New Delhi, January 19: Google researchers have observed that the notorious Russian threat group -- COLDRIVER, focused on credential phishing activities, has now gone beyond it by delivering "malware via campaigns using PDFs as lure documents". COLDRIVER, also known as 'UNC4057', 'Star Blizzard' and 'Callisto' has focused on credential phishing against Ukraine, NATO countries, academic institutions and NGOs.
In order to gain the trust of targets, the group often utilises impersonation accounts, pretending to be an expert in a particular field or somehow affiliated with the target. According to new research by Google’s Threat Analysis Group (TAG), COLDRIVER has increased its activity in recent months and is now using new tactics that can cause more disruption to its victims. Cyberattacks 2024: Vans Footwear Maker ‘VF Corp’ Admits Hackers Stole Personal Data of 35.5 Million Customers.
"As far back as November 2022, TAG has observed COLDRIVER sending targets benign PDF documents from impersonation accounts," Google said in a blogpost on Thursday. The threat group presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted, the researchers explained.
If the target responds that they cannot read the encrypted document, the COLDRIVER impersonation account responds with a link, usually hosted on a cloud storage site, to a “decryption” utility for the target to use. "This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving COLDRIVER access to the victim’s machine," the researchers said. Samsung Galaxy S24 Series: 'It Is Important To Honour Users’ Privacy With AI Phones', Says JB Park, President and CEO of Samsung India.
In 2015 and 2016, TAG observed COLDRIVER using the Scout implant that was leaked during the Hacking Team incident of July 2015. SPICA represents the first custom malware that the TAG researchers attribute to being developed and used by COLDRIVER. The researchers have observed SPICA being used as early as September 2023, but believe that COLDRIVER’s use of the backdoor goes back to at least November 2022.
(The above story first appeared on LatestLY on Jan 19, 2024 02:21 PM IST. For more news and updates on politics, world, sports, entertainment and lifestyle, log on to our website latestly.com).