
Russian hacker Coldriver extends techniques to incorporate custom malware

When the user tries to open the PDF, the content appears to be encrypted text. If the target reaches out for decryption, they are presented with a link, usually hosted on a cloud storage site, to a "decryption" utility. That utility, in addition to displaying a decoy "decrypted" document, is the SPICA backdoor in disguise.

While Coldriver has used malware before, SPICA is the first custom malware attributed to it. "In 2015 and 2016, TAG observed Coldriver using the Scout implant that was leaked during the Hacking Team incident of July 2015."

SPICA is a multifaceted backdoor

TAG's analysis of the SPICA binary revealed that it is written in Rust, a low-level programming language used for building operating systems, kernels, and device drivers. The binary uses JavaScript Object Notation (JSON), a text-based data interchange format, over websockets for command and control (C2).

"Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user," TAG added. "In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute."


SPICA supports a number of commands for different attacks, which include running arbitrary shell commands, uploading and downloading files, stealing cookies from Chrome, Firefox, Opera, and Edge, and enumerating documents and exfiltrating them in an archive. There is also a "Telegram" command that TAG observed but could not analyze further to determine its specific functionality.

SPICA establishes persistence by creating a scheduled task named CalendarChecker, using an obfuscated PowerShell command. For user awareness, TAG has shared indicators of compromise (IOCs), which include hashes of observed PDF documents, some SPICA samples, and the observed C2 domain.
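As an added defender-side example, not from the article or from TAG, the Python routine below triages constructed scheduled-task creation records and flags a task that carries the CalendarChecker name or launches PowerShell with a base64-encoded command (one common form of obfuscation; the article does not say which form SPICA uses). The record field names and the sample command are assumptions.

```python
import base64
import re

# Helper: PowerShell's -EncodedCommand takes base64 of UTF-16LE text.
def _enc(ps: str) -> str:
    return base64.b64encode(ps.encode("utf-16-le")).decode()

# Constructed sample records, loosely modelled on Windows Security event 4698
# (scheduled task created). Field names and values are our own, not real IOCs.
SAMPLE_EVENTS = [
    {"task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe", "args": "-c -h -o -$"},
    {"task": "\\CalendarChecker", "command": "powershell.exe",
     "args": "-nop -w hidden -enc " + _enc(r"Start-Process C:\Placeholder\launcher.exe")},
    {"task": "\\Backup\\Nightly", "command": "powershell.exe",
     "args": "-File C:\\Scripts\\backup.ps1"},
]

# Matches the short and long spellings of the encoded-command switch.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(args: str):
    """Return the decoded PowerShell text, None if no encoded switch is present."""
    m = ENC_FLAG.search(args)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"

def triage(events):
    """Flag task registrations worth an analyst's attention, with reasons."""
    findings = []
    for ev in events:
        reasons = []
        # Task name reported for SPICA persistence (compare the leaf name only).
        if ev["task"].rsplit("\\", 1)[-1].lower() == "calendarchecker":
            reasons.append("task name matches SPICA persistence name")
        decoded = None
        if "powershell" in ev["command"].lower():
            decoded = decode_encoded_command(ev["args"])
            if decoded is not None:
                reasons.append("powershell launched with encoded command")
        if reasons:
            findings.append({"task": ev["task"], "reasons": reasons, "decoded": decoded})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

Decoding the argument before matching matters because the encoded form hides the script body from simple string rules.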
