Infamous Russian cybercrime group Callisto is now using SPICA malware, says TAG

TAG, also known as Google’s Threat Analysis Group, has found that the well-known Russian cybercrime gang Callisto, also named ColdRiver, is now using malware attacks to reach its goals.

The group is known to target high-profile personnel and former high-profile government officials. ColdRiver came into the limelight in 2016, when researchers first noticed its activities across the board. The group has recently increased its activity sharply in connection with the war between Russia and Ukraine.

Formerly, Callisto was known for coordinated reconnaissance and spying-related attacks on high-ranking officials. The main form of attack the group mastered was phishing, gaining the trust of its targets by faking identities. What makes the group more dangerous is its alleged ties with the FSB. The FSB is Russia’s intelligence agency and is also said to be involved in illegal spying-related activities.

In recent activity (2022), the group even attacked a US nuclear research facility and laboratory through phishing, trying to gain access to scientists’ credentials with spoofed login pages.

Malware Attack Identification

The group is said to have stepped up its tactics by using a backdoor-style malware technique that plants hidden code on the system, delivered by way of a seemingly “benign” PDF document. The malware is said to arrive through a link in an email: the attached document first appears encrypted, and the link offered to decrypt it is what delivers the malware.

Figure: sample of a ColdRiver lure PDF


SPICA malware:

The malware being used is known as SPICA. The malware decodes files and infects the disk; in this case, it is used to decode the user’s PDF files and to gain sensitive information. Beyond that, the attackers use it to establish a hidden connection: on the surface the malware “decodes the embedded PDF, writes it to disk, and opens it as a decoy for the user,” while in the background it establishes a link to a secondary server run by the attackers. The attack is used on multiple fronts, so there can be multiple backdoor routes for establishing that connection.
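As an added defender-side example (not code from TAG’s report or from this article), the following Python correlates constructed endpoint telemetry to flag the behaviour described above: a process that writes a PDF, has a child viewer open it, and then connects outbound shortly afterwards. The event field names, the allowlist, the time window and the sample events are all assumptions made for this illustration.

```python
import ntpath
from collections import defaultdict

# Constructed sample telemetry (field names are assumptions, not a real EDR schema):
# pid 10 is the suspicious "decrypter" that drops and opens a decoy PDF, then beacons.
EVENTS = [
    {"ts": 100, "type": "process_create", "pid": 10, "ppid": 1,
     "image": "C:\\Users\\u\\Downloads\\decrypt_tool.exe"},
    {"ts": 101, "type": "file_write", "pid": 10, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\decoy.pdf"},
    {"ts": 102, "type": "process_create", "pid": 11, "ppid": 10,
     "image": "C:\\Program Files\\Adobe\\AcroRd32.exe",
     "cmdline": "AcroRd32.exe C:\\Users\\u\\AppData\\Local\\Temp\\decoy.pdf"},
    {"ts": 105, "type": "network_connect", "pid": 10, "dest": "203.0.113.10:443"},
    # Benign contrast: a browser downloads a PDF and talks to the network (allowlisted).
    {"ts": 200, "type": "process_create", "pid": 20, "ppid": 1,
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
    {"ts": 201, "type": "file_write", "pid": 20, "path": "C:\\Users\\u\\Downloads\\report.pdf"},
    {"ts": 202, "type": "network_connect", "pid": 20, "dest": "198.51.100.5:443"},
]
KNOWN_PDF_WRITERS = {"firefox.exe", "chrome.exe", "msedge.exe", "outlook.exe"}  # assumed allowlist
WINDOW = 60  # max seconds between the decoy write and the outbound connection

def detect_decoy_drop(events, window=WINDOW, allowlist=KNOWN_PDF_WRITERS):
    """Flag processes that write a PDF, have a child open it, and connect out
    within `window` seconds of the write. Returns one finding per decoy."""
    by_pid = defaultdict(lambda: {"image": None, "pdfs": {}, "opened": set(), "conns": []})
    for e in sorted(events, key=lambda e: e["ts"]):
        p = by_pid[e["pid"]]
        if e["type"] == "process_create":
            p["image"] = e["image"]
            parent = by_pid.get(e.get("ppid"))  # .get() avoids creating a phantom entry
            if parent:  # child whose command line names a PDF the parent wrote = decoy opened
                for path in parent["pdfs"]:
                    if path.lower() in e.get("cmdline", "").lower():
                        parent["opened"].add(path)
        elif e["type"] == "file_write" and e["path"].lower().endswith(".pdf"):
            p["pdfs"][e["path"]] = e["ts"]
        elif e["type"] == "network_connect":
            p["conns"].append((e["ts"], e["dest"]))
    findings = []
    for pid, p in by_pid.items():
        if not p["image"] or ntpath.basename(p["image"]).lower() in allowlist:
            continue
        for path in sorted(p["opened"]):
            t0 = p["pdfs"][path]
            beacon = next((d for ts, d in p["conns"] if t0 <= ts <= t0 + window), None)
            if beacon:
                findings.append({"pid": pid, "image": p["image"], "decoy": path, "dest": beacon})
    return findings
```

Running `detect_decoy_drop(EVENTS)` returns a single finding for pid 10; the allowlist and time window are the knobs to tune against false positives from legitimate PDF-producing software.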

Countermeasures by TAG:

TAG (Google’s Threat Analysis Group) has confirmed that it is using countermeasures to deflect or halt ColdRiver’s SPICA malware campaign. Chiefly, spreading information about the campaign widely is seen as an effective stance against this new tactic from the cybercrime group.

Besides that, TAG is also using a domain blocklist. Unknown domains and links are blocked on arrival according to the list. The list is updated with genuine domains only, so that no sketchy domain can gain access to the servers.