Zimperium Coverage on COLDRIVER Phishing Campaign

The recently uncovered “River of Phish” campaign, attributed to the Russian threat actor COLDRIVER, targets Western and Russian civil society through sophisticated spear-phishing attacks. This campaign employs highly personalized social engineering tactics, to trick targets into opening malicious PDF attachments. These PDFs contain links to phishing sites designed to steal login credentials and bypass two-factor authentication, potentially granting attackers access to sensitive information and communications of high-risk individuals and organizations.

Zimperium’s advanced mobile security solution offers robust protection against this kind of campaign. By leveraging artificial intelligence and behavioral analysis, our tool can detect and block highly personalized, zero day mobile phishing attempts. Zimperium MTD scrutinizes potentially malicious PDFs and web links for telltale signs of mobile phishing and links to potentially malicious domains.

For this campaign, our solution detected and blocked the reported malicious PDFs zero day, on device without modification ensuring privacy leveraging our on-device artificial intelligence engine for PDF and mobile phishing.

The following table shows the chronology of the reported domains, summarizing the date for domain registration, the first report of the domain in public phishing feeds and the time difference in days (time window in which the site was potentially active as a zero day threat). 

DomainDomain Registration DatePublic Feeds Reported DateTime Difference in Days
ithostprotocol[.]com1/16/20241/18/20241
xsltweemat[.]org3/14/20244/5/202421
eilatocare[.]com4/9/20247/1/202483
egenre[.]net5/19/20246/27/202438
esestacey[.]net5/19/20248/14/202486
ideaspire[.]net5/19/20249/27/2024130
togochecklist[.]com8/28/20238/30/20231
vocabpaper[.]com3/15/20247/10/2024116
matalangit[.]org5/7/20248/16/2024100
protondrive[.]me5/7/20248/15/2024100
protondrive[.]services10/19/20239/12/2024328
protondrive[.]online2/1/20239/21/2024597
service-proton[.]me9/14/20228/31/2024716

The data shows that some of the domains existed for more than 1 year before being reported. This enforces once more the importance of zero day detection tools, and not just based on lists for complete protection.

Crucially, our PDF solution offers specific safeguards against the tactics employed in this campaign. By utilizing artificial intelligence for both the analysis of PDF components and the analysis of links embedded within these files, we achieve enhanced detection in this format.

By deploying our mobile security solution, organizations can significantly mitigate the risks posed by threat actors like COLDRIVER. The system’s AI capabilities provide robust protection against zero day threats, like newly created malicious sites, or previously unseen risky PDF sites.

Having a mobile security tool with capabilities for detecting zero day threats ensures the user stays ahead of evolving mobile phishing techniques, providing a critical layer of defense for high-risk individuals and organizations targeted by sophisticated cyber espionage campaigns.

The post Zimperium Coverage on COLDRIVER Phishing Campaign  appeared first on Zimperium.

Article Link: Zimperium Coverage on COLDRIVER Phishing Campaign  - Zimperium