Russian Hackers Hide Malware in CAPTCHA Tests

Summary
– The Russian state-backed Star Blizzard hacker group (also known as ColdRiver) has deployed new malware families called NoRobot, YesRobot, and MaybeRobot in complex delivery chains starting with ClickFix social engineering attacks.
– ColdRiver completely abandoned its LostKeys malware less than a week after researchers published their analysis and began using the new Robot malware tools more aggressively than in previous campaigns.
– The group’s current attack chain involves NoRobot malware delivered via fake CAPTCHA pages, which gains persistence and retrieves subsequent payloads like MaybeRobot, a PowerShell backdoor with command execution capabilities.
– Researchers observed ColdRiver shifting from complex to simpler and then back to complex delivery chains, splitting cryptographic keys across components to hinder reconstruction of the infection chain.
– Despite infrastructure disruptions, sanctions, and exposure of its tactics, ColdRiver remains an active threat attributed to the Russian FSB intelligence service, targeting governments, journalists, and NGOs for espionage since at least 2017.
A sophisticated Russian state-sponsored hacking collective known as Star Blizzard has escalated its cyber-espionage activities by concealing malware within deceptive CAPTCHA verification pages. This group, also identified as ColdRiver, UNC4057, and Callisto, has introduced a series of new malicious tools, NoRobot, YesRobot, and MaybeRobot, through intricate attack chains that begin with social engineering tactics called ClickFix. These methods trick targets into executing harmful code while believing they are simply completing a standard “I am not a robot” test.
Shortly after cybersecurity researchers published an analysis of the group’s earlier LostKeys malware, ColdRiver abandoned it entirely. Within just five days, they shifted to deploying the new Robot malware families, using them more aggressively than in any prior campaign. According to the Google Threat Intelligence Group, LostKeys had been employed in espionage attacks targeting Western governments, journalists, think tanks, and NGOs, with capabilities focused on data theft from specific file types and directories.
The retooling effort began with NoRobot, a malicious DLL file distributed via fake CAPTCHA pages. Victims are prompted to complete a verification process, inadvertently launching the malware through the Windows rundll32 utility. Security analysts at Zscaler, who examined NoRobot in September, named it BAITSWITCH and identified its payload as a backdoor they called SIMPLEFIX. Google noted that NoRobot underwent continuous development from May through September, establishing persistence on infected systems through registry modifications and scheduled tasks.
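The delivery chain described above (a fake CAPTCHA leading to a rundll32 launch, followed by registry and scheduled-task persistence) can be expressed as a simple detection over endpoint telemetry. The following is an added example, not code from Google, Zscaler or the Bleeping Computer report; the event format, the explorer.exe parent (assumed to represent a user pasting the lure into the Run dialog), the file paths and the timestamps are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-like events (assumed field names); none of this is real ColdRiver telemetry.
EVENTS = [
    {"ts": "2025-09-01T10:00:01", "host": "ws01", "type": "ProcessCreate", "parent": "explorer.exe",
     "image": "rundll32.exe", "cmd": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\verify.dll,Start"},
    {"ts": "2025-09-01T10:00:03", "host": "ws01", "type": "RegistryValueSet",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Verify"},
    {"ts": "2025-09-01T10:00:05", "host": "ws01", "type": "ProcessCreate", "parent": "rundll32.exe",
     "image": "schtasks.exe", "cmd": "schtasks.exe /create /tn Verify /sc minute /mo 10 /tr verify.dll"},
    # Benign control: rundll32 started by a service, loading a DLL from System32.
    {"ts": "2025-09-01T11:30:00", "host": "ws02", "type": "ProcessCreate", "parent": "svchost.exe",
     "image": "rundll32.exe", "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)

def suspicious_rundll32(ev):
    """rundll32 loading a DLL from a user-writable path, with a user-facing parent process
    (explorer.exe is assumed here as the parent for a Run-dialog paste)."""
    return (ev["type"] == "ProcessCreate"
            and ev.get("image", "").lower() == "rundll32.exe"
            and ev.get("parent", "").lower() == "explorer.exe"
            and USER_WRITABLE.search(ev.get("cmd", "")) is not None)

def persistence_followup(ev):
    """Registry Run-key write or scheduled-task creation, the two persistence methods named in the report."""
    if ev["type"] == "RegistryValueSet":
        return RUN_KEY.search(ev.get("target", "")) is not None
    return (ev["type"] == "ProcessCreate" and ev.get("image", "").lower() == "schtasks.exe"
            and "/create" in ev.get("cmd", "").lower())

def find_clickfix_chains(events, window_s=300):
    """Return (host, launch command, follow-up event types) for each suspicious rundll32 launch
    that is followed on the same host by persistence activity within window_s seconds."""
    hits = []
    for ev in events:
        if not suspicious_rundll32(ev):
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        follow = [e["type"] for e in events
                  if e["host"] == ev["host"] and persistence_followup(e)
                  and t0 <= datetime.fromisoformat(e["ts"]) <= t0 + timedelta(seconds=window_s)]
        if follow:
            hits.append((ev["host"], ev["cmd"], follow))
    return hits
```

A standalone rundll32 launch from a temp directory is noisy on its own; correlating it with persistence on the same host within a short window is what makes the alert actionable.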
Initially, NoRobot retrieved a full Python 3.8 installation for Windows to support the YesRobot backdoor. However, this approach was short-lived, likely because the conspicuous Python installation drew unwanted attention. ColdRiver quickly replaced it with MaybeRobot, a PowerShell-based backdoor that Zscaler also identifies as SIMPLEFIX.
By early June, a significantly streamlined version of NoRobot began delivering MaybeRobot, which supports three primary commands: downloading and executing payloads from a specified URL, running commands via the command prompt, and executing arbitrary PowerShell code. After carrying out these actions, MaybeRobot sends the results to separate command-and-control servers, providing the attackers with feedback on the success of their operations.
Google analysts observed that development on MaybeRobot has stabilized, with the group now concentrating on refining NoRobot to enhance its stealth and effectiveness. Researchers also detected a shift in the delivery chain, from complex to simple, then back to a more complex model that splits cryptographic keys across multiple components. Decrypting the final payload requires correctly combining these pieces, a tactic likely designed to complicate efforts to reconstruct the infection chain. If any component is missing, decryption fails, obscuring the full attack sequence.
Between June and September, ColdRiver was observed using this method to deliver NoRobot and subsequent payloads to selected targets. The group, linked to the Russian Federal Security Service (FSB), has been active in cyber-espionage since at least 2017. Despite infrastructure takedowns, sanctions, and public exposure of their methods, ColdRiver remains a persistent and evolving threat.
While the group has historically relied on phishing attacks to deploy malware, its recent pivot to ClickFix attacks remains unexplained. One theory suggests that ColdRiver may be re-targeting individuals previously compromised through phishing, those whose emails and contacts were already stolen, in order to extract further intelligence directly from their devices.
To aid defenders, Google’s report includes indicators of compromise and YARA rules designed to help detect infections involving the Robot malware families.
(Source: Bleeping Computer)
