
Russian COLDRIVER Threat Group Using New LOSTKEYS Malware

The new malware is called LOSTKEYS and is designed to steal files from a number of different directories

Google threat researchers have uncovered a new strain of malware that’s linked to the well-known COLDRIVER threat group, a Russian actor known for attacking NGOs, government agencies, and other high-profile targets. 

The new malware is called LOSTKEYS and is designed to steal files from a number of different directories and can also send information about currently running processes back to the remote attacker. The malware has several stages, the first of which is delivered by tricking the victim into copying and pasting a PowerShell command that, when executed, retrieves and runs the second stage. After running a check to see whether it’s running in a virtual machine, the second stage then gets the third stage of the malware, which is also PowerShell.

“This stage retrieves and decodes the final payload. To do this it pulls down two more files, from the same host as the others, and again using different unique identifiers per infection chain.

The first is a Visual Basic Script (VBS) file, which we call the ‘decoder’ that is responsible for decoding the second one,” Google’s researchers said in a post on the LOSTKEYS malware.

“The decoding process uses two keys, which are unique per infection chain. The decoder has one of the unique keys and the second key is stored in stage 3. The keys are used in a substitution cipher on the encoded blob, and are unique to each infection chain.”
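To make the two-key arrangement concrete for analysts, here is an added illustration (not code from Google's report or from the malware) of a substitution cipher whose table is only recoverable when both the decoder's key and the stage-3 key from the same infection chain are in hand. It assumes, as a construction of this example rather than a documented detail, that each key is a permutation of one shared alphabet; the keys, the blob and the sample plaintext below are all constructed.

```python
"""Two-key substitution decoding, as an analyst reimplementation.

Assumptions (this example's, not from the report): the decoder key supplies the
ciphertext alphabet, the stage-3 key supplies the plaintext alphabet, and both
are permutations of ALPHABET, so the table cannot be built from one artifact.
"""
import random
import string

ALPHABET = string.ascii_letters + string.digits + " ().,;=\"'\n"


def make_chain_keys(seed: int) -> tuple[str, str]:
    """Derive one infection chain's pair of per-chain keys (constructed, seeded)."""
    rng = random.Random(seed)
    decoder_key = list(ALPHABET)
    rng.shuffle(decoder_key)
    stage3_key = list(ALPHABET)
    rng.shuffle(stage3_key)
    return "".join(decoder_key), "".join(stage3_key)


def build_table(decoder_key: str, stage3_key: str) -> dict[str, str]:
    """Map each ciphertext symbol (decoder key) to a plaintext symbol (stage-3 key)."""
    if len(set(decoder_key)) != len(decoder_key) or len(set(stage3_key)) != len(stage3_key):
        raise ValueError("key contains repeated symbols; substitution would be ambiguous")
    if sorted(decoder_key) != sorted(stage3_key):
        raise ValueError("keys must be permutations of the same alphabet")
    return dict(zip(decoder_key, stage3_key))


def decode_blob(blob: str, decoder_key: str, stage3_key: str) -> str:
    """Apply the substitution; unknown symbols pass through so nothing is silently dropped."""
    table = build_table(decoder_key, stage3_key)
    return "".join(table.get(ch, ch) for ch in blob)


def encode_blob(plain: str, decoder_key: str, stage3_key: str) -> str:
    """Inverse mapping, used here only to build the constructed sample blob."""
    table = {p: c for c, p in build_table(decoder_key, stage3_key).items()}
    return "".join(table.get(ch, ch) for ch in plain)


SAMPLE_PLAIN = 'WScript.Echo "constructed sample, not a real payload"'
CHAIN_A = make_chain_keys(seed=1)   # keys as recovered from one chain's decoder and stage 3
CHAIN_B = make_chain_keys(seed=2)   # keys from a different chain; the blob will not decode
SAMPLE_BLOB = encode_blob(SAMPLE_PLAIN, *CHAIN_A)

if __name__ == "__main__":
    print(decode_blob(SAMPLE_BLOB, *CHAIN_A))            # recovers SAMPLE_PLAIN
    print(decode_blob(SAMPLE_BLOB, CHAIN_A[0], CHAIN_B[1]))  # mixed chains: unreadable
```

The practical point for triage is that the decoder VBS and the stage-3 script must be collected together from the same chain; the blob from one victim cannot be decoded with keys pulled from another.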

The final payload of the LOSTKEYS malware is a VBS that does the actual data theft. Google’s researchers discovered some malware samples from December 2023 that used a separate infection chain to deliver LOSTKEYS, but said it’s unclear whether those samples are connected to COLDRIVER or are part of a different operation. The recent attacks that Google observed were targeting victims in NGOs and other organizations in Western countries.

“The typical behavior of COLDRIVER is to steal credentials and then use them to steal emails and contacts from the target, but as we have previously documented they will also deploy malware called SPICA to select targets if they want to access documents on the target system. LOSTKEYS is designed to achieve a similar goal and is only deployed in highly selective cases,” the researchers said. 

COLDRIVER is a Russian government-backed threat actor that’s also known as Callisto and Star Blizzard and has been quite active for many years.