Google TAG unveils custom backdoor built by Kremlin cyber spies


Google’s Threat Analysis Group (TAG) has discovered a custom backdoor, dubbed SPICA, built by COLDRIVER, a Russian cyber-espionage group that Western governments have linked to the Kremlin’s Federal Security Service (FSB). COLDRIVER has been active since at least 2019 and primarily targets academia, the military, government organizations, NGOs, think tanks, and politicians in the US, the UK, and other NATO countries. Since 2022 the group has also stepped up its targeting of Ukraine’s military and defense sector, along with that of other Eastern European nations.

SPICA is written in Rust and uses JSON over WebSockets for command and control. Once running on a victim’s machine it can execute arbitrary shell commands, steal cookies from web browsers including Chrome, Firefox, Opera and Edge, upload and download files, list the contents of the filesystem, and enumerate documents and exfiltrate them. TAG first observed SPICA in use in September 2023, but assesses that COLDRIVER has been deploying the backdoor since at least November 2022.

COLDRIVER’s delivery chain relies on social engineering rather than exploitation. Operators research targets on social media, create fake profiles, and message their marks to build rapport; they also use webmail accounts that impersonate someone the target knows or a well-known figure in the target’s field. In the SPICA campaign the lure is a PDF that appears to be encrypted. When the target replies that the document cannot be read, they are sent a link to a supposed “decryption utility”, which is the backdoor itself: it opens a decoy PDF for the victim while installing in the background. The group mostly goes after high-profile individuals in NGOs, former intelligence and military officers, the defense sector, and NATO governments.

TAG was able to obtain only a single sample of the malware, but believes multiple versions of SPICA exist, each embedding a different decoy PDF. Google has published technical details of the backdoor, a description of how the campaign works, and an extensive list of indicators of compromise.
