The ColdRiver APT (aka “Seaborgium”, “Callisto”, “Star Blizzard”, “TA446”) is a Russian cyberespionage outfit that has been targeting government officials, military personnel, journalists and think tanks since at least 2015.
The threat actor has previously engaged in ongoing phishing and credential theft efforts that resulted in intrusions and data theft. Although specialists have noticed efforts targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine, the APT predominantly targets NATO member states.
Google TAG researchers have warned about COLDRIVER, reporting that it is refining its tactics, techniques and procedures (TTPs) in order to evade detection.
TAG has recently seen COLDRIVER use phishing efforts to spread bespoke malware using PDFs as lure materials. Google experts discovered and stopped these attempts by adding all known domains and hashes to Safe Browsing blocklists.
In November 2022, TAG observed COLDRIVER sending its targets malicious PDF documents from impersonation accounts. The threat actors asked the recipients for feedback on fresh opinion pieces or other publications they were supposedly hoping to publish, using these documents as the lure. When the victims open the PDF, its text appears to be encrypted.
If the targets reply that they cannot read the content, the cyberspies send them a link to a "decryption tool" hosted on the threat actors' website. Running that tool installs a backdoor, tracked as SPICA, and opens a bogus document as a decoy.
“Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user. In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute,” reads TAG’s analysis.
SPICA is a Rust backdoor that uses JSON over WebSockets for C2. SPICA supports multiple capabilities, such as:
Persistence is achieved through an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.
The Russian APT is believed to have used SPICA since at least November 2022, although the researchers only directly observed its use from early September 2023.
The Threat Analysis Group (TAG) at Google has discovered Heliconia, a cyberattack framework designed to exploit zero-day and n-day security flaws in Chrome, Firefox, and Microsoft Defender. It is likely linked to Variston IT, a gray-market spyware broker, demonstrating how this shadowy sector is thriving. The Heliconia threat is made up of three modules:
Charming Kitten, a state-sponsored Iranian hacking group, is using a new tool to download emails from targeted Yahoo, Microsoft Outlook, and Gmail accounts.
The utility is called Hyperscraper and, like many of the group's operations and tools, it is not sophisticated. Its lack of sophistication is offset by its effectiveness: it lets the threat actors empty a target's inbox without leaving obvious traces of the intrusion.
In a recent technical report, experts from Google's TAG (Threat Analysis Group) shared details of Hyperscraper's capabilities and said that it is under active development.
Google TAG attributes the tool to Charming Kitten, an Iran-based threat group also tracked as APT35 and Phosphorus, and dates the earliest samples to 2020.
The researchers discovered Hyperscraper in December 2021 and analysed it using a Gmail test account. Hyperscraper is not an intrusion tool; it lets the threat actors copy email data to their own machines once they have already gained access to the victim's account.
The credentials for the victim's inbox are obtained in an earlier stage of the attack, typically by stealing them.
Hyperscraper contains an embedded browser and spoofs its user agent to imitate an outdated web browser, which causes Gmail to serve its basic HTML view of the account.
Google TAG says that once logged in, the tool changes the account's language settings to English and iterates through the contents of the mailbox, downloading messages one by one as .eml files and marking each one unread again afterwards.
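The behaviour described above (an outdated user agent, a language switch to English, and messages read and immediately marked unread in bulk) is the kind of pattern a mailbox-audit heuristic can score. The Python below is an added example and not code from TAG; its audit-record schema, the regular expression used to call a user agent "legacy", and the thresholds are all assumptions made for this example, and the sample records are constructed rather than real audit data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: a crude "outdated browser" test, the read->unread
# window that looks automated rather than human, and how many such pairs count as bulk.
LEGACY_UA = re.compile(r"MSIE \d|Mozilla/4\.0|Firefox/[1-9]\.")
UNREAD_WINDOW = timedelta(seconds=60)
BULK_THRESHOLD = 10


def build_sample_audit():
    """Constructed mailbox audit records in a hypothetical schema (not a real provider format)."""
    ev = []
    modern = "Mozilla/5.0 (X11; Linux x86_64) Firefox/108.0"
    legacy = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    t0 = datetime(2023, 1, 10, 9, 0, 0)
    # s1: a person reading a few messages in a current browser
    ev.append({"ts": t0, "session": "s1", "ua": modern, "action": "login"})
    for i in range(3):
        ev.append({"ts": t0 + timedelta(minutes=5 * i + 1), "session": "s1",
                   "ua": modern, "action": "read_message", "msg": f"m{i}"})
    # s2: legacy browser, language forced to English, rapid read/unread over many messages
    ev.append({"ts": t0, "session": "s2", "ua": legacy, "action": "login"})
    ev.append({"ts": t0 + timedelta(seconds=5), "session": "s2", "ua": legacy,
               "action": "set_language", "value": "en"})
    for i in range(12):
        t = t0 + timedelta(seconds=10 + 2 * i)
        ev.append({"ts": t, "session": "s2", "ua": legacy,
                   "action": "read_message", "msg": f"m{i}"})
        ev.append({"ts": t + timedelta(seconds=1), "session": "s2", "ua": legacy,
                   "action": "mark_unread", "msg": f"m{i}"})
    return ev


def score_sessions(events):
    """Return {session_id: (score, [reasons])} for every session in the records."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    result = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        score, reasons = 0, []
        if any(LEGACY_UA.search(e["ua"]) for e in evs):
            score += 1
            reasons.append("legacy_user_agent")
        if any(e["action"] == "set_language" and e.get("value") == "en" for e in evs):
            score += 1
            reasons.append("language_switched_to_english")
        # Count messages that were read and then marked unread within the window.
        last_read, pairs = {}, 0
        for e in evs:
            if e["action"] == "read_message":
                last_read[e["msg"]] = e["ts"]
            elif e["action"] == "mark_unread":
                t = last_read.get(e["msg"])
                if t is not None and e["ts"] - t <= UNREAD_WINDOW:
                    pairs += 1
        if pairs >= BULK_THRESHOLD:
            score += 2
            reasons.append(f"bulk_read_then_unread:{pairs}")
        result[sid] = (score, reasons)
    return result


def suspicious_sessions(events, min_score=3):
    """Session ids whose combined score reaches the alert threshold."""
    return sorted(sid for sid, (score, _) in score_sessions(events).items()
                  if score >= min_score)


if __name__ == "__main__":
    for sid, (score, reasons) in score_sessions(build_sample_audit()).items():
        print(sid, score, reasons)
```

No single signal here is conclusive (a user may genuinely prefer English, or keep an old browser), which is why the read-then-unread volume carries the most weight and the alert requires more than one indicator to fire.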
Google TAG experts said earlier variants of Charming Kitten's utility could also pull data from Google Takeout, a feature that lets users export the data in their Google account for backup or for use with a third-party service.
While running, Hyperscraper communicates with its C2 (command and control) server and waits for a 'go' signal before starting the exfiltration.
The operator can configure the tool's key parameters (an identifier string, the operation mode, and the path to a valid cookie file) via command-line arguments or a minimal user interface.
If the path to the cookie file is not supplied on the command line, the operator can instead drag and drop it onto a form. Once the cookie has been parsed and loaded into the embedded browser's local cache, Hyperscraper creates a 'Download' folder into which it dumps the contents of the target inbox. Charming Kitten's victims who were attacked with Hyperscraper have been notified of the government-backed attacks.
"Users that received such a warning are encouraged to bolster their defenses against more sophisticated attackers by enrolling in Google’s Advanced Protection Program (APP) and by activating the Enhanced Safe Browsing feature, both of which provide an added security layer on top of existing protection mechanisms," said BleepingComputer.