A well-established and prolific threat group that has focused on phishing and hack-and-leak operations in the last few years has begun to move up the food chain recently, employing a new backdoor known as SPICA in attacks on members of NATO government agencies, NGOs, and other sensitive organizations.
Researchers with Google’s Threat Analysis Group (TAG) have observed the group it refers to as COLDRIVER using the SPICA malware in operations targeting high-profile individuals since at least September. COLDRIVER, also known as Callisto and BlueCharlie, is a group that has been active for about seven years and is known to operate in the interests of the Russian government. Security researchers have followed the group’s activities closely for many years, and last year several research groups exposed some of COLDRIVER’s infrastructure and campaigns. COLDRIVER responded quickly, shifting tactics and techniques and spinning up new domains and infrastructure.
Now, the group has evolved again, moving from mainly credential-theft operations to the deployment of malware to maintain persistence on target machines and gather information over a longer period of time. The current campaign involves the use of phishing lures in the form of emails from an account impersonating someone known to the victim. The messages include a harmless PDF purporting to be an op-ed submission or other written piece that the sender is requesting feedback on. The PDF includes some random text that is meant to make it look as if the document is encrypted, prompting the victim to reply to the sender that the text is unreadable.
“If the target responds that they cannot read the encrypted document, the COLDRIVER impersonation account responds with a link, usually hosted on a cloud storage site, to a “decryption” utility for the target to use. This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving COLDRIVER access to the victim’s machine,” Wesley Shields of TAG said in an analysis of the campaign.
SPICA has a number of functions, including stealing cookies from major browsers such as Chrome and Firefox, downloading and uploading files, and running arbitrary shell commands. The backdoor also carries an embedded PDF, which it writes to disk and displays to the victim as a benign decoy. SPICA connects to a remote C2 server and establishes persistence on the machine by creating a scheduled task.
“TAG has observed SPICA being used as early as September 2023, but believe that COLDRIVER’s use of the backdoor goes back to at least November 2022. While TAG has observed four different variants of the initial “encrypted” PDF lure, we have only been able to successfully retrieve a single instance of SPICA,” Shields said.
“We believe there may be multiple versions of the SPICA backdoor, each with a different embedded decoy document to match the lure document sent to targets.”
The shift in tactics by COLDRIVER is similar to what Microsoft researchers recently observed with Mint Sandstorm, an Iranian threat actor. That group also has historically relied on phishing campaigns to facilitate credential theft and espionage, but recently began deploying a custom backdoor called MediaPI. The evolution of both groups shows that actors that find success with one tactic won't necessarily hesitate to adopt new tools and techniques when it suits their purpose.