COLDRIVER, the threat actor, persists in carrying out credential theft operations targeting entities strategically significant to Russia, concurrently enhancing its capabilities to evade detection.
Microsoft Issues Warning on COLDRIVER
The Microsoft Threat Intelligence team is monitoring a threat known as Star Blizzard (formerly SEABORGIUM), also referred to as Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternatively spelled Callisto), and TA446.
The adversary, tied to Russia’s Federal Security Service (FSB), persistently targets individuals and organizations in international affairs, defense, logistics support to Ukraine, academia, information security companies, and entities aligned with Russian state interests, according to Redmond.
Star Blizzard, active since at least 2017, utilizes lookalike domains to impersonate login pages of targeted companies.
In August 2023, Recorded Future revealed 94 new domains that are part of the threat actor’s attack infrastructure, most of which feature keywords related to information technology and cryptocurrency.
Microsoft noted that since April 2023, the adversary has shifted tactics, employing server-side scripts to thwart automated scanning of the actor-controlled infrastructure. This involves a transition from hCaptcha for target determination to redirecting the browsing session to the Evilginx server.
The server-side JavaScript code is created to verify the presence of installed browser plugins, identify access through automation tools such as Selenium or PhantomJS, and relay the results to the server through an HTTP POST request.
“Upon receipt of the POST request, the redirector server evaluates the data gathered from the browser and determines whether to permit ongoing browser redirection,” according to Microsoft.
“When a positive decision is made, the browser receives a response from the redirection server, leading to the next phase of the chain. This could involve presenting an hCaptcha for the user to solve or directing the user straight to the Evilginx server.”
Star Blizzard has recently incorporated email marketing services such as HubSpot and MailerLite to orchestrate campaigns, serving as the initial step in the redirection chain that ultimately leads to the Evilginx server hosting the credential harvesting page.
Furthermore, the threat actor employs a domain name service (DNS) provider to resolve actor-registered domains. They send password-protected PDF lures containing embedded links to bypass email security processes and host files on Proton Drive.
Additionally, the actor upgraded its domain generation algorithm (DGA) to include a more randomized list of words, indicating awareness of public reporting on its tactics and techniques.
Despite the adjustments, Microsoft notes that “Star Blizzard continues to prioritize email credential theft, with a primary focus on cloud-based email providers hosting organizational and personal email accounts.”
The threat group consistently employs pairs of dedicated VPSs for hosting actor-controlled infrastructure, comprising redirector and Evilginx servers, particularly for spear-phishing activities. Each server typically hosts a distinct actor-registered domain.
Indicators of compromise
centralitdef[.]com
rootgatewayshome[.]com
directstoragepro[.]com
infocryptoweb[.]com
cloudwebstorage[.]com
cryptdatahub[.]com
datainfosecure[.]com
servershieldme[.]com
scandefinform[.]com
guardittech[.]com
storageinfohub[.]com
docsinfohub[.]com
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment