Spica

Malware updated 23 days ago (2024-11-29T13:44:14.917Z)
Download STIX
Preview STIX
Spica is a custom malware developed and utilized by the threat group known as Coldriver. The backdoor software, Spica, was first identified by Google's Threat Analysis Group (TAG), which has been tracking its use since as early as September of the previous year. The malware appears to be used in highly targeted attacks and is likely still under active development. It provides persistent access to a victim's machine, enabling the execution of commands, theft of browser cookies, and exfiltration of documents. Despite law enforcement action, Cold River's activity has remained consistent over the years. The functionality of Spica allows attackers to execute commands on targeted systems, upload and download files, and gather system and file information. A particular command named "telegram" is embedded within Spica, although its exact function remains unclear. Google believes that multiple versions of the Spica backdoor exist, each featuring a different embedded decoy document to match the lure document sent to targets. The earliest use of this backdoor by Coldriver dates back to November 2022. Google’s TAG has created a YARA rule to assist in identifying the Spica backdoor. The rule includes various strings and conditions related to the malware, such as "os_win.c:%d: (%lu) %s(%s) – %s", "winWrite1", "DNS resolution panicked", and "struct Dox". These identifiers can help in detecting the presence of Spica in a system. Notably, one of the strings is “Card Holder: Bull Gayts”, suggesting a possible attempt at humor or misdirection by the malware's creators.
Description last updated: 2024-05-23T15:18:07.887Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Decoy
Backdoor
Malware
Apt
Telegram
Google
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The malware Proton-decrypter.exe is associated with Spica. Unspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The COLDRIVER Threat Actor is associated with Spica. Coldriver, also known as Star Blizzard, Callisto, and Seaborgium, is a Russia-based cyber-espionage group believed to be backed by the Federal Security Service (FSB). This threat actor has been active since at least 2015, targeting government officials, military personnel, journalists, think tanks, Unspecified
5
Source Document References
Information about the Spica Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Flashpoint
7 months ago
CERT-EU
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
Malwarebytes
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
InfoSecurity-magazine
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
DARKReading
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago