The military tested a new SPICA virus based on Rust

Brother

Native malware helped hackers achieve their goals.

The hacker group COLDRIVER has refined its methods and started distributing its first custom malware written in the Rust programming language.

This was reported by Google's Threat Analysis Group (TAG), which shared details of the group's latest activity. According to the researchers, the attackers use PDF files as bait to start the infection chain; the lures are sent from impersonation accounts.

Since November 2022 the attackers have used PDF documents as the starting point to get targets interested in opening the files. COLDRIVER presents the document as a new article that the sender wants to publish and asks the recipient to write a review of it. When the user opens the PDF, they see encrypted text.

PDF document with encrypted text

If the recipient replies that they cannot read the document, the hacker responds with a link to a supposed decryption tool ("Proton-decrypter.exe") hosted on Proton Drive cloud storage. In fact, the "decryptor" is a backdoor called SPICA that gives COLDRIVER covert access to the device while displaying a decoy document to hide the compromise. Meanwhile, the backdoor connects to its C2 server in the background.

SPICA, the first custom malware developed and used by COLDRIVER, uses JSON over WebSockets for command and control (C2) and provides the following capabilities:
  • executing arbitrary shell commands;
  • stealing cookies from web browsers;
  • uploading and downloading files;
  • listing and exfiltrating files;
  • achieving persistence with a scheduled task.

As part of its efforts to disrupt the campaign and prevent further exploitation, the Google TAG team has added all known COLDRIVER-related websites, domains, and files to the Google Safe Browsing blocklists. Google said it had no information on the number of SPICA victims, but suspected that the backdoor was used only in "very limited targeted attacks", adding that the targets were senior figures in NGOs, former intelligence and military officers, and defence ministry and government representatives of various countries.