The PolySwarm Blog


ColdRiver Using Spica Backdoor

Feb 2, 2024 1:06:16 PM / by The Hivemind

Executive Summary

Russia nexus threat actor group ColdRiver was recently observed using Spica backdoor in an espionage campaign.

Key Takeaways

  • Russia nexus threat actor group ColdRiver was recently observed using the Spica backdoor in an espionage campaign.
  • Spica is written in Rust and is the first custom malware developed by ColdRiver.
  • Spica is delivered via a phishing campaign.
  • Spica appears to have only been used against a limited number of selectively targeted victims.

What is Spica?

Russia nexus threat actor group ColdRiver was recently observed using a custom backdoor in its espionage and influence campaigns. Dubbed Spica, the backdoor appears to have only been used against a limited number of selectively targeted victims. Spica is written in Rust and is the first custom malware developed and used by ColdRiver. Google Threat Analysis Group reported on Spica.

ColdRiver is known to engage in social engineering and phishing attacks, impersonating a legitimate entity to gain rapport with the target. Once a trust relationship with the target has been established, the threat actors send a phishing link or a document containing a malicious link to the victim.

In this campaign, the threat actors appear to have used PDFs as lure documents to deliver the malware. The threat actors sent the victim what appears to be an encrypted PDF. When the victim states they are unable to read the document, the threat actor sends the victim a link to what they state is a “decryption utility.” The “decryption utility” displays a decoy document to trick the victim into believing the utility is legitimate. However, the “utility” is the Spica backdoor.

Spica uses JSON over websockets for C2 and allows the threat actors to execute commands on victim machines. Its other capabilities include stealing browser cookies, uploading and downloading files, listing file system contents, and enumerating and exfiltrating documents. Spica uses an obfuscated PowerShell command to create a scheduled task, establishing persistence.
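The persistence mechanism described above, an obfuscated PowerShell command that registers a scheduled task, is something a defender can hunt for in process-creation telemetry. The following is an added detection example written for this post; it is not code from PolySwarm, Google TAG, or the Spica sample. It assumes process-creation events are available as dictionaries with a command line, decodes any `-EncodedCommand` (and its accepted abbreviations) argument from UTF-16LE base64, and flags command lines that create scheduled tasks. The sample events, file paths and task names are constructed placeholders, not Spica indicators.

```python
import base64
import binascii

# Constructed sample events for this example (hypothetical, not real telemetry).
BENIGN_CMD = 'powershell.exe -File C:\\scripts\\backup.ps1'
PLAIN_TASK_CMD = 'schtasks.exe /create /sc daily /tn "Updater" /tr C:\\Users\\Public\\updater.exe'
# Placeholder task-registration script, encoded the way PowerShell expects for -EncodedCommand.
ENCODED_PAYLOAD = ('Register-ScheduledTask -TaskName "SysHelper" '
                   '-Action (New-ScheduledTaskAction -Execute "C:\\Users\\Public\\helper.exe")')
ENCODED_TASK_CMD = ('powershell.exe -NoP -W Hidden -enc '
                    + base64.b64encode(ENCODED_PAYLOAD.encode('utf-16le')).decode('ascii'))

SAMPLE_EVENTS = [
    {"pid": 1001, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": BENIGN_CMD},
    {"pid": 1002, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": PLAIN_TASK_CMD},
    {"pid": 1003, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": ENCODED_TASK_CMD},
]

# Strings whose presence in a (decoded) command line indicates scheduled-task creation.
TASK_INDICATORS = ('register-scheduledtask', 'new-scheduledtask', 'schtasks', '/create')


def _is_encoded_flag(token):
    """PowerShell accepts any unambiguous prefix of -EncodedCommand, plus -ec."""
    t = token.lower()
    return t == '-ec' or (len(t) >= 2 and '-encodedcommand'.startswith(t))


def decode_encoded_command(cmdline):
    """Return the decoded script behind -EncodedCommand, or None if absent/undecodable."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not _is_encoded_flag(tok):
            continue
        try:
            raw = base64.b64decode(tokens[i + 1], validate=True)
        except (binascii.Error, ValueError):
            return None  # flag present but the argument is not valid base64
        try:
            return raw.decode('utf-16le')  # PowerShell encodes the script as UTF-16LE
        except UnicodeDecodeError:
            return None  # odd byte length or invalid surrogates: not a real encoded command
    return None


def scheduled_task_indicators(text):
    lower = text.lower()
    return [ind for ind in TASK_INDICATORS if ind in lower]


def analyze_event(event):
    """Classify one process-creation event for scheduled-task persistence."""
    cmdline = event['cmdline']
    decoded = decode_encoded_command(cmdline)
    visible = cmdline if decoded is None else cmdline + ' ' + decoded
    indicators = scheduled_task_indicators(visible)
    if indicators and decoded is not None:
        severity = 'high'    # task creation hidden behind an encoded command
    elif indicators:
        severity = 'medium'  # plain-text task creation: common, but worth triage
    else:
        severity = None
    return {"pid": event['pid'], "encoded": decoded is not None,
            "indicators": indicators, "severity": severity}


def triage(events):
    """Return only the events that warrant analyst attention, in input order."""
    return [r for r in map(analyze_event, events) if r['severity'] is not None]


if __name__ == '__main__':
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The decoder deliberately returns None rather than raising on malformed input, so a noisy or adversarially crafted argument cannot crash the pipeline; a production rule would additionally key on the parent process (an Office or PDF viewer spawning PowerShell) and on the task's action pointing into user-writable directories.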

Google Threat Analysis Group states Spica was observed in use as early as September 2023, although the group may have been using the malware since at least November 2022. While Google TAG has observed multiple variants of the lure document, it has so far documented only a single instance of Spica.

Who is ColdRiver?

ColdRiver, also known as UNC4057, Star Blizzard, Blue Charlie, TA446, Gossamer Bear, and Callisto, is a Russia nexus threat actor group. ColdRiver has been active since at least 2014 and is known to target NGOs, former military and intelligence officers, academic institutions, and NATO governments. The group relies heavily on phishing attacks, and their attacks appear to be espionage-driven.

IOCs

PolySwarm has a sample of Spica.

37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9

You can use the following CLI command to search for all Spica samples in our portal:

$ polyswarm link list -f Spica

You can use the following CLI command to search for all ColdRiver samples in our portal:

$ polyswarm link list -t ColdRiver


Topics: Russia, Threat Bulletin, Backdoor, Spica, ColdRiver

Written by The Hivemind
