escalation follows Microsoft researchers' findings that the group had enhanced its ability to evade detection.[4]

The most significant aspect of this evolution is COLDRIVER's transition from traditional credential phishing to deploying malware through campaigns that use PDF documents as lures.

SPICA Backdoor and its functions

The new malware campaign by COLDRIVER involves a custom backdoor named SPICA, marking a notable development in the group's operational methods. SPICA, written in Rust and employing JSON over websockets for command and control, was first observed in use as early as September 2023 but is believed to have been in operation since at least November 2022.

The malware's capabilities are extensive, including executing shell commands, stealing cookies from various web browsers, and uploading, downloading, and exfiltrating documents. It is delivered through seemingly benign PDF documents sent from impersonated email accounts.

An additional alarming feature of SPICA is its document exfiltration capability. Once installed on a device, it can snoop through and steal documents, posing a significant threat to intellectual property and sensitive information. The malware establishes persistence on the infected devices using an obfuscated PowerShell command, which creates a “CalendarChecker” scheduled task. This persistence mechanism ensures the malware remains active and undetected over long periods, even if the device is rebooted.

When targets are unable to open these PDFs, which appear encrypted, they are provided a link to a so-called decryption utility, which is, in fact, the SPICA backdoor. Despite being targeted and limited in its use, the sophistication and custom nature of SPICA indicate a significant advancement in the group's cyber-espionage capabilities.
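As a defender-side illustration of the persistence mechanism described above, here is an added example (it is not code from the TAG report or from this article) that reviews scheduled-task creation records for the two traits reported: a task named CalendarChecker and a PowerShell action carrying an encoded command. The record layout, the field names and the sample payload are assumptions constructed for the example, modelled loosely on Windows Security event 4698.

```python
import base64
import re

# Constructed sample records modelled loosely on Windows Security event 4698
# (a scheduled task was created). All values below are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\CalendarChecker", "Command": "powershell.exe",
     "Arguments": "-NoP -W Hidden -Enc " + base64.b64encode(
         "Start-Process C:\\PLACEHOLDER\\payload.exe".encode("utf-16-le")).decode()},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": "%windir%\\system32\\defrag.exe", "Arguments": "-c -h -o -$"},
    {"EventID": 4698, "TaskName": "\\Updater", "Command": "cmd.exe", "Arguments": "/c whoami"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match any "-e..." switch and check the prefix rule afterwards.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(arguments):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    for flag, blob in ENC_FLAG.findall(arguments):
        if not "encodedcommand".startswith(flag.lower()):
            continue  # e.g. -ExecutionPolicy is not the encoded-command switch
        try:
            return base64.b64decode(blob).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def assess_task(event):
    """Return the reasons a task-creation record resembles the reported persistence."""
    reasons = []
    if event.get("EventID") != 4698:
        return reasons
    if event["TaskName"].lower().lstrip("\\") == "calendarchecker":
        reasons.append("task name matches the CalendarChecker task reported by TAG")
    is_ps = "powershell" in event["Command"].lower()
    decoded = decode_encoded_command(event["Arguments"]) if is_ps else None
    if decoded is not None:
        reasons.append("powershell -EncodedCommand payload: " + decoded)
    if is_ps and re.search(r"(?i)-w[a-z]*\s+hidden", event["Arguments"]):
        reasons.append("powershell launched with a hidden window")
    return reasons


def scan(events):
    """Map task name -> reasons for every record that raised at least one reason."""
    findings = {}
    for event in events:
        reasons = assess_task(event)
        if reasons:
            findings[event["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Decoding the encoded command is what turns an opaque base64 blob into something an analyst can read and match against the reported behaviour; a task name alone is easy for an operator to change.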

New developments attracted international attention

The operational methodology of COLDRIVER involves sophisticated social engineering tactics. The group researches targets on social media, creates fake profiles to build rapport, and uses web-based email accounts to impersonate known figures or contacts of the target.

This approach is complemented by targeting personal email accounts of high-profile individuals, which are typically less secure than official government inboxes. The recent campaigns have focused on high-profile individuals in NGOs, former intelligence and military officials, defense sectors, and NATO governments.

In response to these threats, Google has taken proactive measures by adding all identified websites, domains, and files related to these attacks to its Safe Browsing service. This action aims to block further targeting of Google users and mitigate the impact of these campaigns:[1]

TAG also sends all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity and encourages potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.

Additionally, these malicious activities have attracted the attention of international law enforcement and intelligence communities, with the U.S. State Department offering substantial rewards for information leading to the identification or location of threat actors.

About the author
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
