Breaking Badness

177. Just Around the COLDRIVER Bend

Coming up this week on Breaking Badness: Cry Me A COLDRIVER, Life of MediaPI, and Gold, Guidance, and Grievances.

Here are a few highlights from each article we discussed:
Cry Me A COLDRIVER

  • Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware
  • What do we know about COLDRIVER?
    • This is an APT group that has gone by several names (as so many activity groups do) so you may know them as UNC4057, Star Blizzard, or Callisto; at any rate, although this TAG report doesn’t explicitly say this, we’d say with some confidence that they’re mainly up to espionage
    • What TAG and others have observed them doing is mainly credential harvesting against targets that are pretty predictable for a Russian APT group—NATO governments and military, the same for Ukraine, and high profile Western-affiliated NGOs and the like. They have gone after officials and former officials from these target organizations with fairly standard phishing campaigns, trying to create trust and rapport with the victim to eventually get creds
  • Why is COLDRIVER making the switch from phishing to delivering malware?
    • Don’t forget that phishing often—very often—incorporates malware. In fact, it’s a bit surprising that they weren’t deploying it earlier, but maybe that’s a way that they were able to keep their profile relatively low
    • As soon as you have malware, you’ve got more potential IoCs and indeed this TAG report has a bunch of those. But it’s possible that their intended targets were becoming harder to phish—pure conjecture on my part but that could be one explanation for this apparent change in tactics. But—actually it is NOT likely that this is the first time they have ever used malware. More on that later—SPOILER ALERT!
  • COLDRIVER had been sending benign PDFs to their targets that included some random characters, and if the target said they couldn’t read the PDF, COLDRIVER would respond with a link to a supposed decryption utility. That “decryptor” was the malware known as SPICA
    • We’ll say a little bit about the benign PDF because this is a bit of an interesting wrinkle from a lot of malware distribution that we see. And to me it represents a bit of a risk that COLDRIVER is taking, because there’s a chance that the target could get suspicious of this initial PDF, and back out of any further engagement with the phisher
    • The PDF is gibberish – and so the phisher is hoping that the target will come back to them and say “hey, this seems to be encrypted,” at which point the phisher very helpfully provides a portal to a special decryptor for the PDF
    • Alas, this is where stuff starts to go (if the target is a Brit) all pear-shaped. Because as you surely surmise by now, what that portal actually delivers is not the decryptor for the PDF but this SPICA malware, which is a multipurpose spyware tool that does the following things (and I’m just quoting directly from TAG here):
      • Executing arbitrary shell commands
      • Stealing cookies from Chrome, Firefox, Opera and Edge
      • Uploading and downloading files
      • Perusing the filesystem by listing the contents of it
      • Enumerating documents and exfiltrating them in an archive
      • There is also a command called “telegram,” but the functionality of this command is unclear
    • It’s written in Rust and uses JSON over websockets for its command and control. And incidentally—the victim does in fact receive a decrypted PDF, but that’s not because there’s a real decryptor here, it’s just a false second document that makes the victim think that nothing bad is going on
  • TAG reported that SPICA might have been in use since 2022, so does that mean COLDRIVER has been playing more of a long game in delivering malware?
    • It seems that way, but TAG offers no details to support why they think it was being used back then. But going back to what we were hinting at earlier—TAG does mention that back in 2015-2016, they saw this group using another spyware tool called Scout, which was one of the tools leaked in the Hacking Team incident in the summer of 2015. Scout was designed to help the threat actor determine whether a machine it was dropped on represented an interesting target or not
  • Are there any mitigations at this time?
    • Odds are that most of our listeners aren’t going to be targeted by this group, but who knows—if Tom Hanks tunes in, who are we to say that we might not also have high-level officials with NATO states or Ukraine also listening to the show
    • But yes, we see at least two pretty straightforward mitigations: 1) If you receive a PDF full of gibberish, delete it and end all communications with the sender of it, and it’s probably not a bad idea at that point to have your security team give your machine a thorough check
    • 2) The one C2 IOC they provided in this report was connections to a specific IP address on Port 3000. This was another thing that looked really odd to me about this—a very large number of organizations these days, especially the most mature among them, practice egress filtering, which means that Port 3000 wouldn’t be allowed outbound anyway, or at minimum it would raise an event of some sort. And—they don’t appear to be using domains! So once that IP is burned, their job just got a little harder
    • Maybe this is the JV APT group in Russia, like the Moscow State University senior thesis project for students seeking careers in, ahem, “information management?” We jest, of course, but we have to wonder if what we’re seeing here is really their whole bag of tricks. We’re pretty sure it’s not
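To make the egress-filtering point concrete, here is an added example (ours, not from the podcast or the TAG report) that runs a simple egress policy over constructed firewall log lines: any allowed outbound flow to a non-RFC 1918 destination on a port outside the allow list is reported, which is exactly the kind of event a direct C2 connection on port 3000 would trigger. The log format, allow list and addresses are all assumptions for the demo.

```python
import ipaddress
import re

# Constructed sample firewall log lines (not real traffic, not from the TAG report).
SAMPLE_LOGS = [
    "2024-01-18T10:00:01Z ALLOW src=10.1.2.3 dst=203.0.113.10 dport=443 proto=tcp",
    "2024-01-18T10:00:02Z ALLOW src=10.1.2.3 dst=203.0.113.11 dport=3000 proto=tcp",
    "2024-01-18T10:00:03Z ALLOW src=10.1.2.4 dst=203.0.113.12 dport=80 proto=tcp",
    "2024-01-18T10:00:04Z ALLOW src=10.1.2.5 dst=10.1.9.9 dport=3000 proto=tcp",
    "2024-01-18T10:00:05Z ALLOW src=10.1.2.6 dst=198.51.100.7 dport=8443 proto=tcp",
]

# Assumed egress policy: workstations may only reach the internet directly on these ports;
# everything else should go through a proxy, so a direct hit elsewhere deserves a ticket.
ALLOWED_EGRESS_PORTS = {80, 443}

# RFC 1918 ranges: a flow that stays inside these is east-west traffic, not egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def is_internal(ip):
    """True if the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_egress_violations(lines, allowed_ports=ALLOWED_EGRESS_PORTS):
    """Return (ts, src, dst, dport) for allowed outbound flows that break the egress policy."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline would count these too
        if m["action"] != "ALLOW" or is_internal(m["dst"]):
            continue  # blocked already, or internal-only traffic
        port = int(m["dport"])
        if port not in allowed_ports:
            events.append((m["ts"], m["src"], m["dst"], port))
    return events


if __name__ == "__main__":
    for event in find_egress_violations(SAMPLE_LOGS):
        print("egress policy violation:", event)
```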

Life of MediaPI

  • New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs
  • Mint Sandstorm is not the Pantone color of the year, it is a threat group. What do we know about them?
    • Mint Sandstorm is the latest name for this group that’s received many names over the years
      • Microsoft used to call them Phosphorus
      • They’ve been known as Charming Kitten, APT35, Newsbeef
    • They’ve been around for a while and this is their latest stint in the limelight under the microscope of the Microsoft research team
  • They make bespoke phishing lures
    • They have always gone after individual targets – in this case, they’re targeting journalists and folks in universities
    • And they are building relationships with folks before they ever try to get them to click on anything, download anything, do whatever – they spent some time getting to know their victims and they’re impersonating well-known journalists
    • They’ve spoofed emails that are off by just one character
      • Probably some homoglyphs in the emails or something similar and convincing folks that, “hey, I’m here to pass you information or vice versa.”
  • Speaking of social engineering, do they use artificial intelligence or large language models to make the ruse more convincing?
    • Not that we know of – this is extremely custom and targeted, but it’s less scaled
    • But it’s tricky because they could be using that in the middle of a conversation to stay relevant and on topic and stay convincing to their victim and we wouldn’t really know it
    • But it doesn’t look like they’re using AI at scale, at least
  • Microsoft shares that Mint Sandstorm used custom backdoors called MediaPI and MischiefTut – what were their capabilities?
    • MediaPI is a custom backdoor for Windows Media Player, and it speaks to a C2 server
    • They use text files to exfiltrate data from the victims
    • The MischiefTut backdoor is a PowerShell backdoor that does reconnaissance and data exfil as well
      • It runs commands, writes outputs, all that fun stuff
      • Then they export those text files off of the victims and are able to pull that data into the attacker environment.
  • What are the recommendations from Microsoft regarding mitigations for activity associated with Mint Sandstorm?
    • It’s a similar ending to the first article saying “hey, you should pay attention to what’s in your email,” which is the kind of advice that we don’t like a lot because it shifts the blame to the user a lot
    • In this case, it’s tricky because you think it’s someone you like talking to over email or a journalist you respect is reaching out to you
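The “off by one character” and homoglyph sender spoofing described above is something a mail gateway can check for. Here is an added example (ours, not Microsoft’s or the podcast’s) that folds a sender domain through a small confusables map and compares it to a trusted-domain list, flagging exact homoglyph matches and single-character lookalikes; the confusables subset, the trusted domain and the sample addresses are constructed for the demo.

```python
import unicodedata

# Constructed subset of Unicode confusables: Cyrillic/Greek letters that render like Latin ones.
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x",
               "і": "i", "ј": "j", "ο": "o", "ν": "v", "ԛ": "q"}

# Assumed list of domains the recipient genuinely corresponds with.
TRUSTED_DOMAINS = {"example-news.org"}


def fold_domain(domain):
    """Lowercase, NFKC-normalise and map known confusables to their Latin lookalikes."""
    nfkc = unicodedata.normalize("NFKC", domain.strip().lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in nfkc)


def edit_distance(a, b):
    """Levenshtein distance via two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted_domains=TRUSTED_DOMAINS):
    """Return (verdict, matched trusted domain or None) for the sender's domain."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    folded = fold_domain(domain)
    if domain in trusted_domains:
        return "trusted", domain
    if folded != domain and folded in trusted_domains:
        return "homoglyph", folded      # looks identical on screen, different code points
    for trusted in trusted_domains:
        if edit_distance(folded, trusted) == 1:
            return "lookalike", trusted  # off by exactly one character
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders; the third uses a Cyrillic "а" (U+0430) in place of Latin "a".
    for addr in ("reporter@example-news.org", "reporter@examp1e-news.org",
                 "reporter@ex\u0430mple-news.org", "someone@other-domain.net"):
        print(addr, "->", classify_sender(addr))
```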

This Week’s Hoodie/Goodie Scale

Cry Me A COLDRIVER

[Taylor]: 1.5/10 Hoodies
[Tim]: 2/10 Hoodies

Life of MediaPI

[Taylor]: 4/10 Hoodies
[Tim]: 3/10 Hoodies

That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!