The Coldriver cybercrime collective aims at influential figures to gain access information. Google’s Threat Analysis Group (TAG) has released insights about a faction they’ve christened as Coldriver. This group’s primary quarry includes noteworthy personas in non-governmental organizations (NGOs), ex-intelligence and military authorities, and NATO administrations. These individuals are targeted via spear phishing onslaughts.
This team employs tactics of social manipulation to convince their victims to access files or install harmful software. Their actions closely mirror those of the Russian administration, thus it’s quite justifiable to infer that Coldriver is a group backed by the state.
In the final month of 2023, the United States authorities accused a pair of individuals, thought to be part of this collective, originating from Russia. Their charges were in relation to their participation in a scheme that
Microsoft, which identifies the group under the name Star Blizzard, has reported that this group aims at people and organizations that are engaged in global affairs, defense, and the provision of logistics aid to Ukraine. In addition, it targets academic institutions, cybersecurity firms, and other bodies that coincide with the interests of the Russian state.
Usually, the team sets up a fake account, posing as a specialist in an area that could potentially pique the target’s interest or is in some way linked to the target. After building a rapport, the target would then receive a deceptive link or a document embedded with such a link.
Coldriver employs social media and sophisticated marketing platforms to cultivate a comprehensive profile of its intended audience. Utilizing this data, the group establishes email connections, social media, and other networking accounts that resonate with the audience’s preferences and seem authentic.
Coldriver employs a variety of webmail addresses from providers such as Outlook, Gmail, Yahoo, and Proton Mail for their initial contact. They often pose as familiar contacts of the individual they’re targeting or as recognizable figures in the target’s area of interest or industry. Additionally, it’s not unheard of for the group to create malicious domains that mirror the appearance of legitimate organizations.
Lately, TAG has identified that the group utilizes “bait documents” to set up a hidden passage in the target’s system. These bait documents, innocuous PDF files, are dispatched to the target. However, upon opening them, the content seems to be coded.
If the subject inquires about the encryption, Coldriver responds by sending them a link to what they claim is a decryption tool, generally stored on a cloud-based platform. This alleged decryption tool presents the subject with a standard PDF file, giving the illusion that the original file has been decrypted. However, it concurrently plants a backdoor.
This concealed entry point is a tailored harmful software, presumably created by or specifically for Coldriver, and it goes by the name Spica. Spica is crafted using the Rust coding language and it is compatible with, among other things, the following commands:
The backdoor secures its ongoing operation via a concealed PowerShell command, which sets up a scheduled task known as CalendarChecker.
TAG theorizes but hasn’t been able to confirm that there are several versions of Spica: one corresponding to each bait document dispatched to potential victims.