What is SPICA backdoor malware used by Russian hackers on Western officials?


Google’s Threat Analysis Group (TAG) on Thursday said it has analysed a series of threats from the Russian hacking group COLDRIVER conducting credential phishing activities against high-profile NGOs, former intelligence and military officers and NATO governments.

“For years, TAG has been countering and reporting on this group’s efforts to conduct espionage aligned with the interests of the Russian government. To add to the community’s understanding of COLDRIVER activity, we’re shining light on their extended capabilities, which now includes the use of malware,” wrote Wesley Shields of TAG in a Google blog.

The group conducts campaigns against Ukraine, NATO countries, academic institutions and NGOs. To gain the trust of the targets, they often impersonate experts in a particular field or people who are somehow affiliated to the target.

TAG says it has observed COLDRIVER sending innocent-looking PDF documents from impersonation accounts. The hacking group presents these documents as an op-ed or other type of article that the impersonation account is trying to publish, asking for feedback. When users open the PDF, the text appears to be encrypted.

If the target in question responds by saying they cannot read the document, the impersonation account will respond with a link claiming it is a “decryption” utility for the target to use. This decryption utility will in fact be a backdoor called SPICA, which will give access to the victim’s machine.


What is the SPICA backdoor malware?

SPICA is a custom malware tool written in Rust, and it uses WebSocket communication for commanding and controlling affected devices. It allows the attackers to run many commands on infected devices, including executing arbitrary shell commands, stealing cookies from Chrome, Firefox, Opera and Edge, uploading and downloading files, interacting with the filesystem, exfiltrating documents and more.
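Because the article describes SPICA's command and control as running over WebSocket, one observable a defender can triage is a WebSocket upgrade handshake initiated by a process that is not a browser. The following is an added example written for this page, not code from the article or from Google TAG: it runs a simple heuristic over constructed web-proxy records. The record field names (`src_proc`, `dst`, `ua`, `upgrade`), the sample lines and the browser allow-list are all assumptions made for the example.

```python
"""
Added example (not from the article or Google TAG): flag WebSocket upgrade
requests from clients that do not look like browsers. Field names, sample
records and the browser allow-list are assumptions for this example.
"""
import json
import re

# Constructed sample proxy records, one JSON object per line.
SAMPLE_LOG = """\
{"src_proc":"chrome.exe","dst":"meet.example.com","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36","upgrade":"websocket"}
{"src_proc":"decrypt_utility.exe","dst":"203.0.113.10","ua":"","upgrade":"websocket"}
{"src_proc":"outlook.exe","dst":"outlook.office.com","ua":"Microsoft Office/16.0","upgrade":""}
{"src_proc":"svc_update.exe","dst":"example-cdn.net","ua":"Go-http-client/1.1","upgrade":"websocket"}
"""

# Processes and User-Agent shapes we expect to open WebSockets legitimately
# (assumed allow-list; tune to the environment).
BROWSER_PROCS = {"chrome.exe", "firefox.exe", "msedge.exe", "opera.exe"}
BROWSER_UA = re.compile(r"Mozilla/5\.0 .*(Chrome|Firefox|Safari|Edg|OPR)/", re.I)


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_suspicious_websocket(rec):
    """True when the record is a WebSocket upgrade from a non-browser client."""
    if rec.get("upgrade", "").lower() != "websocket":
        return False
    proc = rec.get("src_proc", "").lower()
    ua = rec.get("ua", "")
    looks_like_browser = proc in BROWSER_PROCS and BROWSER_UA.search(ua)
    return not looks_like_browser


def find_suspicious(text):
    """Return the source process names of records worth triaging."""
    return [r["src_proc"] for r in parse_log(text) if is_suspicious_websocket(r)]


if __name__ == "__main__":
    for proc in find_suspicious(SAMPLE_LOG):
        print("suspicious websocket upgrade from", proc)
```

On the constructed sample the heuristic flags `decrypt_utility.exe` and `svc_update.exe` and ignores the browser session and the non-upgrade request. In practice this check is a starting point for triage rather than a verdict: legitimate desktop applications also use WebSockets, so the allow-list needs to reflect what actually runs in the environment.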

Google says that it uses TAG findings to improve the safety and security of its products. All the identified websites, domains and files are added to Safe Browsing to stop users from being exploited further. The analysis group also sends notifications to all targeted Gmail and Workspace users if they are attacked, and it encourages potential targets to use Enhanced Safe Browsing.

© IE Online Media Services Pvt Ltd

First uploaded on: 19-01-2024 at 17:43 IST
