Malware News Google: Russian FSB hackers deploy new Spica backdoor malware

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,232
Google says the ColdRiver Russian-backed hacking group is pushing previously unknown backdoor malware using payloads masquerading as a PDF decryption tool.

The attackers send PDF documents that seem to be encrypted via phishing emails impersonating individuals affiliated with their targets (a tactic first observed in November 2022).

When the recipients reply that they can't read the 'encrypted' documents, they're sent a link to download what looks like a PDF decryptor executable (named Proton-decrypter.exe) to view the contents of the lure documents.

"COLDRIVER presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted," Google TAG said.

However, even though this fake decryption software will display a decoy PDF document, it will backdoor the victims' devices using a malware strain dubbed Spica by security researchers with Google's Threat Analysis Group (TAG), who spotted the attacks.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top