Russian hackers attack Ukraine and NATO using a new scheme: what never to do

Cybersecurity experts at Google discovered the malware and released updates to block it.

Russian hackers send encrypted files to trick victims into installing malware. This conclusion was reached by Google experts who reported the problem on their official blog.

Google’s cybersecurity experts wrote on the company’s official blog that a Kremlin-sponsored group of Russian hackers called Coldriver has developed a new phishing tactic. The experts state that this is the same group that attacked 3 US nuclear research laboratories in 2023.

“Coldriver often uses accounts pretending to be experts in a particular field, such as cybersecurity. They then use this account to contact victims and convince them that their computers are at risk but that they can help. Ultimately, the attackers send a document with instructions to install an antivirus, containing a malicious link,” the experts write.

Coldriver sends out PDF articles with a request for feedback in order to trick people into installing malware. The text in the PDF is deliberately encrypted, so it cannot be read. If the user falls into the trap, they tell the imaginary expert that they cannot read the text. The “expert” then offers a link to a decryption utility, but in reality the “decryption utility” is a backdoor (a deliberately placed flaw in computer code that allows unauthorized access to data or remote control of a computer).

Google named this backdoor Spica. Once installed, the malware can remotely execute commands, steal cookies from the user’s browser, download and upload files, and delete documents on the computer. Google says Spica was first used in September 2023. A total of 4 encrypted PDF decoys were discovered, but Google was only able to obtain one instance of Spica, which appeared in the form of a tool called “Proton-decrypter.exe”.

Using this malware, Coldriver hackers sought to steal the credentials of users and groups affiliated with Ukraine, NATO, scientific institutions, and non-governmental organizations. To protect users, Google updated its software to block the loading of domains associated with the Coldriver phishing campaign.

Google published the report a month after US authorities warned that the Coldriver group, also known as Star Blizzard, “continues to successfully use phishing attacks” against targets in the UK.

The US Cybersecurity and Infrastructure Security Agency stated that “Star Blizzard has been targeting sectors such as academia, government institutions, non-governmental organizations, think tanks and policy makers since 2019” and continued: “Star Blizzard’s activities appear to have expanded further in 2022, with U.S. Department of Energy facilities as well as military-industrial facilities becoming targets.”

We previously reported that hackers attacked the Chrome browser, putting users’ bank accounts at risk. Cybercriminals can steal users’ personal information, passwords and credit card numbers. The Edge, Brave and Opera browsers are also at risk.

Source: Focus
