Google says a group of Russian state-sponsored hackers is sending PDFs that appear to be encrypted in order to trick victims into running a "decryption" tool that is actually malware.
On Thursday, the company published a blog post documenting a new phishing tactic from Coldriver, a hacking group that the US and UK suspect works for the Russian government. A year ago, news emerged that Coldriver targeted three US nuclear research laboratories.
Like many other threat actors, Coldriver tries to compromise a victim's computer with phishing messages that eventually deliver malware.
“Coldriver often utilizes impersonation accounts, pretending to be an expert in a particular field or somehow affiliated with the target,” the company added. “The impersonation account is then used to establish a rapport with the target, increasing the likelihood of the phishing campaign’s success, and eventually sends a phishing link or document containing a link.”
To fool a target into installing the malware, Coldriver sends a written article as a PDF and asks for feedback. Although the PDF itself is safe to open, the text inside appears to be encrypted.
“If the target responds that they cannot read the encrypted document, the Coldriver impersonation account responds with a link, usually hosted on a cloud storage site, to a ‘decryption’ utility for the target to use,” Google said. “This decryption utility, while also displaying a decoy document, is in fact a backdoor.”
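The social trick here is that a genuinely encrypted PDF announces itself to the reader, which prompts for a password; it never needs a separately downloaded executable. The following Python triage check is an added illustration, not code from Google's post or from the article: it inspects whether a PDF actually declares encryption (the `/Encrypt` entry in the trailer or cross-reference stream dictionary) and classifies the "unreadable document plus helper tool" pattern. Both PDF bodies are constructed minimal files, not samples from the campaign; the verdict labels and the `looks_like_decrypter` name pattern are this example's own conventions, and the only campaign-specific value used is the "Proton-decrypter.exe" filename the article reports.

```python
import re
from typing import Optional

# Constructed minimal PDF bodies for the example (not real campaign samples).
# A genuinely encrypted PDF declares it in the trailer: /Encrypt points at the
# encryption dictionary and the viewer itself asks for a password.
ENCRYPTED_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"5 0 obj << /Filter /Standard /V 5 /R 6 /Length 256 /P -1 >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 5 0 R /ID [<00> <00>] >>\n"
    b"%%EOF\n"
)

# A lure that only *looks* encrypted: an ordinary, unencrypted PDF whose page
# text is gibberish. Nothing in its structure says "encrypted", so there is
# nothing for an external "decrypter" to do.
LURE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 38 >> stream\n"
    b"BT /F1 12 Tf (x9Qv#LmP!z2RkT@8w) Tj ET\n"
    b"endstream endobj\n"
    b"trailer << /Root 1 0 R >>\n"
    b"%%EOF\n"
)

# /Encrypt followed by an indirect reference (N G R) or an inline dictionary.
# Scanning raw bytes is a triage heuristic: the token could in theory appear
# inside a string or stream, so treat a hit as "declares encryption", not proof.
ENCRYPT_ENTRY = re.compile(rb"/Encrypt\s*(?:\d+\s+\d+\s+R|<<)")

# Executable names that advertise themselves as a decryption helper.
DECRYPTER_NAME = re.compile(r"decrypt|decipher|unlock", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".msi", ".scr", ".com", ".bat", ".cmd", ".ps1")


def pdf_declares_encryption(data: bytes) -> bool:
    """True if the PDF carries an /Encrypt entry (trailer or xref-stream dict)."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF: missing %PDF- header")
    return ENCRYPT_ENTRY.search(data) is not None


def looks_like_decrypter(filename: str) -> bool:
    """True for an executable whose name promises to decrypt something."""
    name = filename.strip().lower()
    return name.endswith(EXECUTABLE_EXT) and DECRYPTER_NAME.search(name) is not None


def triage(pdf: bytes, offered_tool: Optional[str]) -> str:
    """Classify the document/tool pair described in the article.

    Verdicts (labels chosen for this example):
      'plain'              unencrypted PDF, no tool offered
      'password-protected' PDF really is encrypted; the viewer will ask for a password
      'lure'               PDF is NOT encrypted, yet a 'decrypter' executable is offered:
                           the tool, not the document, is the payload
      'suspicious-tool'    PDF is encrypted but an executable is still pushed; a real
                           password never requires running a downloaded binary
      'tool-offered'       some non-executable / non-decrypter file was suggested
    """
    encrypted = pdf_declares_encryption(pdf)
    if offered_tool is None:
        return "password-protected" if encrypted else "plain"
    if not looks_like_decrypter(offered_tool):
        return "tool-offered"
    return "suspicious-tool" if encrypted else "lure"


if __name__ == "__main__":
    # Mirrors the exchange in the article: an unreadable PDF, then a link to
    # a "decrypter" hosted on cloud storage.
    print(triage(LURE_PDF, "Proton-decrypter.exe"))       # lure
    print(triage(ENCRYPTED_PDF, "Proton-decrypter.exe"))  # suspicious-tool
    print(triage(LURE_PDF, None))                         # plain
```

The useful takeaway for a help desk or mail-security playbook is the asymmetry: the encryption state of the document can be verified offline in seconds, while the offered tool can only be judged by running it. Any workflow in which a sender supplies both an "encrypted" file and the binary to open it should be treated as a delivery chain for the binary.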
The backdoor, dubbed Spica, appears to be the first custom malware Coldriver has developed, Google says. Once installed, it can execute commands, steal cookies from the user's browser, upload and download files, and exfiltrate documents from the computer.
Google says it’s “observed Spica being used as early as September 2023, but believe that Coldriver’s use of the backdoor goes back to at least November 2022.” A total of four encrypted PDF lures were spotted, but Google only managed to retrieve a single sample of Spica, which arrived as a tool called “Proton-decrypter.exe.”
The company adds that Coldriver's goal has been to steal login credentials from users and groups connected to Ukraine, NATO, academic institutions, and NGOs. To protect users, Google added the domains and files tied to the campaign to Safe Browsing, which blocks them in Google products.
Google published the report a month after UK and US cyber authorities jointly warned that Coldriver, also known as Star Blizzard, "continues to successfully use spear-phishing attacks" to hit targets in the UK.
“Since 2019, Star Blizzard has targeted sectors including academia, defense, governmental organizations, NGOs, think tanks and politicians,” the US Cybersecurity and Infrastructure Security Agency said. “During 2022, Star Blizzard activity appeared to expand further, to include defense-industrial targets, as well as US Department of Energy facilities.”