Google TAG: Kremlin cyber spies move into malware with a custom backdoor

The threat hunters believe COLDRIVER has used SPICA since at least November 2022


Russian cyberspies linked to the Kremlin's Federal Security Service (FSB) are moving beyond their usual credential phishing antics and have developed a custom backdoor that they started delivering via email as far back as November 2022, according to Google's Threat Analysis Group.

TAG tracks this crew as COLDRIVER, while other threat hunters call the government-backed gang Star Blizzard, UNC4057 and Callisto. The gang has been active since at least 2019, and historically targets academia, the military, governmental orgs, NGOs, think tanks, and politicians in the US, the UK and other NATO countries.

Since Russia invaded its neighbor in February 2022, COLDRIVER has also stepped up its snooping activities against Ukraine's military and defense targets as well as those of other Eastern European nations.

It turns out they're moving into malware with a backdoor called SPICA. It's written in Rust and uses JSON over WebSockets for command and control (C2), we're told.

Once executed on a victim's device, it has several capabilities including executing shell commands, stealing cookies from Chrome, Firefox, Opera and Edge; uploading and downloading files; and snooping through and stealing documents.

"TAG has observed SPICA being used as early as September 2023, but believe that COLDRIVER's use of the backdoor goes back to at least November 2022," the Chocolate Factory's threat hunting team said in an analysis published today. 

SPICA is the first custom malware that TAG attributes to the Kremlin-backed group. 

In addition to publishing details about the backdoor and how the campaign works, the Chocolate Factory also posted an extensive list of indicators of compromise including hashes, the SPICA sample name, and C2 address.

These expeditions tend to be highly targeted, focusing on "high-profile individuals in NGOs, former intelligence and military officials, defense, and NATO governments," Google TAG's Billy Leonard told The Register.

"TAG has only observed SPICA used in a very small number of campaigns, targeting a small number of organizations and individuals," Leonard said.

To deliver the malware, COLDRIVER relies on its older, tried-and-true tactics.

The criminals research their targets on social media, creating fake profiles and messaging their marks to build rapport. 

They also use web-based email accounts that impersonate someone the target knows or a well-known industry figure, and go after high-profile individuals' personal email accounts, which are usually less protected than the same individuals' official government inboxes. 

Just last month the Five Eyes' government agencies and Microsoft issued separate reports about COLDRIVER's increasingly sophisticated evasion techniques and phishing tactics.

"As far back as November 2022, TAG has observed COLDRIVER sending targets benign PDF documents from impersonation accounts," the Chocolate Factory said in today's account of the gang's evolving espionage efforts.

The crew uses the impersonation accounts to pass these documents off as op-eds, or some other article the sender is hoping to publish. The victim can open the benign PDF, we're told, but its text appears to be encrypted.

It isn't, but this usually prompts a return email from the victim saying they can't read the doc. The phony account then responds with a link to a "decryption" utility that is actually the SPICA backdoor.
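The lure works because "looks like gibberish" and "is encrypted" are not the same thing, and a PDF records the difference itself: real PDF encryption is declared by an /Encrypt entry in the trailer (or in a PDF 1.5+ cross-reference stream), and a file without one cannot need a "decryption utility". The following check is an added example written for this article, not code from Google TAG and not anything attributed to COLDRIVER; the two sample PDFs are constructed inline for the demo, and the dictionary scanner is a deliberately small heuristic rather than a full PDF tokenizer.

```python
import re
from typing import Optional

# Constructed sample PDFs for this example (not real COLDRIVER lures).
# DECOY_PDF is a valid, unencrypted file whose only visible text is
# keyboard mash, so a reader sees gibberish and assumes "encrypted".
DECOY_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 46 >> stream
BT /F1 12 Tf 72 720 Td (x8#Qz@!kLm9^&vB) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# ENCRYPTED_PDF is the same skeleton with a standard-security-handler
# /Encrypt dictionary referenced from the trailer, which is what a
# genuinely password-protected PDF carries (stream bytes are a stand-in).
ENCRYPTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 16 >> stream
<encrypted data>
endstream endobj
5 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 /O <0000> /U <0000> >> endobj
trailer << /Root 1 0 R /Encrypt 5 0 R /ID [<01> <01>] >>
%%EOF
"""


def _dict_after(data: bytes, start: int) -> bytes:
    """Return the balanced << ... >> dictionary that begins at or after start.

    Heuristic: counts << and >> tokens only, so an unusual hex string
    such as <01>>> would confuse it; good enough for triage, not parsing.
    """
    open_idx = data.find(b"<<", start)
    if open_idx < 0:
        return b""
    depth, i = 0, open_idx
    while i < len(data):
        if data.startswith(b"<<", i):
            depth, i = depth + 1, i + 2
        elif data.startswith(b">>", i):
            depth, i = depth - 1, i + 2
            if depth == 0:
                return data[open_idx:i]
        else:
            i += 1
    return data[open_idx:]


def _trailer_dicts(data: bytes) -> list:
    """Collect every classic trailer plus any cross-reference stream dict."""
    dicts = [_dict_after(data, m.end()) for m in re.finditer(rb"\btrailer\b", data)]
    # PDF 1.5+ may replace the trailer with an xref stream carrying the same keys.
    for m in re.finditer(rb"/Type\s*/XRef", data):
        start = data.rfind(b"<<", 0, m.start())
        if start >= 0:
            dicts.append(_dict_after(data, start))
    return dicts


def _encrypt_dict(data: bytes, trailer: bytes) -> bytes:
    """Resolve the /Encrypt value, whether an indirect reference or inline."""
    idx = trailer.find(b"/Encrypt")
    ref = re.match(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", trailer[idx:])
    if ref:  # indirect reference: locate "N G obj" in the file body
        obj = re.search(rb"(?<!\d)%s\s+%s\s+obj" % (ref.group(1), ref.group(2)), data)
        return _dict_after(data, obj.end()) if obj else b""
    return _dict_after(trailer, idx + len(b"/Encrypt"))  # direct dictionary


def pdf_encryption_status(data: bytes) -> dict:
    """Report what the PDF's own structure declares about encryption."""
    status = {"encrypted": False, "filter": None, "version": None}
    for trailer in _trailer_dicts(data):
        if b"/Encrypt" not in trailer:
            continue
        status["encrypted"] = True
        enc = _encrypt_dict(data, trailer)
        f = re.search(rb"/Filter\s*/(\w+)", enc)
        v = re.search(rb"/V\s+(\d+)", enc)
        status["filter"] = f.group(1).decode() if f else None
        status["version"] = int(v.group(1)) if v else None
        break
    return status


def triage_lure(data: bytes, sender_claims_encrypted: bool = True) -> str:
    """Verdict for a PDF whose sender says it needs a decryption tool."""
    s = pdf_encryption_status(data)
    if s["encrypted"]:
        return f"encrypted ({s['filter']} handler, V={s['version']}); a viewer will prompt for a password"
    if sender_claims_encrypted:
        return "NOT encrypted: the file opens as-is, so any offered 'decryption utility' is a malware lure"
    return "not encrypted"


if __name__ == "__main__":
    print("decoy:", triage_lure(DECOY_PDF))
    print("real:", triage_lure(ENCRYPTED_PDF))
```

One caveat for anyone wiring this into mail-gateway triage: an /Encrypt entry with an empty user password (owner-password-only PDFs are common) opens silently in every viewer, so "encrypted" alone does not mean the recipient will ever see a password prompt; the decisive signal for this lure is the absence of /Encrypt in a file the sender insists is locked.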

While the threat hunters were only able to snag one instance of the malware to analyze, they believe there are multiple versions of SPICA, each using a different decoy PDF. ®
