ColdRiver, a Russian spy group, known for stealing credentials, now uses poisoned PDFs in phishing attacks. Google warns of new tactics. (Getty Images)
In a recent report, Google's Threat Analysis Group (TAG) has issued a warning about a Russian-based espionage group, commonly known as ColdRiver, UNC4057, Star Blizzard, or Callisto, infamous for pilfering login credentials from government and military officials. The group has expanded its tactics by incorporating poisoned PDF attachments in phishing messages, leading unsuspecting victims to unwittingly download malware.
ColdRiver typically targets high-profile individuals within non-governmental organizations, such as think tanks, universities, former intelligence and military officers, NATO governments, and Ukraine. To carry out their schemes, the group creates deceptive online personas, posing as experts or individuals associated with the target. This impersonation tactic aims to establish a connection with the target, thereby increasing the success rate of their phishing campaigns.
According to TAG, ColdRiver has been observed sending benign PDF documents to targets since November 2022. These documents are presented as new op-eds or articles seeking feedback from the target. When opened, the benign PDF appears encrypted. If the target expresses difficulty reading the document, ColdRiver responds with a link to a supposed 'decryption' utility hosted on a cloud storage site. Unbeknownst to the victim, this utility is, in fact, a backdoor named SPICA, granting ColdRiver unauthorized access to the victim's machine.
While SPICA was first detected in September, Google believes it was utilized nearly a year prior, marking the first custom malware attributed to ColdRiver. This backdoor, developed in Rust, utilizes JSON over websockets for command and control, allowing it to steal browser cookies, upload and download files, and list the contents of file systems. The backdoor ensures persistence through an obfuscated PowerShell command, creating a scheduled task named CalendarChecker.
The report also provides the latest indicators of compromise to aid organizations in identifying potential threats. Notably, ColdRiver made headlines recently for allegedly targeting three U.S. nuclear research laboratories—Brookhaven (BNL), Argonne (ANL), and Lawrence Livermore National Laboratories (LLNL) in 2023. Reports suggest that the hackers employed fake login pages and emails to nuclear scientists, attempting to extract their passwords.
Microsoft, among other cybersecurity firms, has been actively working to disrupt ColdRiver, referring to them as Star Blizzard. In a December report, Microsoft highlighted the group's efforts to enhance its detection evasion capabilities, emphasizing the ongoing battle between cybersecurity entities and sophisticated threat actors like ColdRiver.
