Russia’s Coldriver Ramps Up Malware Development After LostKeys Exposure
Google threat researchers in May disclosed LostKeys, a malware used by the Russian state-sponsored cyber-espionage group Coldriver, which has a history of targeting non-governmental organizations (NGOs), policy groups, and dissidents and stealing credentials and files.
That was the last that the Google Threat Intelligence Group (GTIG) saw of LostKeys. However, five days ago, Coldriver – also known as Star Blizzard, Callisto, and UNC4057 – launched three new malware families, which the group is evolving quickly and using more aggressively than any of its previous threats.
Coldriver’s shift in operations is the latest example of how quickly threat actors can adapt their malware and of the sophisticated ways they have developed to evade detection. It also fits the group’s established pattern of ditching malware once it is detected and publicized and rolling out new campaigns.
“The new malware … has undergone multiple iterations since discovery, indicating a rapidly increased development and operations tempo from COLDRIVER,” GTIG researcher Wesley Shields wrote in a report this week. “It is a collection of related malware families connected via a delivery chain.”
Coldriver, believed to be an arm of Russia’s Federal Security Service (FSB), is known for targeting non-governmental organizations (NGOs), dissidents, military and government organizations, and think tanks in the United States, the UK, NATO countries, and Ukraine.
The New ROBOTS
The malware families – named NOROBOT, YESROBOT, and MAYBEROBOT – were created to not only steal information from high-profile targets but also to make it even more difficult than past malware to detect and defend against.
First out of the gate was NOROBOT, which is delivered via a fake CAPTCHA page, a lure technique that was used with LostKeys but differs by having the user execute the malicious DLL with rundll32 – a legitimate process in Windows – rather than PowerShell.
An early version of NOROBOT led to YESROBOT, which, according to Shields, was a cumbersome backdoor written in Python. Coldriver quickly ditched YESROBOT for MAYBEROBOT, which he wrote was a more flexible and extensible PowerShell backdoor. The development schedule of the malware was as much about keeping the families hidden as about improving their performance.
‘Constant Evolution’
“NOROBOT and its preceding infection chain have been subject to constant evolution – initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” Shields wrote. “The shift back to more complex delivery chains increases the difficulty of tracking their campaigns. This constant development highlights the group’s efforts to evade detection systems for their delivery mechanism for continued intelligence collection against high-value targets.”
He added that the infection chain includes three components that are delivered by a new variant of the ColdCopy ClickFix lure that was seen deploying LostKeys. ColdCopy, disguised as a CAPTCHA check to confirm that the user is not a robot, lures users into downloading the DLL and executing it with rundll32.
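The lure described above ends with a user-launched rundll32 loading a DLL from wherever it was downloaded, which is a hunting opportunity for defenders. The following is an added example, not code from the article or from GTIG: a heuristic over process-creation records that flags rundll32.exe loading a DLL from a user-writable directory. The record format, path list and sample events are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Hypothetical minimal process-creation record (constructed for this example).
@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str   # its command line as logged

# User-writable locations a lure-delivered DLL is likely to land in; a heuristic, not a complete list.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\(?:downloads|appdata|desktop|documents)"
    r"|[a-z]:\\(?:temp|programdata|windows\\temp))",
    re.IGNORECASE,
)
# First .dll token on the command line, either quoted (may contain spaces) or bare.
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)

def dll_from_cmdline(cmd: str):
    """Return the DLL path passed to rundll32, or None when no .dll argument is present."""
    m = DLL_ARG.search(cmd)
    return (m.group(1) or m.group(2)) if m else None

def is_suspicious_rundll32(ev: ProcEvent) -> bool:
    """True when rundll32.exe is asked to load a DLL from a user-writable directory.
    Relative names (e.g. shell32.dll) and system paths are not flagged."""
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return False
    dll = dll_from_cmdline(ev.command_line)
    return dll is not None and USER_WRITABLE.match(dll) is not None

def triage(events):
    """Return only the events worth an analyst's attention."""
    return [ev for ev in events if is_suspicious_rundll32(ev)]

# Constructed sample events: one benign system DLL load, two lure-style loads, two non-matches.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\alice\Downloads\verify.dll,Entry'),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\bob\AppData\Local\Temp\check.dll",Run'),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", "rundll32.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print("SUSPICIOUS:", ev.command_line)
```

Pair the hit with the parent process and the preceding browser download to confirm the ClickFix pattern rather than alerting on the path alone.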
NOROBOT is the same malware that researchers with Zscaler’s ThreatLabz unit wrote about last year and identified as BAITSWITCH, which they also attributed to Coldriver, and both they and GTIG noted that it has been under constant development through September. The earlier version of the malware split the decryption key across multiple components, which had to be recombined in a particular way to decrypt the final payload.
“This was likely done to make it more difficult to reconstruct the infection chain because if one of the downloaded components was missing the final payload would not decrypt properly,” Shields wrote, adding that this version “included fetching and extracting a full Python 3.8 installation, which is a noisy artifact that is likely to raise suspicions.”
From YESROBOT to MAYBEROBOT
GTIG only saw two versions of YESROBOT in May before Coldriver shifted to MAYBEROBOT, another backdoor. Given this, it’s likely that YESROBOT was used as a stopgap measure after Google published its report about LostKeys.
From June to September, GTIG researchers saw changes to NOROBOT and the execution chain, indicating that Coldriver was accelerating its development tempo and making NOROBOT variants increasingly simple. This was done in what Shields called Coldriver’s “persistent effort to evade detection systems while ensuring continued intelligence collection against high-value targets. However, by simplifying the NOROBOT downloader, COLDRIVER inadvertently made it easier for GTIG to track their activity.”
MAYBEROBOT remains the group’s preferred backdoor.
Malware Rather Than Phishing
GTIG also said it is unclear why Coldriver now opts to develop and deploy malware rather than run the credential-stealing phishing campaigns it has used in the past. What is clear is that the group has spent a lot of development effort building multiple variants and deploying the malware against specific targets.
“One hypothesis is that COLDRIVER attempts to deploy NOROBOT and MAYBEROBOT on significant targets which they may have previously compromised via phishing and already stolen emails and contacts from, and are now looking to acquire additional intelligence value from information on their devices directly,” Shields wrote.