Explore ColdRiver's Spica malware in this detailed threat analysis. Uncover Russia-backed APT tactics, Spica code insights, and proactive defense measures.
ColdRiver, a Russia-backed advanced persistent threat (APT) group, has advanced its cyber espionage tradecraft by introducing a custom malware named "Spica." This marks a substantial departure from its traditional long-con credential phishing. Google's Threat Analysis Group (TAG) has been tracking ColdRiver's activities and documenting these evolving techniques.
This threat research extends that analysis of ColdRiver, dissecting the critical underlying aspects of its Spica malware with an emphasis on the threat landscape and potential countermeasures.
ColdRiver, also known as Blue Charlie, Callisto, Star Blizzard, or UNC4057, primarily targets high-profile individuals in NGOs, former intelligence and military officials, and NATO governments. Historically focused on credential phishing, the group has now extended its capabilities to deliver malware, specifically using PDFs as lure documents.
The progression from traditional phishing to malware delivery is a strategic transition observed by TAG.
ColdRiver employs impersonation accounts, posing as experts or individuals affiliated with the target, to establish trust. Recent findings describe a tactic in which benign PDFs, presented as op-eds or articles, are sent to targets; the document appears to be encrypted. If the target cannot decipher the encrypted content, a link to a "decryption" utility is sent, and that utility is the Spica backdoor.
Spica, written in Rust, utilizes JSON over websockets for command and control (C2). Upon execution, it decodes an embedded PDF, serving as a decoy while establishing persistence and connecting to the C2 server. The malware deploys an obfuscated PowerShell command, creating a scheduled task named "CalendarChecker" for persistence.
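The persistence artifact above, a scheduled task named "CalendarChecker", can be hunted for offline because Windows stores each registered task as an XML file under %SystemRoot%\System32\Tasks. The following is an added example, not code from TAG or from the Spica analysis: it parses collected task definitions, flags the task name reported for Spica, and, as an additional heuristic that is not from the report, flags any task whose action runs from a user-writable path. The two task definitions embedded in it are constructed for the example; only the name "CalendarChecker" comes from the analysis.

```python
"""Triage exported Task Scheduler XML for the Spica persistence artifact.

Added example, not TAK/TAG code. Task XML files live under
%SystemRoot%\\System32\\Tasks and use the namespace below. Both sample tasks
are constructed; the payload path in the second one is a placeholder.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task name attributed to Spica's persistence (compared case-insensitively).
SPICA_TASK_NAMES = {"calendarchecker"}

# Added heuristic (not from the report): actions launched from user-writable
# locations deserve review regardless of the task name.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def parse_task(xml_text: str) -> dict:
    """Extract the registered name (URI) and Exec actions from one task definition."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    actions = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        actions.append({
            "command": ex.findtext("t:Command", default="", namespaces=TASK_NS),
            "arguments": ex.findtext("t:Arguments", default="", namespaces=TASK_NS),
        })
    return {"uri": uri, "name": uri.rsplit("\\", 1)[-1], "actions": actions}


def triage_tasks(task_files: dict) -> list:
    """task_files maps a file name under System32\\Tasks to its XML text.
    Returns one finding per suspicious task with the reasons it was flagged."""
    findings = []
    for filename, xml_text in task_files.items():
        task = parse_task(xml_text)
        name = task["name"] or filename
        reasons = []
        if name.lower() in SPICA_TASK_NAMES:
            reasons.append("task name matches Spica persistence artifact")
        for act in task["actions"]:
            if USER_WRITABLE.search(act["command"]):
                reasons.append("action runs from user-writable path: " + act["command"])
        if reasons:
            findings.append({"name": name, "uri": task["uri"],
                             "actions": task["actions"], "reasons": reasons})
    return findings


# Constructed sample task definitions (not collected from a real host).
SAMPLE_TASKS = {
    "ScheduledDefrag": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="LocalSystem">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>""",
    "CalendarChecker": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\CalendarChecker</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Public\placeholder_payload.exe</Command></Exec>
  </Actions>
</Task>""",
}

if __name__ == "__main__":
    for hit in triage_tasks(SAMPLE_TASKS):
        print(hit["uri"], "->", "; ".join(hit["reasons"]))
```

On a live system the same check is a one-liner with Get-ScheduledTask; the XML route is for images and collections where the task store has been copied off the host. A task name is a weak indicator on its own, so the action path and trigger should always be reviewed alongside the name match.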
Spica functions as a versatile tool, executing arbitrary shell commands, stealing cookies from various browsers, uploading and downloading files, browsing the filesystem, and enumerating documents for exfiltration. The presence of multiple variants suggests a continuous evolution of the backdoor.
TAG first observed Spica in September 2023, but they believe its usage dates back to November 2022. The malware, identified as "Proton-decrypter.exe," was likely active around August and September 2023. TAG notes the potential existence of multiple Spica versions, each with distinct embedded decoy documents.
ColdRiver's strategic shift indicates a desire for broader capabilities, allowing them to conduct operations beyond conventional phishing. The targets include Ukraine, NATO countries, academic institutions, and NGOs. While specific victim profiles remain undisclosed, TAG emphasizes the limited and targeted use of Spica, aligning with ColdRiver's established tactics.
To counter the ColdRiver threat, TAG emphasizes proactive security measures. All identified domains, websites, and files associated with the threat are added to Safe Browsing blocklists. Gmail and Workspace users targeted by government-backed attackers receive alerts, encouraging them to enable Enhanced Safe Browsing for Chrome and ensure device updates.
TAG provides a YARA rule for detecting the Spica backdoor, listing specific strings and patterns indicative of its presence. The rule aids cybersecurity professionals in identifying and mitigating potential threats.
rule SPICA__Strings {
  meta:
    author = "Google TAG"
    description = "Rust backdoor using websockets for C2 and embedded decoy PDF"
    hash = "37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9"
  strings:
    $s1 = "os_win.c:%d: (%lu) %s(%s) - %s"
    $s2 = "winWrite1"
    $s3 = "winWrite2"
    $s4 = "DNS resolution panicked"
    $s5 = "struct Dox"
    $s6 = "struct Telegram"
    $s8 = "struct Download"
    $s9 = "spica"
    $s10 = "Failed to open the subkey after setting the value."
    $s11 = "Card Holder: Bull Gayts"
    $s12 = "Card Number: 7/ 3310 0195 4865"
    $s13 = "CVV: 592"
    $s14 = "Card Expired: 03/28"
    $a0 = "agent\\src\\archive.rs"
    $a1 = "agent\\src\\main.rs"
    $a2 = "agent\\src\\utils.rs"
    $a3 = "agent\\src\\command\\dox.rs"
    $a4 = "agent\\src\\command\\shell.rs"
    $a5 = "agent\\src\\command\\telegram.rs"
    $a6 = "agent\\src\\command\\mod.rs"
    $a7 = "agent\\src\\command\\mod.rs"
    $a8 = "agent\\src\\command\\cookie\\mod.rs"
    $a9 = "agent\\src\\command\\cookie\\browser\\mod.rs"
    $a10 = "agent\\src\\command\\cookie\\browser\\browser_name.rs"
  condition:
    7 of ($s*) or 5 of ($a*)
}
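To make the rule's condition concrete, here is an added example, not TAG's code, that mirrors the string list and the "7 of ($s*) or 5 of ($a*)" logic in plain Python so the matching behaviour can be tested where yara-python is not installed. It is not a replacement for running the real rule with YARA. The byte buffers it scans are constructed for the example and are not Spica binaries; note that the rule as published lists the same path for $a6 and $a7, so a single occurrence of agent\src\command\mod.rs counts as two of the five required $a hits, which the third sample shows.

```python
"""Plain-Python mirror of the SPICA__Strings condition from TAG's YARA rule.

Added example, not TAG's code. The strings are copied from the rule; YARA's
"\\" escape is one literal backslash, as in the Python bytes literals below.
Sample buffers are constructed and are not real Spica artifacts.
"""
import sys

# $s* strings: runtime messages and the planted decoy card data from the rule.
S_STRINGS = {
    "s1": b"os_win.c:%d: (%lu) %s(%s) - %s",
    "s2": b"winWrite1",
    "s3": b"winWrite2",
    "s4": b"DNS resolution panicked",
    "s5": b"struct Dox",
    "s6": b"struct Telegram",
    "s8": b"struct Download",
    "s9": b"spica",
    "s10": b"Failed to open the subkey after setting the value.",
    "s11": b"Card Holder: Bull Gayts",
    "s12": b"Card Number: 7/ 3310 0195 4865",
    "s13": b"CVV: 592",
    "s14": b"Card Expired: 03/28",
}

# $a* strings: Rust source paths left in the binary.
A_STRINGS = {
    "a0": b"agent\\src\\archive.rs",
    "a1": b"agent\\src\\main.rs",
    "a2": b"agent\\src\\utils.rs",
    "a3": b"agent\\src\\command\\dox.rs",
    "a4": b"agent\\src\\command\\shell.rs",
    "a5": b"agent\\src\\command\\telegram.rs",
    "a6": b"agent\\src\\command\\mod.rs",
    "a7": b"agent\\src\\command\\mod.rs",  # duplicated in the published rule
    "a8": b"agent\\src\\command\\cookie\\mod.rs",
    "a9": b"agent\\src\\command\\cookie\\browser\\mod.rs",
    "a10": b"agent\\src\\command\\cookie\\browser\\browser_name.rs",
}

S_THRESHOLD, A_THRESHOLD = 7, 5  # the rule's "7 of ($s*) or 5 of ($a*)"


def evaluate_spica_rule(data: bytes) -> dict:
    """Apply the rule's condition to a byte buffer and report which strings hit.
    Matching is case-sensitive substring search, as for plain YARA text strings."""
    s_hits = [n for n, pat in S_STRINGS.items() if pat in data]
    a_hits = [n for n, pat in A_STRINGS.items() if pat in data]
    return {
        "matched": len(s_hits) >= S_THRESHOLD or len(a_hits) >= A_THRESHOLD,
        "s_hits": s_hits,
        "a_hits": a_hits,
    }


def scan_file(path: str) -> dict:
    """Evaluate the rule against a file on disk."""
    with open(path, "rb") as f:
        return evaluate_spica_rule(f.read())


def build_sample(fragments) -> bytes:
    """Constructed test buffer: the given fragments separated by filler bytes."""
    filler = b"\x00" * 16 + b"not-a-real-binary" + b"\x00" * 16
    return filler + filler.join(fragments) + filler


# Constructed samples (not real Spica artifacts).
# Exactly seven $s strings: matches via the $s branch.
SAMPLE_S_HEAVY = build_sample([S_STRINGS[k] for k in ("s1", "s2", "s3", "s4", "s5", "s6", "s8")])
# Four distinct $a paths without mod.rs: four hits, below the threshold.
SAMPLE_A_LIGHT = build_sample([A_STRINGS[k] for k in ("a0", "a1", "a2", "a3")])
# Four distinct $a paths including mod.rs: $a6 and $a7 both hit, giving five.
SAMPLE_A_DUP = build_sample([A_STRINGS[k] for k in ("a0", "a1", "a2", "a6")])

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, scan_file(path))
```

Run it with one or more file paths to see which identifiers hit. Because "spica" is a short, lower-case token, it can appear in unrelated files; the seven-of-thirteen threshold is what keeps the $s branch from firing on such incidental hits.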
ColdRiver's adoption of the Spica malware is a calculated step in the evolution of the group's tradecraft. The analysis presented here offers a thorough breakdown of these tactics and techniques, Spica's technical intricacies, and recommended defensive measures.