When the user tries to open the PDF, its content appears to be encrypted text. If the target reaches out to ask for decryption, they are presented with a link, usually hosted on a cloud storage site, to a “decryption” utility. The utility displays a decoy “decrypted” document, but it is in fact the SPICA backdoor running in stealth.
While Coldriver has used malware before, SPICA is the first custom malware attributed to it. “In 2015 and 2016, TAG observed Coldriver using the Scout implant that was leaked during the Hacking Team incident of July 2015.”
SPICA is a multifaceted backdoor
TAG’s analysis of the SPICA binary revealed that it is written in Rust, a low-level programming language used for building operating systems, kernels, and device drivers. The binary uses JavaScript Object Notation (JSON), a text-based data interchange format, over websockets for command and control (C2).
“Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user,” TAG added. “In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute.”
SPICA supports a number of commands for varied attacks, including running arbitrary shell commands, performing uploads and downloads, stealing cookies from Chrome, Firefox, Opera, and Edge, and enumerating documents and exfiltrating them in an archive. TAG also noticed a “Telegram” command but could not further analyze its specific functionality.
SPICA establishes persistence by creating a scheduled task named CalendarChecker, using an obfuscated PowerShell command. For user awareness, TAG has shared indicators of compromise (IOCs), which included hashes of observed PDF documents, some SPICA instances, and the observed C2 domain.
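As an added example (not code from TAG or from the original article), the following Python sketch shows how a defender could triage exported Task Scheduler XML definitions for the persistence described above. It flags the task name CalendarChecker and, as a generic assumption since the article does not say how the PowerShell command is obfuscated, PowerShell actions that use an encoded command, a long base64 run, or a hidden window; the sample tasks and helper names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TASK_NAME_IOC = "calendarchecker"  # task name from TAG's report, as quoted in the article
# The checks below are generic obfuscation heuristics (assumptions), not SPICA's actual command.
LONG_B64 = re.compile(r"[A-Za-z0-9+/=]{40,}")
HIDDEN = re.compile(r"(?i)[-/]w(?:indowstyle)?\s+h(?:idden)?\b")

def is_encoded_flag(token):
    """True for any abbreviation PowerShell accepts for -EncodedCommand (-e, -enc, -ec...)."""
    name = token.lstrip("-/").lower()
    return token[0] in "-/" and bool(name) and (name == "ec" or "encodedcommand".startswith(name))

def analyze_task(xml_text):
    """Return a list of findings for one Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    findings = []
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    if uri.rsplit("\\", 1)[-1].lower() == TASK_NAME_IOC:
        findings.append("name-ioc")
    for action in root.findall("t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS)
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        if not re.search(r"(?i)powershell|pwsh", cmd + " " + args):
            continue  # only PowerShell actions are inspected further
        if any(is_encoded_flag(tok) for tok in args.split()):
            findings.append("encoded-command")
        if LONG_B64.search(args):
            findings.append("long-base64")
        if HIDDEN.search(args):
            findings.append("hidden-window")
    return findings

def make_task(uri, command, arguments):
    """Build a minimal task definition (constructed sample, not a real SPICA artifact)."""
    return (f'<Task xmlns="{NS["t"]}"><RegistrationInfo><URI>{uri}</URI></RegistrationInfo>'
            f"<Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")

B64 = "QUFB" * 12  # constructed placeholder payload
SAMPLES = {
    "suspect": make_task("\\CalendarChecker", "powershell.exe", f"-w hidden -enc {B64}"),
    "script": make_task("\\Backup", "powershell.exe", "-ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"),
    "updater": make_task("\\Vendor\\Updater", "C:\\Vendor\\update.exe", "/silent"),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, analyze_task(xml_text))
```

A name match alone is a weak signal because the name is trivial to change; the heuristic findings are meant to surface similar tasks for manual review, not to confirm SPICA.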