UPDATED 14:28 EDT / JANUARY 18 2024

SECURITY

Google disrupts malware campaign run by Russia-linked hacking group

Google LLC’s TAG research team, which tracks state-backed hacking groups, has disrupted a malware campaign launched by a Russian threat actor. 

The search giant detailed the operation in a blog post today. The hacking group behind the disrupted malware campaign is tracked as Coldriver by researchers. It focuses on carrying out phishing attacks against individuals who work at government agencies, nongovernmental agencies and other organizations.

The malware campaign that Google blocked employed a different tactic, the search giant’s researchers determined. Coldriver didn’t simply target its intended victims with phishing emails as it has done in the past, but rather sent them a malware-laden file. Google detailed that the file used in the campaign is the first known example of custom malware developed by the hacking group.

According to the company, the campaign used a variation of a breach tactic that the hacking group has employed multiple times in the past.

First, the hackers created “impersonation accounts pretending to be an expert in a particular field or somehow affiliated with the target,” Google researcher Wesley Shields detailed in today’s blog post. Coldriver used the accounts to build rapport with the intended victim. After gaining targets’ trust, the hacking group tricked them into clicking a link that led to a malicious file.

Coldriver lured victims into clicking the link by sending them a PDF article from an impersonation account that had earlier gained their trust. The targeted individuals were asked to review the article, but when they attempted to open the PDF file, they were greeted with an encrypted text snippet. If they asked for an unencrypted copy, Coldriver’s impersonation account responded with a link to a cloud-hosted “decryption utility” dubbed SPICA that was in fact a backdoor. 

Google’s researchers determined that the backdoor is written in the Rust programming language. After infecting a user’s computer, SPICA runs a PowerShell script that in turn registers a scheduled task, that is, a program configured to run at a specified time. That program can steal several types of data from the victim’s machine, including documents and browser cookies.

“Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user,” Shields detailed. “In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute.”

The malware interacts with remote command-and-control servers operated by Coldriver using the WebSockets networking protocol. According to Google, it sends data over the protocol in the widely used JSON format. Google believes that Coldriver began using the malware in November 2022 or earlier and has created multiple versions of it.
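A defender-side hunt for the behaviour chain described above (a dropper that writes a decoy PDF, spawns PowerShell to register a scheduled task, and then opens an outbound channel), as an added example that is not part of the article or of Google’s report; the Sysmon-like JSON event format, process names, paths and addresses are all constructed for illustration.

```python
"""Correlate endpoint events by process to flag the SPICA-style chain:
PowerShell child registering a scheduled task + outbound connection from
the same parent, with a written PDF as supporting evidence."""
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs, not Google's indicators).
SAMPLE_LOG = r"""
{"event":"ProcessCreate","pid":4100,"ppid":900,"image":"C:\\Users\\a\\Downloads\\decrypt.exe","cmd":"decrypt.exe"}
{"event":"FileCreate","pid":4100,"path":"C:\\Users\\a\\AppData\\Local\\Temp\\article.pdf"}
{"event":"ProcessCreate","pid":4120,"ppid":4100,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell -w hidden Register-ScheduledTask -TaskName Updater"}
{"event":"NetworkConnect","pid":4100,"dst":"203.0.113.7","dport":443}
{"event":"ProcessCreate","pid":5000,"ppid":900,"image":"C:\\Program Files\\Acrobat\\Acrobat.exe","cmd":"Acrobat.exe report.pdf"}
{"event":"NetworkConnect","pid":5000,"dst":"198.51.100.9","dport":443}
"""

# Both the schtasks CLI and the PowerShell cmdlet create scheduled tasks.
SCHED_TASK = re.compile(r"schtasks(\.exe)?\s+/create|register-scheduledtask", re.I)

PERSIST = "persistence:scheduled-task-via-powershell"
C2 = "c2:outbound-connection"
DECOY = "decoy:pdf-written"


def parse_events(log_text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def hunt(log_text):
    """Return {pid: [indicators]} only for processes that show both the
    persistence step and an outbound connection; a dropped PDF is extra
    evidence but not required, so a lone PDF reader is never flagged."""
    hits = defaultdict(set)
    for ev in parse_events(log_text):
        if ev["event"] == "ProcessCreate":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if image == "powershell.exe" and SCHED_TASK.search(ev["cmd"]):
                hits[ev["ppid"]].add(PERSIST)   # credit the parent, not PowerShell
        elif ev["event"] == "FileCreate" and ev["path"].lower().endswith(".pdf"):
            hits[ev["pid"]].add(DECOY)
        elif ev["event"] == "NetworkConnect":
            hits[ev["pid"]].add(C2)
    return {pid: sorted(ind) for pid, ind in hits.items()
            if PERSIST in ind and C2 in ind}


if __name__ == "__main__":
    for pid, indicators in hunt(SAMPLE_LOG).items():
        print(pid, indicators)
```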

To disrupt the hacking campaign, the search giant added the domains through which Coldriver coordinated malware attacks to Google Safe Browsing. This is a public database of malicious domains that helps organizations block cyberattacks. Google has also published several indicators of compromise, data points that administrators can use to determine whether a system may have been targeted by Coldriver malware.
