SPICA Backdoor

The threat actor COLDRIVER, linked to Russia, has been observed expanding its operations beyond credential harvesting. It has introduced its first custom malware developed in the Rust programming language that is being tracked as the SPICA backdoor. The attack strategies associated with COLDRIVER utilize PDFs as decoy documents to initiate the infection sequence, with the deceptive emails originating from impersonation accounts.

COLDRIVER, alternatively recognized as Blue Callisto, BlueCharlie (TAG-53), Calisto (Callisto), Dancing Salome, Gossamer Bear, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, has been active since 2019. Its targets span diverse sectors, including academia, defense, government entities, non-governmental organizations, think tanks, political entities, and, more recently, defense-industrial and energy facilities.

Spear-Phishing Tactics Utilized by COLDRIVER to Deliver Malware

Spear-phishing campaigns mounted by the group are designed to engage and build trust with the prospective victims with the ultimate goal of sharing bogus sign-in pages to harvest their credentials and gain access to the accounts. The cybercrime group has been observed using server-side scripts to prevent automated scanning of the actor-controlled infrastructure and determine targets of interest before redirecting them to the phishing landing pages.

The threat actor has been using benign PDF documents as a starting point as far back as November 2022 to entice the targets into opening the files. COLDRIVER presents these documents as a new op-ed or another type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted.

If the recipient replies that they cannot read the document, the threat actor responds with a link to a purported decryption tool ('Proton-decrypter.exe') hosted on a cloud storage service. The choice of the name 'Proton-decrypter.exe' is notable because the adversary predominantly uses Proton Drive to deliver the PDF lures through the phishing messages.
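The lure works because the PDF only looks encrypted: its visible text is gibberish, but the file carries no PDF encryption at all. A triage check that separates real PDF encryption (an /Encrypt entry in the trailer or cross-reference stream dictionary) from a visual trick is shown below. This is an added example, not code from the report or from any tooling it describes; the sample PDFs are constructed in the block, the "encrypted" variant only carries the trailer key so the positive case can be exercised, and the regular-expression scan is a triage heuristic rather than a full PDF parser.

```python
import re

def build_sample_pdf(with_encrypt_entry: bool) -> bytes:
    # Constructed sample: a minimal one-page PDF whose only visible text is
    # gibberish, mimicking a lure that "appears encrypted" to the reader.
    # No xref table is emitted; it is enough to exercise the trailer check.
    objects = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R >>\nendobj\n",
        b"4 0 obj\n<< /Length 44 >>\nstream\n"
        b"BT /F1 12 Tf 72 700 Td (Xq9#Lz!4pR@kT) Tj ET\n"
        b"endstream\nendobj\n",
    ]
    trailer = b"/Size 5 /Root 1 0 R"
    if with_encrypt_entry:
        # A genuinely encrypted PDF also has an /ID array and a security
        # handler object; only the trailer key is constructed here (assumption
        # for the positive test case, not a real encrypted document).
        trailer += b" /Encrypt 5 0 R"
    return (b"%PDF-1.4\n" + b"".join(objects)
            + b"trailer\n<< " + trailer + b" >>\nstartxref\n0\n%%EOF\n")

# Classic trailer dictionary: everything between "trailer" and "startxref".
TRAILER_RE = re.compile(rb"trailer\s*(<<.*?>>)\s*startxref", re.S)
# PDF 1.5+ cross-reference stream: the object dictionary carries /Type /XRef
# and, if the file is encrypted, the /Encrypt entry. The tempered pattern
# stops at "endobj" so the match cannot run across unrelated objects.
XREF_STREAM_RE = re.compile(
    rb"\d+\s+\d+\s+obj\s*(<<(?:(?!endobj).)*?/Type\s*/XRef(?:(?!endobj).)*?>>)\s*stream",
    re.S)

def pdf_encryption_status(data: bytes) -> dict:
    """Report whether the PDF declares encryption and whether plain text-
    showing operators are visible, which they never are in encrypted streams."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF header")
    dicts = TRAILER_RE.findall(data) + XREF_STREAM_RE.findall(data)
    encrypted = any(re.search(rb"/Encrypt\b", d) for d in dicts)
    # Tj/TJ operators readable in the raw bytes mean the content stream is
    # neither encrypted nor compressed: the "ciphertext" is just typed text.
    shows_text = re.search(rb"\)\s*Tj\b|\]\s*TJ\b", data) is not None
    return {
        "encrypted": encrypted,
        "trailer_dicts": len(dicts),
        "plain_text_operators": shows_text,
    }

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, pdf_encryption_status(build_sample_pdf(flag)))
```

On a real lure the interesting result is `encrypted: False` together with `plain_text_operators: True`: nothing in the file needs a decrypter, so a user being handed one is a social-engineering signal rather than a document-format problem. Compressed content streams (`/FlateDecode`) hide the operators, so a `False` on that second field alone is not evidence of encryption; run the file through a proper PDF library for anything beyond first-pass triage.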

The SPICA Backdoor is Dropped Under the Guise of a Decrypter

In actuality, the purported decrypter is a backdoor threat known as SPICA, allowing COLDRIVER to discreetly access the system while simultaneously presenting a decoy document to maintain the deception. SPICA, COLDRIVER's inaugural custom malware, utilizes JSON over WebSockets for Command-and-Control (C2), facilitating various actions such as executing arbitrary shell commands, pilfering cookies from web browsers, uploading and downloading files, and enumerating and exfiltrating data. Persistence is established through a scheduled task.

Upon execution, SPICA decodes an embedded PDF, saves it to the disk, and opens it as a decoy for the user. Simultaneously, it establishes persistence and initiates the primary C2 loop, awaiting commands for execution in the background.
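The behaviour chain described in the two paragraphs above (a user-launched "decrypter" that writes a PDF to disk, registers a scheduled task and then opens an outbound WebSocket for JSON C2) is more useful for detection than any single indicator, because each step on its own is common on a workstation. The following added example correlates those steps across constructed endpoint telemetry; it is not code from the report. The JSON event format and field names are assumptions, the use of schtasks.exe is an assumption about how a scheduled task might be created (the report only says one is used), and the file name is the one the report gives for the lure.

```python
import json
from collections import defaultdict

# Constructed sample telemetry (JSON lines), not real captured data.
# ws01 shows the full chain; ws02 is a benign PDF viewer writing a file.
SAMPLE_EVENTS = r'''
{"ts":"2024-01-18T09:12:01Z","host":"ws01","type":"process_create","pid":4120,"ppid":3300,"image":"C:\\Users\\a\\Downloads\\Proton-decrypter.exe","parent_image":"C:\\Windows\\explorer.exe"}
{"ts":"2024-01-18T09:12:02Z","host":"ws01","type":"file_create","pid":4120,"path":"C:\\Users\\a\\AppData\\Local\\Temp\\article.pdf"}
{"ts":"2024-01-18T09:12:03Z","host":"ws01","type":"process_create","pid":4188,"ppid":4120,"image":"C:\\Windows\\System32\\schtasks.exe","parent_image":"C:\\Users\\a\\Downloads\\Proton-decrypter.exe","cmdline":"schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\a\\Downloads\\Proton-decrypter.exe"}
{"ts":"2024-01-18T09:12:04Z","host":"ws01","type":"network_connect","pid":4120,"dest":"203.0.113.10","dport":443,"http_upgrade":"websocket"}
{"ts":"2024-01-18T09:15:00Z","host":"ws02","type":"process_create","pid":5000,"ppid":900,"image":"C:\\Program Files\\Acrobat\\Acrobat.exe","parent_image":"C:\\Windows\\explorer.exe"}
{"ts":"2024-01-18T09:15:01Z","host":"ws02","type":"file_create","pid":5000,"path":"C:\\Users\\b\\Documents\\notes.pdf"}
'''

# Locations an unprivileged user can write to; a binary running from one of
# these is a weak signal on its own and only raises confidence of the chain.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(text: str) -> list:
    """Return one alert per process that drops a PDF and also shows
    persistence (scheduled task) or WebSocket C2 behaviour."""
    events = parse_events(text)
    procs = {}                      # (host, pid) -> process_create event
    indicators = defaultdict(set)   # (host, pid) -> set of indicator names
    for ev in events:
        if ev["type"] == "process_create":
            procs[(ev["host"], ev["pid"])] = ev
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process_create":
            if any(d in ev["image"].lower() for d in USER_WRITABLE):
                indicators[(host, ev["pid"])].add("user_writable_path")
            # Attribute a schtasks /create child to its parent process.
            if (ev["image"].lower().endswith("\\schtasks.exe")
                    and "/create" in ev.get("cmdline", "").lower()):
                indicators[(host, ev["ppid"])].add("scheduled_task")
        elif kind == "file_create" and ev["path"].lower().endswith(".pdf"):
            indicators[(host, ev["pid"])].add("drops_pdf")
        elif kind == "network_connect" and ev.get("http_upgrade") == "websocket":
            indicators[(host, ev["pid"])].add("websocket_c2")
    alerts = []
    for key, inds in sorted(indicators.items()):
        # A decoy drop alone is what every PDF viewer does; require it to be
        # paired with persistence or the C2 channel before alerting.
        if "drops_pdf" in inds and inds & {"scheduled_task", "websocket_c2"}:
            proc = procs.get(key, {})
            alerts.append({
                "host": key[0],
                "pid": key[1],
                "image": proc.get("image", "<unknown>"),
                "indicators": sorted(inds),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

The rule keys on the combination rather than on the file name, so renaming the dropper or changing the lure does not evade it; what would evade it is a variant that establishes persistence by some means other than schtasks.exe, which is why the scheduled-task indicator should also be fed from task-registration events (for example Windows event ID 4698) rather than from process creation alone.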

Evidence suggests that the nation-state actor began using this implant as early as November 2022. The cybersecurity team has identified multiple variants of the 'encrypted' PDF lure, indicating the possible existence of different versions of SPICA tailored to specific lure documents sent to targets.

Researchers suspect that the SPICA Backdoor has been employed in highly targeted and limited attacks, with a focus on prominent individuals within NGOs, former intelligence and military officials, defense sectors and NATO governments.
