Google says Cold River, a hacking group backed by the Russian govt. Is trying to hack you via PDF.
If you recently received an email with an encrypted PDF, you probably are a target as well. Google recently released a blog post detailing how Cold River is sending emails containing encrypted PDFs. These emails are sent from names/accounts that the victims may find relatable. Maybe an expert in your field, a big publishing house or other such proxies are used which the victims may find trustworthy. The victims then revert back asking for ways to unlock the encrypted PDF.
This is when a malware, so far known as Proton-decrypter.exe is sent. When launched, it does display a document but in the background the victim’s systems get hacked.
Once the malware is deployed, it can do a number of things, including:
- Uploading/downloading files
- Extracting cookies from Chrome, FireFox, Edge and Opera
- It can also execute shell commands
- Listing filesystem contents etc.
An unknown command termed as “Telegram” has been found as well, although its functions aren’t clear so far.
The exact number of victims isn’t known or publicly published yet. However, the targets are believed to be high profile individuals. These may be military personnel, NGO workers, NATO officials and their allies.
The backdoor merged with the fake PDF decryptor is known as SPICA and is the earliest backdoor that Google has been able to associate with Cold River. It’s a Rust program that uses JSON over Websockets for command and control. SPICA can be traced back to at least Nov. 2022 as per Google TAG. The earliest “observed” use of SPICA however was in September 2023.
In response to the attack, Google has issued a “Govt.-backed attack” alerts to targeted individuals. Known domains and files have been blacklisted to prevent future exploitation as well.
And yes, the group is backed by the Russian govt. as was proven when a traceback by the Five-Eyes group led them to “Center 18” of the Russian FSB.
Previously, Microsoft disabled accounts belonging to Cold River. These emails were used v
The more problematic news comes from Microsoft which recently said that the group has improved its evasion techniques. This means the group probably wouldn’t slow down in the near future and more of these attacks are to be anticipated.
You’re probably not a target of these hacks, however, we’d recommend you follow a few security precautions anyways and always. For starters, do not download software you don’t fully trust. While viruses can also be spread via almost any file-type, “executable files” are the most common way it happens. Also, use a VPN to conceal your IP address, activity and identity.