COLDRIVER, a Russia-linked threat actor, has evolved its tactics by introducing a new custom malware, SPICA, written in the Rust programming language. Google’s Threat Analysis Group (TAG) revealed that COLDRIVER has shifted from traditional credential harvesting to employing PDF decoy documents in spear-phishing campaigns to deliver the SPICA backdoor. The threat actor has been active since 2019, targeting various sectors, including defense, governmental organizations, NGOs, and energy facilities. The latest development showcases COLDRIVER’s focus on high-profile individuals in targeted and limited cyber intrusions.
In these cyber operations, COLDRIVER uses benign PDFs as decoys, presenting them as new op-eds or articles seeking feedback. When recipients open the benign PDF, the text appears encrypted, prompting the threat actor to provide a link to a purported decryption tool, named “Proton-decrypter.exe.” However, this tool is revealed to be the SPICA backdoor, hosted on Proton Drive. SPICA employs JSON over WebSockets for command-and-control, facilitating various malicious activities, such as executing commands, file operations, and data exfiltration.
The SPICA backdoor represents a notable advancement in COLDRIVER’s capabilities, granting covert access to compromised machines while maintaining a decoy document to mislead targets. Google TAG has taken preventive measures by adding known COLDRIVER-associated elements to Safe Browsing blocklists to disrupt their operations. While the full scope of compromise remains uncertain, these cyber intrusions appear to target high-profile individuals, highlighting the threat actor’s emphasis on specific and limited attacks.