Rewterz Threat Alert – COLDRIVER APT’s Credential Theft and Detection Evading Tactics Exposed by Microsoft – Active IOCs

Severity

High

Analysis Summary

A Russian-linked cybercrime group dubbed COLDRIVER has been involved in various credential theft campaigns against organizations that are of strategic interest to Russia while continuing to improve its stealth capabilities. Microsoft’s security team has been tracking these malicious activities as Star Blizzard (aka SEABORGIUM). Its other names are BlueCharlie (or TAG-53), Blue Callisto, Calisto (also called Callisto), and TA446.

Microsoft’s report, “Star Blizzard has improved their detection evasion capabilities since 2022 while remaining focused on email credential theft against the same targets.”

The threat group especially targets entities that are involved in defense, international affairs, academia, information security companies, logistics support to Ukraine, and others that align with Russian state interests. Star Blizzard has been linked to Russia’s Federal Security Service (FSB) and is known to register domains that pretend to be the login pages of their targeted companies. It was first discovered in 2017.

In August of this year, it was revealed that 94 new domains were part of the threat group’s attack infrastructure and used keywords related to cryptocurrency and information technology. The adversary has been using server-side scripts to prevent automated scanning of actor-controlled infrastructure since April 2023. The server-side JavaScript code is made to see if the browser is running any plugins in case of any automation tool like PhantomJS and Selenium, and then finally it transfers the results to the server as an HTTP POST request.

The redirecting server then assesses the data that is harvested from the browser to decide whether to continue the browser redirection. The browser then gets a response from the redirection server that sends it to the next stage of the attack, which is either an hCaptcha or the Evilginx server. Star Blizzard has also started using email marketing services like MailerLite and HubSpot in its campaigns as a starting point of the redirection chain.

The attacker has also been observed using a domain name service (DNS) provider for resolving their registered domain infrastructure, hosting files on Proton Drive, and sending PDF lures with password protection to evade email security processes. The threat actor is actively monitoring the public reports about its tactics and techniques as well. Despite all this, Star Blizzard keeps its focus on email credential theft and targeting cloud-based email providers that host email accounts.

The development comes as the U.K. announced that Star Bizzard has made many unsuccessful attempts to target high-profile individuals and organizations with their cyber operations to interfere in U.K. political processes. The government also ended up sanctioning two members of the APT group for being involved in carrying out spear-phishing campaigns, the activity that resulted in the exfiltration of sensitive data and unauthorized access to compromised systems.

The threat group shows a pattern of impersonating contact’s email accounts to trick the victims into trusting their malicious emails as well as creating malicious domains resembling legitimate organizations. The actors conduct reconnaissance of their targets before initiating the spear-phishing attacks by approaching the targeted users using personal email addresses in an attempt to bypass security controls on corporate networks.

Once the victim is redirected to the fake sign-in page of a legitimate service and has entered their credentials, the actors gain access to the victim’s emails and attachments, as well as their contacts list which are later used for more phishing activity using the compromised accounts. These cybercriminals used crafted emails to look like they were sent from email providers, suggesting to the targeted user that they had violated terms of service as a way to trick the victims into giving their email account credentials to fake login prompts.

Impact

• Identity Theft
• Credential Theft
• Sensitive Information Theft

Indicators of Compromise

Domain Name

• centralitdef.com
• rootgatewayshome.com
• directstoragepro.com
• infocryptoweb.com
• cloudwebstorage.com
• cryptdatahub.com
• datainfosecure.com
• servershieldme.com
• guardittech.com

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
• Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
• Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
• Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
• Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
• Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
• Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.