Russian threat group delivering malware via campaigns using PDFs: Google


New Delhi, Jan 19 (IANS): Google researchers have observed that the notorious Russian threat group -- COLDRIVER, focused on credential phishing activities, has now gone beyond it by delivering "malware via campaigns using PDFs as lure documents".

COLDRIVER, also known as 'UNC4057', 'Star Blizzard' and 'Callisto' has focused on credential phishing against Ukraine, NATO countries, academic institutions and NGOs.

In order to gain the trust of targets, the group often utilises impersonation accounts, pretending to be an expert in a particular field or somehow affiliated with the target.

According to new research by Google’s Threat Analysis Group (TAG), COLDRIVER has increased its activity in recent months and is now using new tactics that can cause more disruption to its victims.

"As far back as November 2022, TAG has observed COLDRIVER sending targets benign PDF documents from impersonation accounts," Google said in a blogpost on Thursday.

The threat group presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted, the researchers explained.

If the target responds that they cannot read the encrypted document, the COLDRIVER impersonation account responds with a link, usually hosted on a cloud storage site, to a “decryption” utility for the target to use.

"This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving COLDRIVER access to the victim’s machine," the researchers said.

In 2015 and 2016, TAG observed COLDRIVER using the Scout implant that was leaked during the Hacking Team incident of July 2015.

SPICA represents the first custom malware that the TAG researchers attribute to being developed and used by COLDRIVER.

The researchers have observed SPICA being used as early as September 2023, but believe that COLDRIVER’s use of the backdoor goes back to at least November 2022.

 

  

Top Stories


Leave a Comment

Title: Russian threat group delivering malware via campaigns using PDFs: Google



You have 2000 characters left.

Disclaimer:

Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. Daijiworld.com will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will Daijiworld.com be held responsible.