Russia nexus threat actor group ColdRiver was recently observed using Spica backdoor in an espionage campaign.
- Russia nexus threat actor group ColdRiver was recently observed using Spica backdoor in an espionage campaign.
- Spica is written in Rust and is the first custom malware developed by ColdRiver.
- Spica is delivered via a phishing campaign.
- Spica appears to have only been used against a limited number of selectively targeted victims
What is Spica?
Russia nexus threat actor group ColdRiver was recently observed using a custom backdoor in its espionage and influence campaigns. Dubbed Spica, the backdoor appears to have only been used against a limited number of selectively targeted victims. Spica is written in Rust and is the first custom malware developed and used by ColdRiver. Google Threat Analysis Group reported on Spica.
ColdRiver is known to engage in social engineering and phishing attacks, impersonating a legitimate entity to gain rapport with the target. Once a trust relationship with the target has been established, the threat actors send a phishing link or a document containing a malicious link to the victim.
In this campaign, the threat actors appear to have used PDFs as lure documents to deliver the malware. The threat actors sent the victim what appears to be an encrypted PDF. When the victim states they are unable to read the document, the threat actor sends the victim a link to what they state is a “decryption utility.” The “decryption utility” displays a decoy document to trick the victim into believing the utility is legitimate. However, the “utility” is the Spica backdoor.
Spica uses JSON over websockets for C2 and allows the threat actors to execute commands on victim machines. Its other capabilities include stealing browser cookies, uploading and downloading files, listing file system contents, and enumerating and exfiltrating documents. Spica uses an obfuscated PowerShell command to create a scheduled task, establishing persistence.
Google Threat Analysis Group states Spica was observed in use as early as September 2023, although the group may have been using the malware since at least November 2022. While they have observed multiple variants of the lure document, thus far, they have only documented a single instance of Spica.
Who is ColdRiver?
ColdRiver, also known as UNC4057, Star Blizzard, Blue Charlie, TA446, Gossamer Bear, and Callisto, is a Russia nexus threat actor group. ColdRiver has been active since at least 2014 and is known to target NGOs, former military and intelligence officers, academic institutions, and NATO governments. The group relies heavily on phishing attacks, and their attacks appear to be espionage-driven.
PolySwarm has a sample of Spica.
You can use the following CLI command to search for all Spica samples in our portal:
$ polyswarm link list -f Spica
You can use the following CLI command to search for all ColdRiver samples in our portal:
$ polyswarm link list -t ColdRiver