| Field | Value |
| --- | --- |
| Name | COLDRIVER |
| Other Names | Cold River |
| Location | Russia |
| Date of Initial Activity | 2019 |
| Suspected Attribution | APT |
| Associated Tools | DNSpionage, SPICA |
| Motivation | Espionage |
| Software | Database |
Overview
The COLDRIVER threat actor, also known by other aliases such as UNC4057, Star Blizzard, and Callisto, is a highly sophisticated and persistent cyber espionage group believed to be aligned with Russian state interests. Over the years, COLDRIVER has been primarily known for conducting credential phishing attacks against high-profile individuals across government agencies, military organizations, and academic institutions, particularly those associated with NATO countries, Ukraine, and other Western entities. The group’s activities have spanned a wide range of targets, including former intelligence officers, military officials, and NGOs, making them one of the most dangerous threat actors targeting sensitive geopolitical domains.
COLDRIVER’s operations are characterized by advanced social engineering tactics, where they carefully craft impersonation schemes to gain the trust of their targets. By masquerading as trusted professionals or colleagues within the target’s field, COLDRIVER is able to infiltrate networks and steal highly sensitive credentials. These credential theft operations, however, represent only one facet of their broader espionage agenda. Recently, the group has expanded its arsenal of attack methods, incorporating malware delivery alongside their phishing campaigns. This marks a significant evolution in their capabilities, as they now deploy custom malware to gain deeper and more persistent access to compromised systems.
Common targets
- Public Administration
- Information
- Professional, Scientific, and Technical Services
- Individuals
- United States
- Lebanon
- Canada
- India
- United Arab Emirates
Attack Vectors
- Phishing
- Software Vulnerabilities
How they operate
At the core of COLDRIVER’s operations is their phishing infrastructure, which uses impersonation techniques to trick individuals into clicking malicious links or downloading compromised documents. In many of their campaigns, the group creates fake profiles of individuals who are supposedly experts or colleagues within the same industry or organization as their targets. This allows them to establish trust with the victims before sending malicious emails, often disguised as harmless documents or links. By utilizing social engineering, COLDRIVER effectively deceives victims into interacting with these malicious emails, opening the door for credential theft and other forms of exploitation.
One of the key developments in COLDRIVER’s toolkit is their adoption of malware delivery as part of their phishing campaigns. The group has been observed using PDF documents as lures, embedding malware in them to establish a foothold on the victim’s machine. These documents are often presented as innocuous, such as drafts of articles or op-eds, making it more likely that the target will open them. When the victim opens the document it appears benign, but the actual malicious payload is delivered through a purported decryption utility. This utility, once downloaded, serves not as a legitimate decryption tool but as a backdoor to the victim’s system, granting COLDRIVER the ability to execute commands remotely.
The backdoor used by COLDRIVER, known as SPICA, is a Rust-based piece of malware designed to evade detection and establish persistence. SPICA communicates with its command-and-control (C2) server over WebSockets, a technique that helps it remain undetected by traditional network monitoring tools. Once installed, SPICA gives the attackers full control over the compromised machine, allowing them to execute arbitrary shell commands, steal cookies from popular browsers (Chrome, Firefox, Opera, and Edge), and exfiltrate sensitive documents. One of its notable capabilities is the ability to enumerate files and upload them to the attacker’s server, providing a means of gathering sensitive information over time.
COLDRIVER also uses obfuscated PowerShell commands to establish persistence on the compromised machine. By creating scheduled tasks such as “CalendarChecker,” they ensure that their malware survives reboots and continues to operate even after system restarts. These techniques make it difficult for defenders to completely remove the malware, as the scheduled tasks reinitiate the attack process. The use of decoy documents further complicates detection efforts, as it masks the malware’s true intent, presenting the victim with a seemingly harmless document that distracts from the malicious activities occurring in the background.
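As an added, defender-side example (not code from this page or from any published COLDRIVER analysis), the following Python triages scheduled-task registration records for the persistence pattern described above: a task whose action launches PowerShell with hidden/bypass switches or a base64-encoded command, or whose name matches the reported “CalendarChecker” task. The event fields, the other task names and the decoded command are constructed for illustration; only the CalendarChecker name comes from the page.

```python
import base64
import re

# Constructed sample: scheduled-task registration records (Windows Security
# event 4698 style) reduced to the fields a SIEM would normally extract.
# Paths, task names other than CalendarChecker, and the encoded command
# are illustrative, not real indicators.
SAMPLE_EVENTS = [
    {"task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "exe": "%windir%\\system32\\defrag.exe", "args": "-c -h -o -$"},
    {"task": "\\CalendarChecker",
     "exe": "powershell.exe",
     "args": "-nop -w hidden -ep bypass -enc " + base64.b64encode(
         "Start-Process C:\\Users\\Public\\decrypt.exe".encode("utf-16-le")
     ).decode()},
    {"task": "\\Updater",
     "exe": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "args": "-NoProfile -File C:\\Scripts\\backup.ps1"},
]

POWERSHELL = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.I)
# -e / -ec / -en / -enc / -EncodedCommand followed by a base64 blob
ENCODED = re.compile(r"-(e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Switches that hide the window or disable policy; \b keeps -NoProfile from
# matching the -nop alternative.
SUSPICIOUS_SWITCHES = re.compile(
    r"-(w(indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass|nop\b)", re.I)
KNOWN_TASK_NAMES = {"calendarchecker"}  # task name reported on this page


def decode_encoded_command(args):
    """Return the plaintext of a -EncodedCommand argument (UTF-16LE), or None."""
    m = ENCODED.search(args)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_task(ev):
    """Collect human-readable reasons a task registration looks like this pattern."""
    reasons = []
    if ev["task"].strip("\\").lower() in KNOWN_TASK_NAMES:
        reasons.append("task name matches reported COLDRIVER persistence task")
    if POWERSHELL.search(ev["exe"]):
        if (decoded := decode_encoded_command(ev["args"])) is not None:
            reasons.append(f"encoded PowerShell action decodes to: {decoded}")
        if SUSPICIOUS_SWITCHES.search(ev["args"]):
            reasons.append("hidden/bypass switches on PowerShell action")
    return reasons


def triage(events):
    """Map each flagged task name to its list of reasons; clean tasks are omitted."""
    return {ev["task"]: r for ev in events if (r := score_task(ev))}
```

Decoding the encoded command is what lets an analyst see the launched “decryption utility” without executing anything; the benign `-NoProfile -File` task is left unflagged.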
In addition to its operational complexity, COLDRIVER’s campaigns show an evolving pattern of activity. The group has adapted to counter detection mechanisms, altering its tools and techniques in response to security solutions. Their use of cloud storage sites to host malicious payloads, alongside their ability to dynamically change command-and-control infrastructure, makes it harder for defenders to track and block their activities effectively. Moreover, the malware variants used by COLDRIVER are tailored to the specific target, with different embedded documents for each campaign, further complicating threat detection and analysis.
COLDRIVER’s technical sophistication underscores the growing risk posed by state-sponsored threat actors. Their shift from credential phishing to full-fledged malware operations reflects a broader trend of increasingly aggressive cyber espionage tactics. As they continue to refine their capabilities, COLDRIVER remains a formidable threat to global security, particularly for governments, defense contractors, and international organizations. To mitigate the risk of such attacks, it is crucial for organizations to implement advanced threat detection mechanisms, including robust phishing defense measures and continuous monitoring of suspicious network activities. Only through a proactive, multi-layered defense strategy can the impact of groups like COLDRIVER be minimized.