COLDRIVER hacker group: phishing attack pattern update

admin | 2024-01-19 12:47:41 | Comments | 29 views | 5,943 characters | 19 min 48 s read

The Russia-linked threat actor known as COLDRIVER has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language.

Google's Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence. The lures are sent from impersonation accounts.

COLDRIVER, also known by the names Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), Gossamer Bear, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is known to be active since 2019, targeting a wide range of sectors.

This includes academia, defense, governmental organizations, NGOs, think tanks, political outfits, and, recently, defense-industrial targets and energy facilities.

"Targets in the U.K. and U.S. appear to have been most affected by Star Blizzard activity, however activity has also been observed against targets in other NATO countries, and countries neighboring Russia," the U.S. government disclosed last month.

Spear-phishing campaigns mounted by the group are designed to engage and build trust with the prospective victims with the ultimate goal of sharing bogus sign-in pages in order to harvest their credentials and gain access to the accounts.

Microsoft, in an analysis of COLDRIVER's tactics, called out its use of server-side scripts to prevent automated scanning of the actor-controlled infrastructure and to determine targets of interest before redirecting them to the phishing landing pages.

The latest findings from Google TAG show that the threat actor has been using benign PDF documents as a starting point as far back as November 2022 to entice the targets into opening the files.

"COLDRIVER presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target," the tech giant said. "When the user opens the benign PDF, the text appears encrypted."

In the event the recipient responds to the message stating they cannot read the document, the threat actor responds with a link to a purported decryption tool ("Proton-decrypter.exe") hosted on a cloud storage service.

The choice of the name "Proton-decrypter.exe" is notable because Microsoft had previously revealed that the adversary predominantly uses Proton Drive to send the PDF lures through the phishing messages.

In reality, the decryptor is a backdoor named SPICA that grants COLDRIVER covert access to the machine, while simultaneously displaying a decoy document to keep up the ruse.

Prior findings from WithSecure (formerly F-Secure) have revealed the threat actor's use of a lightweight backdoor called Scout, a malware tool from the HackingTeam Remote Control System (RCS) Galileo hacking platform, as part of phishing campaigns observed in early 2016.

Scout is "intended to be used as an initial reconnaissance tool to gather basic system information and screenshots from a compromised computer, as well as enable the installation of additional malware," the Finnish cybersecurity company noted at the time.

SPICA, which is the first custom malware developed and used by COLDRIVER, uses JSON over WebSockets for command-and-control (C2), facilitating the execution of arbitrary shell commands, theft of cookies from web browsers, uploading and downloading files, and enumerating and exfiltrating files. Persistence is achieved by means of a scheduled task.

"Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user," Google TAG said. "In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute."
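
The behaviour chain described in the two paragraphs above (a decoy PDF written to disk and opened, scheduled-task persistence, then an outbound C2 connection) lends itself to a simple endpoint hunt that correlates those three signals per process. The Python below is an added example, not code from Google TAG or from the article; the event schema, sample events, task name and file paths are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (not real logs), in a simplified hypothetical
# Sysmon-like shape. pid 4100 mimics the chain the article describes for the
# fake "decrypter"; pid 5200 is a benign PDF reader session for contrast.
EVENTS = [
    {"pid": 4100, "type": "FileCreate",
     "target": r"C:\Users\u\AppData\Local\Temp\op-ed.pdf"},
    {"pid": 4100, "type": "ProcessCreate",
     "child": r"C:\Program Files\Reader\AcroRd32.exe",
     "cmdline": r"AcroRd32.exe C:\Users\u\AppData\Local\Temp\op-ed.pdf"},
    {"pid": 4100, "type": "ProcessCreate",
     "child": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 5 /tn Updater /tr decrypter.exe"},
    {"pid": 4100, "type": "NetworkConnect", "dest_port": 443},
    {"pid": 5200, "type": "FileCreate", "target": r"C:\Users\u\Documents\notes.pdf"},
    {"pid": 5200, "type": "NetworkConnect", "dest_port": 443},
]


def indicators_per_process(events):
    """Map pid -> set of SPICA-like behaviours observed for that process."""
    dropped_pdfs = defaultdict(set)   # PDFs each process wrote to disk
    hits = defaultdict(set)
    for e in events:
        pid = e["pid"]
        if e["type"] == "FileCreate" and e["target"].lower().endswith(".pdf"):
            dropped_pdfs[pid].add(e["target"].lower())
        elif e["type"] == "ProcessCreate":
            child = e["child"].lower()
            cmd = e.get("cmdline", "").lower()
            if child.endswith("schtasks.exe") and "/create" in cmd:
                hits[pid].add("scheduled_task")      # persistence
            elif any(pdf in cmd for pdf in dropped_pdfs[pid]):
                hits[pid].add("decoy_pdf")           # opens a PDF it wrote itself
        elif e["type"] == "NetworkConnect" and e.get("dest_port") in (80, 443):
            hits[pid].add("c2_candidate")            # WebSocket C2 rides on HTTP(S)
    return dict(hits)


def spica_like_processes(events, minimum=3):
    """PIDs showing at least `minimum` of the three behaviours (default: all)."""
    return sorted(pid for pid, seen in indicators_per_process(events).items()
                  if len(seen) >= minimum)
```

A lone HTTPS connection or a lone PDF open is normal activity, which is why the hunt only fires when one process exhibits the whole chain; lowering `minimum` turns it into a noisier triage list.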

There is evidence to suggest that the nation-state actor's use of the implant goes back to November 2022, with the cybersecurity arm identifying multiple variants of the "encrypted" PDF lure, indicating that there could be different versions of SPICA to match the lure document sent to targets.

As part of its efforts to disrupt the campaign and prevent further exploitation, Google TAG said it added all known websites, domains, and files associated with the hacking crew to Safe Browsing blocklists.

The development comes over a month after the U.K. and the U.S. governments sanctioned two Russian members of COLDRIVER, Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, for their involvement in conducting the spear-phishing operations.

French cybersecurity firm Sekoia has since publicized links between Korinets and known infrastructure used by the group, which comprises dozens of phishing domains and multiple servers.

"Calisto contributes to Russian intelligence efforts to support Moscow's strategic interests," the company said. "It seems that domain registration was one of [Korinets'] main skills, plausibly used by Russian intelligence, either directly or through a contractor relationship."

Originally published on the WeChat official account 知机安全: COLDRIVER hacker group: phishing attack pattern update

  • Posted by admin on 2024-01-19 12:47:41
  • Please keep this link when reposting (CN-SEC Chinese site; thanks to the original author): COLDRIVER hacker group: phishing attack pattern update http://cn-sec.com/archives/2410032.html
