Full Report
The Russian state-backed Star Blizzard hacker group has ramped up operations with new, constantly evolving malware families (NoRobot, MaybeRobot) deployed in complex delivery chains that start with ClickFix social engineering attacks. [...]
Analysis Summary
# Threat Actor: Star Blizzard (ColdRiver/UNC4057/Callisto)
## Attribution & Identity
Attributed to the Russian intelligence service (FSB). Known aliases include **ColdRiver**, **UNC4057**, and **Callisto**.
## Activity Summary
The actor has recently ramped up operations, abandoning the previously used `LostKeys` malware shortly after its analysis was published. They are now aggressively leveraging new evolving malware families (`NoRobot`, `MaybeRobot`) in complex delivery chains initiated by "ClickFix" social engineering attacks, observed between June and September. These attacks aim to trick targets into executing malware by performing a fake "I am not a robot" CAPTCHA challenge.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** `ClickFix` social engineering: fake CAPTCHA pages trick victims into running a `rundll32` command, presented as a verification step, which loads the `NOROBOT` malicious DLL.
- **Defense Evasion/Persistence:** Gaining persistence through registry modifications and scheduled tasks.
- **Payload Delivery/Execution Chain:** After the initial `NOROBOT` delivery, the actor first tried a short-lived installation path that deployed a full Python 3.8 installation to run the `YESROBOT` Python-based backdoor, before settling on the PowerShell script `MAYBEROBOT` (also tracked as `SIMPLEFIX`) as the primary backdoor.
- **Stealth/Evasion:** Employing a complex delivery chain that splits cryptographic keys across multiple components, requiring correct assembly to decrypt the final payload, likely to hinder infection chain reconstruction.
- **Command and Control:** `MAYBEROBOT` supports commands to download/execute payloads, execute arbitrary commands via CMD, and execute arbitrary PowerShell blocks, returning results to distinct C2 paths.
## Targeting
- **Sectors:** Western governments, journalists, think tanks, and non-governmental organizations (NGOs).
- **Geography:** Not explicitly detailed, but targets are Western entities.
- **Victims:** Organizations compromised previously via phishing, now being re-targeted for direct device intelligence acquisition.
## Tools & Infrastructure
- **Malware Families:**
  - `LostKeys` (abandoned after public disclosure)
  - `NOROBOT` (malicious DLL loader, tracked as `BAITSWITCH` by Zscaler)
  - `YESROBOT` (short-lived Python-based backdoor)
  - `MAYBEROBOT` (current primary backdoor, PowerShell script, tracked as `SIMPLEFIX` by Zscaler)
- **Infrastructure:** Command execution results are returned to distinct command-and-control (C2) paths. (No defanged C2 URLs/IPs are provided in the text summary.)
## Implications
Star Blizzard remains an active espionage threat, consistently and rapidly evolving its toolset (renaming/replacing malware within days or weeks of disclosure) to circumvent detection tactics used against their previous tools (like `LostKeys`). Their shift to ClickFix attacks may indicate a strategy refinement, possibly targeting already compromised networks for deeper intelligence extraction.
## Mitigations
- Defend against spear-phishing and social engineering attempts, particularly those masquerading as security verifications (CAPTCHA).
- Monitor for unusual execution of system utilities like `rundll32`.
- Monitor for registry modifications and the creation of scheduled tasks indicative of persistence mechanisms.
- Utilize provided Indicators of Compromise (IoCs) and YARA rules (referenced in the article) to detect Robot malware variants.