Microsoft Warns of COLDRIVER's Evolving Evasion and Credential-Stealing Tactics
8.12.23  Hacking  The Hacker News

The threat actor known as COLDRIVER has continued to engage in credential theft activities against entities that are of strategic interests to Russia while simultaneously improving its detection evasion capabilities.

The Microsoft Threat Intelligence team is tracking the cluster as Star Blizzard (formerly SEABORGIUM). It's also called Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), and TA446.

The adversary "continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests," Redmond said.

Star Blizzard, linked to Russia's Federal Security Service (FSB), has a track record of setting up lookalike domains that impersonate the login pages of targeted companies. It's known to be active since at least 2017.

In August 2023, Recorded Future revealed 94 new domains that are part of the threat actor's attack infrastructure, most of which feature keywords related to information technology and cryptocurrency.

Microsoft said it observed the adversary leveraging server-side scripts to prevent automated scanning of the actor-controlled infrastructure starting in April 2023, moving away from relying on hCaptcha alone to determine targets of interest before redirecting the browsing session to the Evilginx server.

The server-side JavaScript code is designed to check whether the browser has any plugins installed and whether the page is being accessed by an automation tool like Selenium or PhantomJS, and to transmit the results to the server in the form of an HTTP POST request.

"Following the POST request, the redirector server assesses the data collected from the browser and decides whether to allow continued browser redirection," Microsoft said.

"When a good verdict is reached, the browser receives a response from the redirection server, redirecting to the next stage of the chain, which is either an hCaptcha for the user to solve, or direct to the Evilginx server."
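The redirection chain described above gives defenders something to look for when triaging a suspicious landing page: a script that probes for plugins and automation frameworks, reports the verdict with a POST, and only then redirects. The following added example (not code from Microsoft's report or from the actor) is a small heuristic scorer that flags scripts combining those traits; the two sample scripts are constructed for illustration.

```python
import re

# Indicator families drawn from the behaviour described in the report:
# probing for automation tools (Selenium, PhantomJS), checking browser
# plugins, posting the collected data back, and then redirecting.
INDICATORS = {
    "automation_probe": re.compile(
        r"navigator\.webdriver|_phantom\b|callPhantom|__selenium|__webdriver|\bselenium\b",
        re.I,
    ),
    "plugin_probe": re.compile(r"navigator\.plugins", re.I),
    "post_callback": re.compile(
        r"""XMLHttpRequest|fetch\(|\.open\(\s*['"]POST['"]|method\s*:\s*['"]POST['"]""",
        re.I,
    ),
    "redirect": re.compile(r"location\.(href|replace)|window\.location", re.I),
}


def score_script(js: str) -> dict:
    """Return which indicator families fire in a page's script text.

    'suspicious' is set only when the script both probes for automation
    and reports the result with a POST, which is the combination that
    distinguishes a bot-filtering redirector from ordinary site code.
    """
    hits = {name: bool(rx.search(js)) for name, rx in INDICATORS.items()}
    hits["suspicious"] = hits["automation_probe"] and hits["post_callback"]
    return hits


# Constructed sample resembling a filtering redirector (not a real capture).
SAMPLE_SUSPECT = """
var r = {p: navigator.plugins.length, w: navigator.webdriver === true,
         ph: !!window.callPhantom};
var x = new XMLHttpRequest(); x.open('POST', '/check', true);
x.onload = function () { if (x.responseText == 'ok') window.location.href = x.responseText; };
x.send(JSON.stringify(r));
"""

# Constructed sample of ordinary navigation code that also redirects.
SAMPLE_BENIGN = """
document.querySelector('#menu').addEventListener('click', function () {
  location.href = '/about';
});
"""

if __name__ == "__main__":
    for label, js in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, score_script(js))
```

A redirect on its own is not evidence of anything; the scorer only raises a flag when the automation probe and the POST callback occur together.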

Also newly used by Star Blizzard are email marketing services like HubSpot and MailerLite to craft campaigns that serve as the starting point of the redirection chain that culminates at the Evilginx server hosting the credential harvesting page.

In addition, the threat actor has been observed using a domain name system (DNS) provider to resolve actor-registered domain infrastructure, sending password-protected PDF lures embedding the links to evade email security processes, and hosting the files on Proton Drive.

That's not all. In a sign that the threat actor is actively keeping tabs on public reporting into its tactics and techniques, it has now upgraded its domain generation algorithm (DGA) to draw on a more randomized list of words when naming its domains.

Despite these changes, "Star Blizzard activities remain focused on email credential theft, predominantly targeting cloud-based email providers that host organizational and/or personal email accounts," Microsoft said.

"Star Blizzard remains constant in their use of pairs of dedicated VPSs to host actor-controlled infrastructure (redirector + Evilginx servers) used for spear-phishing activities, where each server usually hosts a separate actor registered domain."

U.K. and U.S. Sanction Two Members of Star Blizzard
The development comes as the U.K. called out Star Blizzard for "sustained unsuccessful attempts to interfere in U.K. political processes" by targeting high-profile individuals and entities through cyber operations.

Besides linking Star Blizzard to Centre 18, a subordinate element within FSB, the U.K. government sanctioned two members of the hacking crew – Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets (aka Alexey Doguzhiev) – for their involvement in the spear-phishing campaigns.

The activity "resulted in unauthorized access and exfiltration of sensitive data, which was intended to undermine UK organizations and more broadly, the UK government," it said.

The Five Eyes intelligence alliance comprising Australia, Canada, New Zealand, the U.K., and the U.S. further highlighted the threat actor's pattern of impersonating known contacts' email accounts to appear trustworthy, creating fabricated social media profiles, and creating malicious domains that resemble legitimate organizations.

The spear-phishing attacks are preceded by a research and preparatory phase to conduct reconnaissance of their targets, before approaching them via their personal email addresses in a likely attempt to bypass security controls on corporate networks and build rapport in hopes of ultimately delivering links that mimic the sign-in page for a legitimate service.

"The sender address could be from any free email provider, but special attention should be paid to emails received from Proton account senders (@proton.me, @protonmail.com) as they are frequently used by Star Blizzard," Microsoft said.

The credentials entered by the targets on these pages are then captured and used to access the victims' emails and attachments, not to mention their contact lists, which are subsequently used for follow-on phishing activity via the compromised accounts.

In a newly unsealed indictment against Peretyatko and Korinets, the U.S. Department of Justice (DoJ) said the defendants used spoofed email accounts to send messages that purported to come from email providers suggesting the recipients had violated terms of service, but, in actuality, were engineered to trick them into providing their email account credentials to false login prompts.

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) implicated the FSB in long-running hack-and-leak operations with the goal of shaping narratives in targeted countries and advancing Russia's strategic interests.

It also accused Korinets of setting up at least 39 bogus credential harvesting domains for phishing campaigns between 2016 and 2020. Peretyatko is alleged to have used a fraudulent email account in 2017 to send phishing emails that redirected victims to a malicious domain created by Korinets.

"Peretyatko and other FSB officers responsible for the spear phishing campaigns have researched new tools that would support their malicious cyber activities," the Treasury Department said.

"One of the tools included malware that allows for the evasion of two-factor authentication, another permits for the control of a device with limited risk of detection, and a third that allows access to webmail inboxes."

Alongside the sanctions, the U.S. Department of State has also announced a $10 million reward for any information leading to the identification of Star Blizzard's members and their activities as part of its Rewards for Justice (RFJ) program.

Responding to the sanctions blockade, the Russian Embassy in the U.K. characterized it as a "futile move" and "yet another act of poorly staged drama," with President Vladimir Putin stating "Western elites use sanctions, provoking conflicts in whole macro-regions in an attempt to maintain their slipping domination."