Spica

Malware updated 6 months ago (2024-05-23T16:17:57.978Z)

Download STIX

Preview STIX

Spica is a custom malware developed and utilized by the threat group known as Coldriver. The backdoor software, Spica, was first identified by Google's Threat Analysis Group (TAG), which has been tracking its use since as early as September of the previous year. The malware appears to be used in highly targeted attacks and is likely still under active development. It provides persistent access to a victim's machine, enabling the execution of commands, theft of browser cookies, and exfiltration of documents. Despite law enforcement action, Cold River's activity has remained consistent over the years. The functionality of Spica allows attackers to execute commands on targeted systems, upload and download files, and gather system and file information. A particular command named "telegram" is embedded within Spica, although its exact function remains unclear. Google believes that multiple versions of the Spica backdoor exist, each featuring a different embedded decoy document to match the lure document sent to targets. The earliest use of this backdoor by Coldriver dates back to November 2022. Google’s TAG has created a YARA rule to assist in identifying the Spica backdoor. The rule includes various strings and conditions related to the malware, such as "os_win.c:%d: (%lu) %s(%s) – %s", "winWrite1", "DNS resolution panicked", and "struct Dox". These identifiers can help in detecting the presence of Spica in a system. Notably, one of the strings is “Card Holder: Bull Gayts”, suggesting a possible attempt at humor or misdirection by the malware's creators.

Description last updated: 2024-05-23T15:18:07.887Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Decoy

Backdoor

Malware

Apt

Google

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The malware Proton-decrypter.exe is associated with Spica.	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The COLDRIVER Threat Actor is associated with Spica. Coldriver, also known as Star Blizzard, Callisto, and Seaborgium, is a Russia-based cyber-espionage group believed to be backed by the Federal Security Service (FSB). This threat actor has been active since at least 2015, targeting government officials, military personnel, journalists, think tanks,	Unspecified	5

Source Document References

Information about the Spica Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Flashpoint	6 months ago	Evolving Tactics: How Russian APT Groups Are Shaping Cyber Threats in 2024
CERT-EU	10 months ago	Google says Russian espionage crew behind new malware campaign \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	10 months ago	Prolific Russian hacking unit using custom backdoor for the first time
BankInfoSecurity	10 months ago	Google: Russian FSB Hacking Group Turns to Malware
Malwarebytes	10 months ago	Coldriver threat group targets high-ranking officials to obtain credentials \| Malwarebytes
CERT-EU	10 months ago	ColdRiver threat group targeting critical infrastructure with backdoor attacks
CERT-EU	10 months ago	Russian hacker Coldriver extends tactics to include custom malware \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
InfoSecurity-magazine	10 months ago	Russian Coldriver Hackers Deploy Malware to Target Western Officials
CERT-EU	10 months ago	What is SPICA backdoor malware used by Russian hackers on Western officials? \| Technology News \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	10 months ago	Cyber Security Week in Review: January 19, 2024
CERT-EU	10 months ago	Google warns against new malware campaign spreading through PDFs \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	10 months ago	Google: Russian state hackers deploying malware in espionage attacks around Europe
CERT-EU	10 months ago	Russian FSB Hacking Group Turns to Malware \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	10 months ago	Russian Hackers Are Using PDF Tricks and Custom Malware to Target NATO \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
DARKReading	10 months ago	Google: Russia's ColdRiver APT Unleashes Custom 'Spica' Malware
CERT-EU	10 months ago	Google disrupts malware campaign run by Russia-linked hacking group \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	10 months ago	Google: Russian FSB hackers deploy new Spica backdoor malware
CERT-EU	10 months ago	Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware
CERT-EU	10 months ago	Russian threat group spreading backdoor through phishing, says Google \| IT World Canada News
CERT-EU	10 months ago	Russian APT Known for Phishing Attacks Is Also Developing Malware, Google Warns \| Antivirus and Security news