Subject: COLDRIVER – UNC4057, Star Blizzard and Callisto
Tactics: TA0009 Collection, TA0011 Command and Control, TA0002 Execution, TA0010 Exfiltration, TA0001 Initial Access, TA0003 Persistence
Technique: T1071.001 Application Layer Protocol: Web Protocols, T1005 Data from Local System, T1041 Exfiltration Over C2 Channel, T1566 Phishing, T1053 Scheduled Task/Job, T1053.005 Scheduled Task/Job: Scheduled Task, T1204 User Execution, T1204.002 User Execution: Malicious File
Procedure:
The attacker, posing as an expert or an affiliate of the target, sends a phishing email containing either a direct link, or a document that appears encrypted and carries a link, to a “decryption” utility. The utility is the SPICA backdoor, which gives the attacker access to the victim’s machine. SPICA establishes persistence through a scheduled task, communicates with its C2 server using JSON over WebSockets, and then collects and exfiltrates data.
Vulnerability:
EAV0001 When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
EAV0002 When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse.
Engagement Opportunity:
Deploy a decoy document with the same “encrypted” text appearance the actor uses. When the adversary follows up with the “decryption” utility, execute it in an isolated environment under instrumentation and gather intelligence on the tool and on the operator’s methods.
Threat Actor: COLDRIVER (also known as UNC4057, Star Blizzard and Callisto), a Russian threat group
Threat Objective:
Espionage aligned with the interests of the Russian government
Deception Opportunity:
Create a honeypot with fake credentials and sensitive-looking documents to lure the attacker and gather information on their tools and techniques.
Sensor Data Placement: Application, User-Mode
Observable Level: Core to Adversary-Brought Tool
Scoring Rationale: The analytic relies on detecting the SPICA backdoor itself, which is specific to this actor’s toolkit. That makes detection straightforward while the tool is known, but it also means the actor can evade it by modifying or recompiling the tool. Of the steps in the attack graph below, only the persistence step (a scheduled task created by an obfuscated PowerShell command) is observable at the technique level rather than the tool level, so it is the step where a behaviour-based analytic survives a change of tooling.
Link to Report: https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/
Link to Report II.:
Additional Comments:
The SPICA backdoor is written in Rust and uses JSON over WebSockets for command and control (C2). Its command set includes stealing browser cookies, uploading and downloading files, and enumerating documents, among others.
Possible elements: Deception for Insider Threat Detection, Deceptive User Account with Canary Tokens, Embedded Honeytokens, Honeyfile with Canary Token, Honeypot MS Exchange
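The “Honeyfile with Canary Token” and “Embedded Honeytokens” elements listed above, worked as an added example (this code is not part of this entry, the cited report, or any known COLDRIVER artifact): it mints a decoy “credentials” document whose only live element is a beacon URL carrying an HMAC-bound token, then attributes beacon hits found in web-server access logs back to the decoy that was opened while rejecting forged tokens. The secret, the beacon host `docs-cdn.example.invalid`, the document id, the fake password and the access-log lines are all constructed for the example.

```python
"""Honeyfile with an HMAC-bound canary token: mint decoy documents whose
embedded beacon URL identifies the document, then attribute beacon hits
found in web-server access logs back to the decoy that was opened.
All names, hosts, secrets and log lines below are constructed for the example."""
import hashlib
import hmac
import re
from datetime import datetime

# Assumed values: a real deployment pulls the secret from a vault and
# points the beacon at a host the engagement team controls and logs.
CANARY_SECRET = b"rotate-me-per-engagement"
BEACON_PATH = "/t/"
BEACON_BASE = "https://docs-cdn.example.invalid" + BEACON_PATH

# nginx/Apache "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def mint_token(doc_id: str, secret: bytes = CANARY_SECRET) -> str:
    """Token = <doc_id>.<truncated HMAC-SHA256 tag>. The tag lets the checker
    confirm a hit came from a document we minted, so a scanner probing
    random paths under the beacon prefix cannot create false attributions."""
    tag = hmac.new(secret, doc_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{doc_id}.{tag}"


def verify_token(token: str, secret: bytes = CANARY_SECRET):
    """Return the doc_id if the token's tag verifies, otherwise None."""
    doc_id, sep, tag = token.rpartition(".")
    if not sep or not doc_id:
        return None
    expected = hmac.new(secret, doc_id.encode(), hashlib.sha256).hexdigest()[:16]
    return doc_id if hmac.compare_digest(tag, expected) else None


def build_decoy_document(doc_id: str, secret: bytes = CANARY_SECRET) -> str:
    """A plausible 'credentials' note. The password is fake and unusable; the
    only live element is the beacon link, which fires when it is followed."""
    beacon = BEACON_BASE + mint_token(doc_id, secret)
    return ("INTERNAL - VPN break-glass account\n"
            "user: ops-backup\n"
            "pass: Wint3r-Rotation!2024\n"      # constructed, not a real credential
            f"runbook: {beacon}\n")


def attribute_hits(log_lines, secret: bytes = CANARY_SECRET):
    """Scan access-log lines; return one record per verified beacon hit."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or not m["path"].startswith(BEACON_PATH):
            continue
        token = m["path"][len(BEACON_PATH):].split("?", 1)[0]
        doc_id = verify_token(token, secret)
        if doc_id is None:
            continue                      # forged or unknown token: not attributed
        hits.append({"doc_id": doc_id, "src_ip": m["ip"], "ua": m["ua"],
                     "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")})
    return hits


SAMPLE_ACCESS_LOG = [   # constructed "combined" log lines, not real traffic
    f'203.0.113.7 - - [12/Mar/2024:09:14:02 +0000] "GET {BEACON_PATH}{mint_token("ops-vpn-2024")} HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    f'198.51.100.3 - - [12/Mar/2024:09:15:40 +0000] "GET {BEACON_PATH}ops-vpn-2024.0000000000000000 HTTP/1.1" 404 0 "-" "curl/8.4.0"',
    '198.51.100.9 - - [12/Mar/2024:09:16:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(build_decoy_document("ops-vpn-2024"))
    for h in attribute_hits(SAMPLE_ACCESS_LOG):
        print(f"CANARY HIT doc={h['doc_id']} src={h['src_ip']} at={h['ts']} ua={h['ua']}")
```

A guessed or forged path under the beacon prefix does not attribute, because the tag is an HMAC over the document id with a secret the adversary never sees; rotate the secret per engagement so tokens from one deployment cannot be replayed against another. Any verified hit is a high-confidence signal that the decoy was collected, and the source IP and User-Agent on that line are the first observables to pivot on.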
MSG (Pseudocode):
# Malicious Sub-Graph Standard
# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])
# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])
# COLDRIVER Attack Graph
[1]: Initial Access - Phishing (T1566) - Send a phishing email carrying a link to a malicious "decryption" utility (Core to Adversary-Brought Tool)
[2]: Execution - User Execution (T1204) - Malicious File (T1204.002) - User downloads and runs the "decryption" utility, which is actually the SPICA backdoor (Core to Adversary-Brought Tool)
[3]: Persistence - Scheduled Task/Job (T1053) - Scheduled Task (T1053.005) - SPICA runs an obfuscated PowerShell command that creates a scheduled task (Core to Some Implementations of (Sub-)Technique)
[4]: Command and Control - Application Layer Protocol (T1071) - Web Protocols (T1071.001) - SPICA talks to its C2 server using JSON over WebSockets (Core to Adversary-Brought Tool)
[5]: Collection - Data from Local System (T1005) - SPICA collects cookies, files and documents from the victim's machine (Core to Sub-Technique or Technique)
[6]: Exfiltration - Exfiltration Over C2 Channel (T1041) - SPICA exfiltrates the collected data over the C2 channel (Core to Sub-Technique or Technique)
1 --> 2 (Lack of User Awareness)
2 --> 3 (Lack of System Monitoring)
3 --> 4 (Lack of Network Monitoring)
4 --> 5 (Unsecured Credentials)
5 --> 6 (Lack of Network Monitoring)
# Pseudocode Standard
# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]
# COLDRIVER Pseudocode
function Initial_Access_Phishing(target_email):
    # Craft a phishing email carrying a link to a malicious "decryption" utility
    # Send the email to target_email
    return malicious_link

function Execution_User_Execution(malicious_link):
    # User follows the link and downloads the "decryption" utility
    # User runs the utility, which is actually the SPICA backdoor
    return SPICA_backdoor

function Persistence_Scheduled_Task(SPICA_backdoor):
    # SPICA runs an obfuscated PowerShell command
    # The command creates a scheduled task to maintain persistence
    return persistent_SPICA

function Command_and_Control_Application_Layer_Protocol(persistent_SPICA):
    # SPICA opens a WebSocket connection to the C2 server and exchanges JSON messages
    # SPICA receives commands from, and returns results to, the C2 server
    return c2_channel

function Collection_Data_from_Local_System(c2_channel):
    # On command received over c2_channel, SPICA collects cookies, files and documents
    return collected_data

function Exfiltration_Exfiltration_Over_C2_Channel(c2_channel, collected_data):
    # SPICA sends collected_data to the C2 server over c2_channel
    return success
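An added example, not from this entry or the cited report: a tool-agnostic analytic for node [3] of the graph above, the one step scored as observable at the technique level rather than the tool level. It runs over constructed Sysmon-style process-creation records and flags a PowerShell process launched by an executable in a user-writable directory with an encoded command that creates a scheduled task, whether through a schtasks.exe child process or through a cmdlet inside the decoded script. Because it matches on parentage, encoding and task creation rather than on any hash or name, it still fires after the tool is recompiled, which is the evasion the Scoring Rationale warns about. The dropper name `decrypt-utility.exe`, the user name, the task name `Updater` and every command line are invented for the example; the real SPICA sample's task name and paths are deliberately not reproduced here.

```python
"""Tool-agnostic analytic for the persistence step: a binary running from a
user-writable path spawns PowerShell with an encoded command, and that
PowerShell creates a scheduled task. Evaluated over constructed Sysmon-style
process-creation records (pid, ppid, image, cmdline). Sample data is invented
for the example; SPICA's real task name, paths and command line are not used."""
import base64
import re

USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(downloads|desktop|documents|appdata)\\", re.I)
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
TASK_CREATE = re.compile(
    r"schtasks(?:\.exe)?\b.*\s/create\b|register-scheduledtask", re.I)


def encode_powershell(script: str) -> str:
    """What powershell -EncodedCommand expects: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def decode_encoded_command(cmdline: str):
    """Recover the script hidden behind -e/-ec/-enc/-EncodedCommand, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_task_persistence_chains(events):
    """Return one finding per suspicious chain. Two shapes are covered:
    (a) <user-writable exe> -> powershell -enc ... -> schtasks.exe /create
    (b) <user-writable exe> -> powershell -enc <decoded script creates a task>
    The match is on behaviour (parentage, encoding, task creation), not on a
    hash or name from the SPICA sample, so a recompiled tool still trips it."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if "powershell" not in e["image"].lower():
            continue
        dropper = by_pid.get(e["ppid"])
        if not dropper or not USER_WRITABLE.search(dropper["image"]):
            continue
        decoded = decode_encoded_command(e["cmdline"])
        if decoded is None:
            continue
        children = [c for c in events if c["ppid"] == e["pid"]]
        task_cmd = next((c["cmdline"] for c in children
                         if TASK_CREATE.search(c["cmdline"])), None)
        if task_cmd is None and TASK_CREATE.search(decoded):
            task_cmd = decoded
        if task_cmd is None:
            continue
        findings.append({"dropper": dropper["image"], "powershell_pid": e["pid"],
                         "decoded_command": decoded, "task_command": task_cmd})
    return findings


_DROPPER = r"C:\Users\alice\Downloads\decrypt-utility.exe"   # constructed name
_PERSIST_SCRIPT = (r'schtasks /create /sc minute /mo 10 /tn "Updater" /tr "'
                   + _DROPPER + '" /f')
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [   # constructed process-creation records, not real telemetry
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 100, "image": _DROPPER, "cmdline": f'"{_DROPPER}"'},
    {"pid": 4188, "ppid": 4120, "image": _PS,
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand "
                + encode_powershell(_PERSIST_SCRIPT)},
    {"pid": 4201, "ppid": 4188, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": _PERSIST_SCRIPT},
    # Benign: an admin's PowerShell from Explorer with an encoded one-liner
    # that does not touch scheduled tasks.
    {"pid": 5000, "ppid": 100, "image": _PS,
     "cmdline": "powershell.exe -enc " + encode_powershell("Get-Date")},
    # Benign: schtasks /create from cmd.exe, no PowerShell or dropper in the chain.
    {"pid": 5200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 5201, "ppid": 5200, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc daily /tn "Backup" /tr backup.cmd'},
]

if __name__ == "__main__":
    for f in find_task_persistence_chains(SAMPLE_EVENTS):
        print(f"ALERT dropper={f['dropper']} powershell_pid={f['powershell_pid']}")
        print(f"  decoded: {f['decoded_command']}")
```

The two benign chains are there on purpose: an encoded PowerShell one-liner from Explorer and a schtasks /create from cmd.exe each match one predicate but not the full chain, so neither fires. Run against real Sysmon Event ID 1 data, the records map directly onto ProcessId, ParentProcessId, Image and CommandLine, and the decoded script is what the analyst wants in the alert rather than the opaque base64.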