Russian hackers with ties to the Kremlin keep devising new methods to carry out malware attacks. According to Google's reports, the hacking group tracked as COLDRIVER is using encrypted PDF files to infect its targets in Ukraine and NATO countries.
According to the Californian firm's Threat Analysis Group, the Russian hackers are going after high-profile targets: specifically, members of non-governmental organizations and academic institutions, and retired officers from the military and intelligence agencies.
In this case, the malware attack is carried out through a phishing or identity-fraud campaign. The Russian hackers pose as experts or people connected to the field of expertise of the target they wish to attack. To do this, they use previously stolen credentials and establish communication with the intended victim.
Once this is achieved, the rest of the malware attack is quite simple. The hackers send a document to their targets, asking for a review or opinion on its contents. The file in question is a conventional PDF that raises no major suspicion, although when the target tries to open it a warning appears stating that it is encrypted.
When the targets explain that they cannot open the file, the Russian hackers give them a link to download software that supposedly decrypts the document. As you can imagine, the program is actually a malicious application that tricks the victim by showing them a supposedly decrypted version of the original document. While this is happening, the attackers deploy a backdoor in the background to gain control over the victim's computer.
Russian hackers use encrypted PDFs as bait for malware attacks
Google explains that the malware used by Russian COLDRIVER hackers in their attacks has been identified as SPICA. This would be the first custom malicious software developed and deployed by the aforementioned group of hackers. Security experts indicate that attacks with this tool have been recorded since last September, but the exploited vulnerability dates back to at least 2022.
Once the cybercriminals gain access to a victim's computer, they can carry out multiple operations: from stealing session cookies from several web browsers (Chrome, Firefox, Edge and Opera), to uploading and downloading files to and from the victim's storage drive. On top of this come other capabilities such as executing arbitrary shell commands, enumerating and listing system files, and exfiltrating documents to an external server.
To stop these attacks from spreading further, Google has identified the websites and addresses used by the Russian hackers to distribute the malware. All of this information has already been added to Chrome's Safe Browsing, and potentially affected agencies have also been notified. Even so, criminals are known to continually change the methods they use to distribute their threats.
This is not the first time Kremlin-linked hackers have put Ukraine and NATO in their sights. In 2023, they took advantage of the popular WinRAR file compressor to attack the Ukrainian government and irreversibly delete large amounts of sensitive information from its servers. Microsoft, for its part, confirmed in 2022 that Russian hackers had attacked 40 countries allied with Ukraine in the war.
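One behaviour in that list that defenders can look for directly is a process other than the browser itself reading the browsers' cookie databases. The script below is an added example, not code from the article or from Google's report: it runs a simple rule over a handful of constructed file-access events (the kind an EDR file monitor records), flags non-browser processes that touch the cookie store of Chrome, Edge, Opera or Firefox, and rates a process that reaches into two or more browsers' stores as high severity. The on-disk paths are the usual Windows profile layouts and are assumed; the process names `pdf_decryptor.exe` and `backup-agent.exe` are hypothetical.

```python
import re
from collections import defaultdict

# Typical on-disk locations of browser cookie databases on Windows (assumed
# layouts; adjust the patterns to the profile paths seen in your environment).
# browser -> (legitimate process image, regex matched against the accessed path)
BROWSER_COOKIE_STORES = {
    "chrome": ("chrome.exe", re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(?:Network\\)?Cookies$", re.I)),
    "edge": ("msedge.exe", re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\(?:Network\\)?Cookies$", re.I)),
    "opera": ("opera.exe", re.compile(r"\\Opera Software\\[^\\]+\\(?:Network\\)?Cookies$", re.I)),
    "firefox": ("firefox.exe", re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I)),
}

# Constructed file-access events modelled on an EDR file monitor's output.
# The process names "pdf_decryptor.exe" and "backup-agent.exe" are hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2024-01-18T09:00:01Z", "process": "chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": "2024-01-18T09:00:05Z", "process": "firefox.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cookies.sqlite"},
    {"ts": "2024-01-18T09:00:30Z", "process": "explorer.exe",
     "path": r"C:\Users\alice\Documents\report.pdf"},
    {"ts": "2024-01-18T09:01:10Z", "process": "pdf_decryptor.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": "2024-01-18T09:01:11Z", "process": "pdf_decryptor.exe",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"ts": "2024-01-18T09:01:12Z", "process": "pdf_decryptor.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\cookies.sqlite"},
    {"ts": "2024-01-18T09:01:13Z", "process": "pdf_decryptor.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Opera Software\Opera Stable\Network\Cookies"},
    {"ts": "2024-01-18T09:05:00Z", "process": "backup-agent.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
]


def classify_event(event):
    """Return the browser whose cookie store this event touched, or None."""
    for browser, (_, pattern) in BROWSER_COOKIE_STORES.items():
        if pattern.search(event["path"]):
            return browser
    return None


def detect_cookie_access(events):
    """Flag non-browser processes that read browser cookie stores.

    Returns one alert per offending process. A process that reaches into the
    stores of two or more different browsers is rated "high", because that is
    the multi-browser cookie theft described for SPICA; a single store is
    rated "medium", since backup or sync agents can look similar.
    """
    touched = defaultdict(dict)  # process -> {browser: first event seen}
    for ev in events:
        browser = classify_event(ev)
        if browser is None:
            continue
        legit_image = BROWSER_COOKIE_STORES[browser][0]
        if ev["process"].lower() == legit_image:
            continue  # the browser reading its own cookies is normal
        touched[ev["process"]].setdefault(browser, ev)

    alerts = []
    for process, per_browser in touched.items():
        alerts.append({
            "process": process,
            "browsers": sorted(per_browser),
            "severity": "high" if len(per_browser) >= 2 else "medium",
            "first_seen": min(ev["ts"] for ev in per_browser.values()),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_cookie_access(SAMPLE_EVENTS):
        print(f'[{alert["severity"].upper()}] {alert["process"]} read cookie stores of '
              f'{", ".join(alert["browsers"])} (first seen {alert["first_seen"]})')
```

The rule keys on the path and the process image only, so a real deployment would also want the process's parent and signing status (a freshly downloaded, unsigned "decryptor" launched from a user's Downloads folder is a very different thing from a signed backup agent), but the two-tier severity already separates the multi-browser sweep this article describes from the one-off accesses that legitimate tools produce.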