Russia’s FSB-sponsored Cybercriminals Utilize Innovative Spica Malware

Russia’s notorious hacker group, ColdRiver, backed by the Federal Security Service (FSB), has recently unleashed a new wave of cyberattacks. The group has deployed a unique backdoor malware, dubbed “Spica,” that impersonates a PDF decryption tool. This development marks a significant evolution in the hacker group’s tactics, techniques, and procedures (TTPs), which potential targets should take note of, particularly with the upcoming election season.

The ColdRiver Hacker Group

First observed in late 2015, ColdRiver is known for its operators’ open-source intelligence (OSINT) and social engineering skills, which they use to research targets and lure them in spear-phishing attacks. The group has been tracked under various aliases, including Callisto Group, Seaborgium, and Star Blizzard.

ColdRiver primarily targets NGOs, former intelligence and military officers, and NATO governments to carry out cyber espionage. Their usual method of infiltration involves credential phishing, impersonating a trusted source or expert, and building rapport over time. Eventually, a phishing link or document containing a link is sent to the unsuspecting target.

How Spica Works

In what marks a significant evolution in ColdRiver’s TTPs, the group has recently started using a custom malware, named “Spica,” to compromise their targets. Unveiled by the researchers at Google’s Threat Analysis Group (TAG), Spica is the first custom malware attributed to ColdRiver.

Spica operates by masquerading as a PDF decryption utility. The attackers send seemingly encrypted PDF documents via phishing emails, impersonating individuals affiliated with their targets. When the recipients reply that they can’t read the ‘encrypted’ documents, they’re sent a link to download what looks like a PDF decryptor executable. However, this “decryptor” is, in fact, the Spica malware.

After execution, Spica displays a decoy PDF document while simultaneously backdooring the victims’ devices. It establishes persistence and communicates with its command-and-control (C2) server.

Spica, written in Rust and using JSON over websockets for C2, is a versatile malware with a broad range of capabilities. These include executing arbitrary shell commands, stealing cookies from Chrome, Firefox, Opera, and Edge, uploading and downloading files, listing the contents of the filesystem, and enumerating and exfiltrating documents in an archive.

Evolution of ColdRiver’s TTPs

ColdRiver’s tactics have consistently evolved to keep researchers off their trail. As an example, in August they moved their entire attack and phishing infrastructure to a network of 94 new domains. The integration of custom malware like Spica into their campaigns gives them a broader range of capabilities for conducting their operations.

In light of the threat posed by ColdRiver and Spica, potential targets should implement safeguards against domain impersonation, robust email security protocols like DMARC, SPF, and DKIM, and Enhanced Safe Browsing for Chrome. Regular updates for all devices and careful vetting of previously unknown entities claiming to be colleagues or field experts are also recommended.
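As an added example (not code from the article, from Google TAG, or from any vendor), the following Python check reads the SPF, DKIM and DMARC outcomes that a receiving mail server records in a message's Authentication-Results header and flags a message whose visible From domain is not backed by aligned authentication, which is how the DMARC/SPF/DKIM safeguards above catch the kind of colleague impersonation described in this campaign. The two messages and all domains are constructed; strict domain alignment is assumed for simplicity.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages: one authenticated, one spoofing a trusted sender.
PASSING_MSG = """From: Alice Expert <alice@example.org>
To: target@example.net
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org
Subject: Encrypted report

Please see the attached PDF.
"""

SPOOFED_MSG = """From: Alice Expert <alice@example.org>
To: target@example.net
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=example.org
Subject: Encrypted report

Could not open the file? Download the decryptor here.
"""

# method=result followed by optional "prop=value" pairs, terminated by ';'
AUTH_RE = re.compile(r"(spf|dkim|dmarc)=(\w+)((?:\s+[\w.]+=[^;\s]+)*)")


def parse_auth_results(header: str) -> dict:
    """Return {method: (result, {property: value})} from an Authentication-Results header."""
    results = {}
    for m in AUTH_RE.finditer(header):
        method, result, props = m.group(1), m.group(2), m.group(3)
        kv = dict(p.split("=", 1) for p in props.split())
        results[method] = (result, kv)
    return results


def assess_message(raw: str) -> dict:
    """Flag a message whose From domain is not backed by aligned SPF/DKIM and a DMARC pass."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf, dkim, dmarc = (auth.get(k, ("none", {})) for k in ("spf", "dkim", "dmarc"))
    findings = []
    if dmarc[0] != "pass":
        findings.append(f"dmarc={dmarc[0]}")
    # Alignment: the authenticated domain must equal the domain the recipient sees.
    if dkim[0] != "pass" or dkim[1].get("header.d", "").lower() != from_domain:
        findings.append("dkim not aligned with From domain")
    if spf[0] != "pass" or spf[1].get("smtp.mailfrom", "").lower() != from_domain:
        findings.append("spf not aligned with From domain")
    return {"from_domain": from_domain, "findings": findings, "quarantine": bool(findings)}
```

A production deployment would let the sending domain's published DMARC policy decide between quarantine and reject; this check only surfaces the alignment failure.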

The emergence of Spica as a new tool in ColdRiver’s arsenal marks a significant shift in the cyber threat landscape. While the cybersecurity community continues to monitor and counter these evolving threats, individuals and organizations need to remain vigilant and adopt robust security measures to mitigate the risk of falling victim to these increasingly sophisticated cyberattacks.
