COLDRIVER, a Russian government-backed group, has deployed a new malware called LOSTKEYS to target NGOs and Western organizations
COLDRIVER focuses on credential phishing, stealing login credentials, exfiltrating emails, and accessing system files
Recent attacks have targeted journalists, think tanks, NGOs, and advisors to Western governments and militaries, with a focus on individuals linked to Ukraine
COLDRIVER’s activities aim to gather intelligence supporting Russia’s strategic objectives, including hack-and-leak campaigns
The malware steals files from specific directories, collects system information, and sends the list of running processes to the attackers
LOSTKEYS is delivered through a multi-step infection chain starting with a fake CAPTCHA page that socially engineers users to execute PowerShell scripts
The malware includes a stage that computes the MD5 hash of the display resolution and halts execution when the hash indicates a virtual machine
LOSTKEYS uses a Visual Basic Script (VBS) decoder and two unique keys to decode its payload, ensuring each infection chain is distinct
Earlier versions of LOSTKEYS from December 2023 were Portable Executable (PE) files disguised as software like Maltego
IOCs include domains like njala[.]dev and IP addresses like 80.66.88[.]67, along with hashes of malicious binaries
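The indicators above are published defanged (`[.]` in place of `.`), so the first thing a defender does with them is refang and match them against DNS and proxy logs without picking up near-misses such as a longer IP that merely contains the indicator, or an unrelated domain that starts with the same label. The script below is an added example, not code from the report; it uses only the domain and IP quoted in the summary above, and the log lines are constructed for the demonstration (they are not real telemetry).

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Indicators exactly as the report summary lists them (defanged).
DEFANGED_IOCS = ["njala[.]dev", "80.66.88[.]67"]

# Constructed sample log lines (not from the report). Lines 3, 5 and 6 are
# deliberate near-misses that a naive substring search would wrongly flag.
SAMPLE_LOGS = [
    "2025-05-01T10:00:01Z dns client=10.0.0.5 query=njala.dev type=A",
    "2025-05-01T10:00:02Z dns client=10.0.0.5 query=cdn.njala.dev type=A",
    "2025-05-01T10:00:03Z dns client=10.0.0.7 query=njala.devops.example type=A",
    "2025-05-01T10:00:04Z proxy client=10.0.0.5 dst=80.66.88.67:443 action=allow",
    "2025-05-01T10:00:05Z proxy client=10.0.0.9 dst=180.66.88.67:443 action=allow",
    "2025-05-01T10:00:06Z proxy client=10.0.0.9 dst=80.66.88.6:443 action=allow",
]


def refang(ioc: str) -> str:
    """Undo common defanging conventions: [.] (.) [dot] -> . and hxxp -> http."""
    s = ioc.strip()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.lower()


def classify(ioc: str) -> str:
    """Return 'ip' for a valid IPv4/IPv6 literal, otherwise 'domain'."""
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def compile_ioc_patterns(defanged: List[str]) -> Dict[str, "re.Pattern[str]"]:
    """Build one anchored regex per indicator so partial overlaps do not match."""
    patterns: Dict[str, "re.Pattern[str]"] = {}
    for raw in defanged:
        ioc = refang(raw)
        if classify(ioc) == "ip":
            # Exact address: no digit or dot may touch either side.
            pat = r"(?<![\d.])" + re.escape(ioc) + r"(?![\d.])"
        else:
            # The domain itself or any subdomain of it; no label character may
            # follow, so "njala.devops.example" is not a hit.
            pat = r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(ioc) + r"(?![\w-])"
        patterns[ioc] = re.compile(pat)
    return patterns


def scan_logs(lines: List[str],
              defanged: List[str] = DEFANGED_IOCS) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, matched indicator, raw line) for each hit."""
    patterns = compile_ioc_patterns(defanged)
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        text = line.lower()
        for ioc, pat in patterns.items():
            if pat.search(text):
                hits.append((n, ioc, line))
    return hits


if __name__ == "__main__":
    for n, ioc, line in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {ioc} <- {line}")
```

Running it reports three hits (the exact domain, a subdomain of it, and the exact IP) and stays silent on the three near-misses. The same pattern builder can be fed the report's full indicator list once the hashes are handled separately, since file hashes are matched against binaries, not log text.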