Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware

Over the years, TAG has analyzed a range of persistent threats including COLDRIVER (also known as UNC4057, Star Blizzard and Callisto), a Russian threat group focused on credential phishing activities against high profile individuals in NGOs, former intelligence and military officers, and NATO governments. For years, TAG has been countering and reporting on this group’s efforts to conduct espionage aligned with the interests of the Russian government. To add to the community’s understanding of COLDRIVER activity, we’re shining light on their extended capabilities which now includes the use of malware.
多年来，TAG分析了一系列持续性威胁，包括COLDRIVER（也称为UNC4057，Star Blizzard和Callisto），这是一个俄罗斯威胁组织，专注于针对非政府组织，前情报和军官以及北约政府中的知名人士的凭据网络钓鱼活动。多年来，TAG一直在反击和报道该组织进行符合俄罗斯政府利益的间谍活动。为了增加社区对 COLDRIVER 活动的理解，我们将重点介绍它们的扩展功能，现在包括使用恶意软件。

COLDRIVER continues its focus on credential phishing against Ukraine, NATO countries, academic institutions and NGOs. In order to gain the trust of targets, COLDRIVER often utilizes impersonation accounts, pretending to be an expert in a particular field or somehow affiliated with the target. The impersonation account is then used to establish a rapport with the target, increasing the likelihood of the phishing campaign’s success, and eventually sends a phishing link or document containing a link. Recently published information on COLDRIVER highlights the group’s evolving tactics, techniques and procedures (TTPs), to improve its detection evasion capabilities.
COLDRIVER 继续专注于针对乌克兰、北约国家、学术机构和非政府组织的凭证网络钓鱼。为了获得目标的信任，COLDRIVER经常使用冒充帐户，假装是特定领域的专家或以某种方式与目标有关联。然后，使用模拟帐户与目标建立融洽的关系，增加网络钓鱼活动成功的可能性，并最终发送网络钓鱼链接或包含链接的文档。最近发布的关于COLDRIVER的信息强调了该组织不断发展的策略、技术和程序（TTP），以提高其检测规避能力。

Recently, TAG has observed COLDRIVER continue this evolution by going beyond phishing for credentials, to delivering malware via campaigns using PDFs as lure documents. TAG has disrupted the following campaign by adding all known domains and hashes to Safe Browsing blocklists.
最近，TAG观察到COLDRIVER继续这种演变，超越了网络钓鱼以获取凭据，而是通过使用PDF作为诱饵文档的活动来传递恶意软件。TAG 已将所有已知网域和哈希值添加到安全浏览黑名单中，从而中断了以下活动。

“Encrypted” lure-based malware delivery
基于诱饵的“加密”恶意软件交付

As far back as November 2022, TAG has observed COLDRIVER sending targets benign PDF documents from impersonation accounts. COLDRIVER presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted.
早在 2022 年 11 月，TAG 就观察到 COLDRIVER 从冒充帐户发送良性 PDF 文档的目标。COLDRIVER 将这些文档呈现为冒充帐户希望发布的新专栏文章或其他类型的文章，要求目标提供反馈。当用户打开良性 PDF 时，文本显示为加密。

If the target responds that they cannot read the encrypted document, the COLDRIVER impersonation account responds with a link, usually hosted on a cloud storage site, to a “decryption” utility for the target to use. This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving COLDRIVER access to the victim’s machine.
如果目标响应他们无法读取加密的文档，则 COLDRIVER 模拟帐户会使用指向目标使用的“解密”实用程序的链接（通常托管在云存储站点上）进行响应。这个解密实用程序，虽然还显示了一个诱饵文档，但实际上是一个后门，被跟踪为 SPICA，使 COLDRIVER 能够访问受害者的机器。

In 2015 and 2016, TAG observed COLDRIVER using the Scout implant that was leaked during the Hacking Team incident of July 2015. SPICA represents the first custom malware that we attribute being developed and used by COLDRIVER.
在 2015 年和 2016 年，TAG 观察到 COLDRIVER 使用了在 2015 年 7 月的黑客团队事件中泄露的 Scout 植入物。SPICA代表了我们归因于COLDRIVER开发和使用的第一个自定义恶意软件。

SPICA backdoor SPICA后门

SPICA is written in Rust, and uses JSON over websockets for command and control (C2). It supports a number of commands including:
SPICA 是用 Rust 编写的，并使用 JSON over websockets 进行命令和控制 （C2）。它支持许多命令，包括：

• Executing arbitrary shell commands
  执行任意 shell 命令
• Stealing cookies from Chrome, Firefox, Opera and Edge
  从 Chrome、Firefox、Opera 和 Edge 中窃取 Cookie
• Uploading and downloading files
  上传和下载文件
• Perusing the filesystem by listing the contents of it
  通过列出文件系统的内容来仔细阅读文件系统
• Enumerating documents and exfiltrating them in an archive
  枚举文档并将其泄露到存档中
• There is also a command called “telegram,” but the functionality of this command is unclear
  还有一个名为“telegram”的命令，但该命令的功能尚不清楚

Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user. In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute.
执行后，SPICA 会解码嵌入的 PDF，将其写入磁盘，然后将其作为用户的诱饵打开。在后台，它建立持久性并启动主 C2 循环，等待命令执行。

The backdoor establishes persistence via an obfuscated PowerShell command which creates a scheduled task named CalendarChecker:
后门通过模糊处理的 PowerShell 命令建立持久性，该命令创建名为 CalendarChecker 的计划任务：

TAG has observed SPICA being used as early as September 2023, but believe that COLDRIVER’s use of the backdoor goes back to at least November 2022. While TAG has observed four different variants of the initial “encrypted” PDF lure, we have only been able to successfully retrieve a single instance of SPICA. This sample, ​​named “Proton-decrypter.exe”, used the C2 address 45.133.216[.]15:3000, and was likely active around August and September 2023.
TAG早在2023年9月就观察到SPICA被使用，但认为COLDRIVER对后门的使用至少可以追溯到2022年11月。虽然TAG已经观察到初始“加密”PDF诱饵的四种不同变体，但我们只能成功检索到SPICA的单个实例。此示例名为“Proton-decrypter.exe”，使用 C2 地址 45.133.216[.]15：3000，可能在 2023 年 8 月和 9 月左右活跃。

We believe there may be multiple versions of the SPICA backdoor, each with a different embedded decoy document to match the lure document sent to targets.
我们认为SPICA后门可能有多个版本，每个版本都有不同的嵌入式诱饵文件，以匹配发送给目标的诱饵文件。

Protecting the community 保护社区

As part of our efforts to combat serious threat actors, TAG uses the results of our research to improve the safety and security of Google’s products. Upon discovery, all identified websites, domains and files are added to Safe Browsing to protect users from further exploitation. TAG also sends all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity and encourages potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.
为了打击严重的威胁行为者，TAG 会利用我们的研究结果来提高 Google 产品的安全性。发现后，所有已识别的网站、域名和文件都会添加到安全浏览中，以保护用户免受进一步利用。TAG 还会向所有目标 Gmail 和 Workspace 用户发送政府支持的攻击者警报，通知他们该活动，并鼓励潜在目标启用 Chrome 增强型安全浏览功能，并确保所有设备都已更新。

We are committed to sharing our findings with the security community to raise awareness, and with companies and individuals that might have been targeted by these activities. We hope that improved understanding of tactics and techniques will enhance threat hunting capabilities and lead to stronger user protections across the industry.
我们致力于与安全社区分享我们的发现，以提高人们的认识，并与可能成为这些活动目标的公司和个人分享我们的发现。我们希望通过提高对策略和技术的理解来增强威胁搜寻能力，并在整个行业内实现更强大的用户保护。

Indicators of compromise (IoCs)
入侵指标 （IoC）

Hashes of observed lure documents “Encrypted” PDFs
观察到的诱饵文档“加密”PDF 的哈希值

SHA256 SHA256的

0f6b9d2ada67cebc8c0f03786c442c61c05cef5b92641ec4c1bdd8f5baeb2ee1

(first observed November 2022)
（2022 年 11 月首次观测）

A949ec428116489f5e77cefc67fea475017e0f50d2289e17c3eb053072adcf24

(first observed June 2023)
（2023 年 6 月首次观测）

C97acea1a6ef59d58a498f1e1f0e0648d6979c4325de3ee726038df1fc2e831d

(first observed August 2023)
（2023 年 8 月首次观测）

Ac270310b5410e7430fe7e36a079525cd8724b002b38e13a6ee6e09b326f4847

(first observed November 2023)
（2023年11月首次观测）

SPICA Instance SPICA实例

84523ddad722e205e2d52eedfb682026928b63f919a7bf1ce6f1ad4180d0f507

ZIP file, hosted on cloud storage. Delivered to target after initial lure PDF.
ZIP 文件，托管在云存储上。在初始诱饵 PDF 后交付给目标。

37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9

SPICA backdoor. Named “Proton-decrypter.exe”.
SPICA后门。命名为“Proton-decrypter.exe”。

C97acea1a6ef59d58a498f1e1f0e0648d6979c4325de3ee726038df1fc2e831d

Lure document, likely to provide legitimacy to zip file.
诱饵文档，可能为 zip 文件提供合法性。

C2

https[://]45.133.216[.]15:3000/ws
https[：//]45.133.216[.]15：3000/秒

YARA Rule YARA规则

rule SPICA__Strings { 规则 SPICA__Strings {
meta: 元：

author = “Google TAG” author = “谷歌标签”
description = “Rust backdoor using websockets for c2 and embedded decoy PDF”
description = “使用 websockets for c2 和嵌入式诱饵 PDF 的 Rust 后门”
hash = “37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9”
哈希 = “37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9”
strings: 字符串：
$s1 = “os_win.c:%d: (%lu) %s(%s) – %s”
$s 1 = “os_win.c：%d： （%lu） %s（%s） – %s”
$s2 = “winWrite1” $s 2 = “winWrite1”
$s3 = “winWrite2” $s 3 =“winWrite2”
$s4 = “DNS resolution panicked”
$s 4 =“DNS 解析崩溃”
$s5 = “struct Dox”
$s 5 = “结构 Dox”
$s6 = “struct Telegram”
$s 6 = “结构电报”
$s8 = “struct Download”
$s 8 = “struct 下载”
$s9 = “spica” $s 9 = “spica”
$s10 = “Failed to open the subkey after setting the value.”
$s 10 =“设置值后无法打开子项。
$s11 = “Card Holder: Bull Gayts”
$s 11 = “持卡人：Bull Gayts”
$s12 = “Card Number: 7/ 3310 0195 4865”
$s 12 = “卡号： 7/ 3310 0195 4865”
$s13 = “CVV: 592”
$s 13 = “CVV：592”
$s14 = “Card Expired: 03/28”
$s 14 = “卡已过期：03/28”

$a0 = “agent\\src\\archive.rs”
$a 0 =“代理\\src\\archive.rs”
$a1 = “agent\\src\\main.rs”
$a 1 =“代理\\src\\main.rs”
$a2 = “agent\\src\\utils.rs”
$a 2 =“代理\\src\\utils.rs”
$a3 = “agent\\src\\command\\dox.rs”
$a 3 =“代理\\src\\command\\dox.rs”
$a4 = “agent\\src\\command\\shell.rs”
$a 4 =“代理\\src\\command\\shell.rs”
$a5 = “agent\\src\\command\\telegram.rs”
$a 5 =“代理\\src\\command\\telegram.rs”
$a6 = “agent\\src\\command\\mod.rs”
$a 6 =“代理\\src\\command\\mod.rs”
$a7 = “agent\\src\\command\\mod.rs”
$a 7 =“代理\\src\\command\\mod.rs”
$a8 = “agent\\src\\command\\cookie\\mod.rs”
$a 8 =“代理\\src\\命令\\cookie\\mod.rs”
$a9 = “agent\\src\\command\\cookie\\browser\\mod.rs”
$a 9 =“代理\\src\\command\\cookie\\browser\\mod.rs”
$a10 = “agent\\src\\command\\cookie\\browser\\browser_name.rs”
$a 10 =“代理\\src\\command\\cookie\\browser\\browser_name.rs”
condition: 条件：
7 of ($s*) or 5 of ($a*)
7 个 （$s*） 或 5 个 （$a*）
}