On January 18, 2024, Google’s Threat Analysis Group (TAG) warned of an ongoing spear phishing campaign led by the pro-Russian group Coldriver. The cybercriminal group has ties to the FSB (Russian domestic intelligence) and is an expert in this phishing technique, which relies on impersonating individuals trusted by the target and therefore demands a high degree of customization for each victim.
Launched in November 2023, the campaign targets NGO members and civil society, as well as former heads of intelligence, defense, and government, in NATO countries. It involves sending perfectly harmless PDF files from email addresses that appear to belong to individuals close to the target.
“Coldriver frames these files as a new article that the impersonated individual wishes to publish, asking for comments from the target. When the user opens the innocuous PDF, the content appears encrypted for pseudo-security reasons,” explains Google’s TAG. The cybercriminals then send their victim a supposed decryption tool called “Proton-decrypter.exe”.
The name insinuates a link to Protonmail, the well-known secure email service used by many researchers, journalists, and dissidents, and is meant to inspire trust in a target who otherwise practices good digital hygiene. The decryptor actually carries a backdoor written in Rust, Spica, which can steal cookies and data and run commands on the infected device.
In December 2023, the UK and US governments imposed sanctions on two Russian members of Coldriver, who are accused of taking part in the group’s spear phishing operations.