ATT&CK v16 has been released! Check out the blog post for more information.

Spica

Spica is a custom backdoor written in Rust that has been used by Star Blizzard since at least 2023.^[1]

ID: S1140

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 18 June 2024

Last Modified: 18 June 2024

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1560		Archive Collected Data	Spica can archive collected documents for exfiltration.^[1]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	Spica can use an obfuscated PowerShell command to create a scheduled task for persistence.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	Upon execution Spica can decode an embedded .pdf and write it to the desktop as a decoy document.^[1]
Enterprise	T1083		File and Directory Discovery	Spica can list filesystem contents on targeted systems.^[1]
Enterprise	T1105		Ingress Tool Transfer	Spica can upload and download files to and from compromised hosts.^[1]
Enterprise	T1036	.004	Masquerading: Masquerade Task or Service	Spica has created a scheduled task named `CalendarChecker` for persistence on compromised hosts.^[1]
Enterprise	T1095		Non-Application Layer Protocol	Spica can use JSON over WebSockets for C2 communications.^[1]
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	Spica has created a scheduled task named `CalendarChecker` to establish persistence.^[1]
Enterprise	T1539		Steal Web Session Cookie	Spica has the ability to steal cookies from Chrome, Firefox, Opera, and Edge browsers.^[1]

Groups That Use This Software

ID	Name	References
G1033	Star Blizzard	^[1]

References

Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.