Beware of fake PDFs from Russian Coldriver hackers


If you receive an apparently encrypted PDF file and your correspondent then suggests that you download decryption software, for example a file named “Proton-decrypter.exe”, beware! According to Google’s Threat Analysis Group (TAG), this is one of the tricks used by the Russian cyber-espionage group Coldriver.

According to the United Kingdom and the United States, these hackers, also known as Callisto Group or Star Blizzard, are in fact linked to one of the Russian intelligence services, the FSB. Last December, London denounced attempts at Russian interference targeting politicians, civil servants, journalists and NGOs.

Phishing specialists

According to Microsoft, which tracks these hackers under the name Seaborgium, the group specialises in phishing. They try to gain their targets’ trust through impersonation. Once victims have been tricked into opening a PDF file or clicking on a link, the attackers can steal their login credentials.

In their latest publication, Google’s security experts also report that this group of Russian hackers is running an active campaign against civil-society targets and against former intelligence, defense and government officials of NATO countries. Google had already exposed Coldriver’s malicious activities almost two years ago.

Spica backdoor

Google has thus identified a method in which an encrypted PDF file is sent to lure the target into downloading a malicious program. The allegedly encrypted PDF was presented as an editorial or article that the sender of the email wanted to publish and on which they sought the target’s comments. Downloading the supposed decryption utility instead installed a backdoor on the victim’s machine.
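A defender-side triage routine for the lure described above, added here as an example (it is not code from the article, from Google TAG or from the Coldriver tooling). It rests on one fact the article only implies: a PDF that is genuinely encrypted declares an /Encrypt entry in its trailer and opens with a password in any standard viewer, so an emailed “decrypter” executable is never needed. The sample PDF bytes and the MZ-header stub are constructed stand-ins, not real artifacts; the file name Proton-decrypter.exe is the one quoted in the article, and the name-based checks are heuristics an analyst would tune.

```python
"""Triage helper for the 'encrypted PDF plus decrypter' lure.

Added example; not code from the article, Google TAG or Coldriver tooling.
The sample attachments below are constructed stand-ins, not real artifacts.
"""
import re

PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"  # DOS/PE header that every Windows executable starts with

# Verdict strings returned by the classifiers
PDF_ENCRYPTED = "pdf: genuinely encrypted (opens with a password in a normal viewer)"
PDF_PLAIN = "pdf: not encrypted (scrambled-looking text is a lure, not encryption)"
EXE_DECRYPTER = "suspicious: executable offered as a document decrypter"
EXE_OTHER = "executable"
UNKNOWN = "unknown"


def pdf_is_really_encrypted(data: bytes) -> bool:
    """A PDF protected by the standard security handler declares /Encrypt in
    its trailer (or cross-reference stream) dictionary.  A compliant viewer
    then prompts for the password; no third-party 'decrypter' is required."""
    if not data.startswith(PDF_MAGIC):
        return False
    # Match '/Encrypt 4 0 R' or an inline '/Encrypt <<...>>', not '/EncryptMetadata'.
    return re.search(rb"/Encrypt\s*(?:\d+\s+\d+\s+R|<<)", data) is not None


def classify_attachment(name: str, data: bytes) -> str:
    """Classify one attachment by magic bytes plus a name-based hint."""
    lower = name.lower()
    if data.startswith(PE_MAGIC):
        # Heuristic (assumption): an executable named like a decrypter, or a
        # double extension hiding .exe behind .pdf, is the shape of this lure.
        if "decrypt" in lower or lower.endswith((".pdf.exe", ".pdf.scr")):
            return EXE_DECRYPTER
        return EXE_OTHER
    if data.startswith(PDF_MAGIC):
        return PDF_ENCRYPTED if pdf_is_really_encrypted(data) else PDF_PLAIN
    return UNKNOWN


def triage_thread(attachments):
    """attachments: list of (filename, bytes) in arrival order within one
    conversation.  Returns per-file verdicts plus a thread-level finding when
    an unencrypted 'encrypted' PDF is followed by a decrypter executable."""
    verdicts = [(name, classify_attachment(name, data)) for name, data in attachments]
    findings = list(verdicts)
    seen_plain_pdf = False
    for name, verdict in verdicts:
        if verdict == PDF_PLAIN:
            seen_plain_pdf = True
        elif verdict == EXE_DECRYPTER and seen_plain_pdf:
            findings.append(("thread", f"lure pattern: unencrypted PDF followed by {name}"))
    return findings


# --- constructed samples (not real files) ---------------------------------
# Minimal PDF whose only page content is gibberish text; nothing is encrypted.
LURE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
            b"4 0 obj << /Length 39 >> stream\n"
            b"BT /F1 12 Tf (Xq9#kL!mZ2@vP^&dR) Tj ET\nendstream endobj\n"
            b"trailer << /Size 5 /Root 1 0 R >>\n%%EOF\n")
# Same structure, but the trailer references a standard /Encrypt dictionary.
ENCRYPTED_PDF = LURE_PDF.replace(
    b"trailer << /Size 5 /Root 1 0 R >>",
    b"5 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 >> endobj\n"
    b"trailer << /Size 6 /Root 1 0 R /Encrypt 5 0 R /ID [<0123> <0123>] >>")
# Stand-in for a Windows executable: the MZ header followed by filler bytes.
FAKE_DECRYPTER = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"

if __name__ == "__main__":
    for entry in triage_thread([("article.pdf", LURE_PDF),
                                ("Proton-decrypter.exe", FAKE_DECRYPTER)]):
        print(*entry, sep=": ")
```

The thread-level rule is the useful one: a PDF whose trailer carries no /Encrypt entry but whose text looks scrambled, followed in the same conversation by an executable offered as the key, is the sequence the article describes, and a mail gateway or analyst can flag that pairing without ever running the executable.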

The backdoor, called Spica, is written in Rust and lets its operators steal cookies, exfiltrate data or execute commands. Google’s experts estimate that it has been in use since at least November 2022. A few years earlier, they had caught Coldriver using a program that leaked when the Italian company Hacking Team was hacked in July 2015.
