
COLDRIVER Adopts Rust in Targeted Attacks, While Docker Services Face Cryptocurrency Mining Onslaught



In recent observations, the COLDRIVER threat actor, associated with Russia, has shown a shift in its tactics. What catches the eye is their adoption of Rust, a programming language, for custom malware. 

Google’s Threat Analysis Group (TAG) reports that this new malware is delivered through the use of PDFs, posing as documents to initiate the infection process. 

The attackers are adept at sending these decoy files from impersonation accounts, creating a camouflage to carry out their activities.

Scope of Attack

COLDRIVER is targeting a broad spectrum of sectors. This includes academia, defense, governmental organizations, NGOs, think tanks, political outfits, and more recently, defense-industrial targets and energy facilities. 

Image Description: Screenshot of “encrypted” text in a lure document.

The U.K. and the U.S. seem to be the primary targets, although activity has also been noticed in other NATO countries and those neighboring Russia.

Modus Operandi

The group’s modus operandi involves spear-phishing campaigns designed to build trust with potential victims. Their ultimate goal is to trick individuals into sharing their credentials through bogus sign-in pages. 

Microsoft’s analysis highlights the use of server-side scripts to prevent automated scanning, showcasing the group’s sophistication in evading detection.

According to Google TAG, COLDRIVER has been using benign PDF documents since November 2022. These documents appear as new articles or op-eds, seeking feedback from the target. 

Upon opening, the text in these PDFs seems encrypted, adding a layer of deception. If a user expresses an inability to read the document, the threat actor responds with a link to a supposed decryption tool (“Proton-decrypter.exe”) hosted on a cloud storage service.

The choice of the name “Proton-decrypter.exe” is interesting, as it aligns with the group’s preference for Proton Drive. However, it turns out that this “decryptor” is a backdoor named SPICA. 

Targeted Approach and Countermeasures

While the exact number of victims remains unknown, Google TAG suspects that SPICA was used in very limited, targeted attacks. 

The focus appears to be on high-profile individuals in NGOs, former intelligence and military officials, the defense sector, and NATO governments. 

In response to this threat, Google TAG has taken action by adding known websites, domains, and files associated with COLDRIVER to Safe Browsing blocklists.

Docker Services Face Unseen Cyber Attack

Cybercriminals are targeting vulnerable Docker services in a new wave of attacks. The attackers are using a dual strategy, deploying the XMRig cryptocurrency miner and the 9Hits Viewer software to maximize their gains.

9Hits Viewer as Malware Payload

Security researchers at Cado have identified malware that uses the 9Hits application as a payload. This marks a shift in adversary tactics and shows a constant search for new ways to profit from compromised systems.


Image Description: Processes being run by the 9hits container.

Originally marketed as a “unique web traffic solution,” 9Hits allows users to exchange credits for driving traffic to their websites. The 9Hits Viewer software, running a headless Chrome browser, visits requested websites, earning users credits.

Attack Methodology

While the precise method of initial compromise remains unclear, it is suspected that search engines like Shodan are used to identify exposed Docker hosts as potential targets. 

Once servers are compromised, two malicious containers are deployed through the Docker API, leveraging off-the-shelf images from the Docker Hub library.
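The two conditions described above, an exposed Docker API and containers launched from images the operator never approved, are both checkable from the host. The script below is an added example written for this article, not code from Cado's report or from the campaign; the daemon.json fragment and container records are constructed samples, and the registry prefix, image names and command strings are illustrative placeholders. It flags a `tcp://` API listener that lacks client-certificate verification and any container whose image is not from an approved registry or whose image or command matches common miner and traffic-bot names.

```python
"""Defender-side audit of a Docker host: flag an API endpoint exposed over plain
TCP and containers that were not pulled from an approved registry.

Added example; not from the article or from Cado's report. The sample
daemon.json and container records below are constructed for illustration.
"""
import json
import re

# Constructed sample of /etc/docker/daemon.json. "hosts", "tls" and
# "tlsverify" are real dockerd settings; the values here are illustrative.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tls": False,
})

# Constructed records in the shape of `docker ps --format '{{json .}}'`
# (fields Names, Image, Command). Image names and commands are hypothetical.
SAMPLE_CONTAINERS = [
    {"Names": "web-frontend",
     "Image": "registry.example.internal/web:1.4",
     "Command": "nginx -g 'daemon off;'"},
    {"Names": "hungry_miner",
     "Image": "hypothetical-user/xmrig:latest",
     "Command": "xmrig -o pool.example:3333"},
    {"Names": "viewer",
     "Image": "hypothetical-user/9hits-viewer",
     "Command": "/opt/9hits/9hv --headless"},
]

# Only images pulled from this prefix are considered approved (placeholder).
APPROVED_REGISTRIES = ("registry.example.internal/",)

# Names of the two payloads named in the article plus common CPU-miner binaries.
MINER_PATTERNS = re.compile(r"xmrig|9hits|9hv\b|minerd|cpuminer", re.IGNORECASE)


def daemon_exposure_findings(daemon_json: str) -> list[str]:
    """Return a finding for every TCP listener that does not require a
    verified client certificate (the condition that makes the API usable
    by anyone who can reach the port)."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify"):
            findings.append(
                f"API listens on {host} without client-certificate verification")
    return findings


def container_findings(containers: list[dict]) -> list[tuple[str, str]]:
    """Return (container name, reason) pairs for containers that were pulled
    from an unapproved registry or that look like a miner / traffic bot."""
    findings = []
    for c in containers:
        name, image, command = c["Names"], c["Image"], c["Command"]
        if not image.startswith(APPROVED_REGISTRIES):
            # No registry prefix means the image came from Docker Hub by default.
            findings.append((name, f"image {image} not from an approved registry"))
        if MINER_PATTERNS.search(image) or MINER_PATTERNS.search(command):
            findings.append((name, "image or command matches a known miner/bot name"))
    return findings


if __name__ == "__main__":
    for line in daemon_exposure_findings(SAMPLE_DAEMON_JSON):
        print("DAEMON:", line)
    for name, reason in container_findings(SAMPLE_CONTAINERS):
        print(f"CONTAINER {name}: {reason}")
```

On a real host the two inputs would come from reading /etc/docker/daemon.json and from `docker ps --no-trunc --format '{{json .}}'`; the allowlist approach matters more than the name patterns, since an attacker can rename an image but cannot make it appear to come from a registry you control.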

Moving Forward With Vigilance

A month ago, the U.K. and U.S. governments imposed sanctions on two Russian members of COLDRIVER, highlighting the seriousness of the group’s activities.

The cybersecurity firm Sekoia also highlighted links between one of the sanctioned individuals and the group’s infrastructure, adding to public awareness of its cyber operations.

Similarly, with the Docker campaign there is the looming risk of the attackers evolving it to leave a remote shell on compromised hosts, which could lead to more severe breaches. 

The idea is to stay vigilant individually and as a society.

Author: Anas Hasan

Date: January 19, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast. He has a vast experience in the field of digital transformation industry. When Anas isn’t blogging, he watches the football games.
