COLDRIVER – SPICA malware

APT group Coldriver uses spearphishing to deliver malware via PDFs as lure documents.

Name:
COLDRIVER – SPICA malware

TTP:
  • T1583.001 Acquire Infrastructure: Domains
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1584.001 Compromise Infrastructure: Domains
  • T1573.001 Encrypted Channel: Symmetric Cryptography
  • T1041 Exfiltration Over C2 Channel
  • T1190 Exploit Public-Facing Application
  • T1589.002 Gather Victim Identity Information: Email Addresses
  • T1564.001 Hide Artifacts: Hidden Files and Directories
  • T1027 Obfuscated Files or Information
  • T1566.001 Phishing: Spearphishing Attachment
  • T1566.002 Phishing: Spearphishing Link
  • T1053.005 Scheduled Task/Job: Scheduled Task
  • T1204.002 User Execution: Malicious File

Hypothesis:

APT group Coldriver uses spearphishing to deliver malware via PDFs as lure documents.

Campaign Type:
Intel Driven

Data Sources:

  • Process Monitoring
  • Process Command-Line Parameters
  • Windows Registry
  • Loaded DLLs
  • File Monitoring
  • Network Protocol Analysis
  • Windows Event Logs

Tools:

Any tool emulating SPICA malware

Scenario:

  1. Initial Access: Attacker sends targets benign PDF documents from impersonation accounts.
  2. Execution: The PDF documents contain encrypted text and a link to a decryption utility.
  3. Defense Evasion: The decryption utility is actually a backdoor that gives the attacker access to the victim’s machine.
  4. Discovery: The backdoor collects system information.
  5. Credential Access: The backdoor steals cookies and Telegram credentials.
  6. Collection: The backdoor enumerates and exfiltrates documents.
  7. Command and Control: The backdoor uses websockets for command and control.
  8. Exfiltration: The backdoor uploads and downloads files.
  9. Impact: The attacker gains access to sensitive information and systems.

Hunting Strategy:

  1. Analyze process monitoring data for the execution of the decryption utility.
  2. Correlate this event with other events, such as network connections to the attacker’s command and control server.
  3. Identify any patterns of suspicious activity, such as the exfiltration of data.
  4. Investigate any outliers or suspicious events.
  5. Validate potential threats by analyzing the attacker’s tools and infrastructure.
  6. Remediate the threat by isolating the compromised machines and removing the attacker’s access.
  7. Report your findings to the appropriate stakeholders.

False Positive Consideration:

  • The decryption utility may be detected as a legitimate program if it is signed with a valid certificate.
  • The attacker’s command and control server may be hosted on a legitimate domain.
  • The exfiltration of data may be mistaken for normal network traffic.

Recommendation:

  • Implement application control to prevent the execution of unauthorized programs.
  • Monitor network traffic for connections to known malicious domains.
  • Educate users about the dangers of phishing attacks.

D3 Diagram:
