A Newly Discovered APT Crew “CloudSorcerer” Sets Sights on Russian Government Entities
A previously unknown advanced persistent threat (APT) group tracked as CloudSorcerer has been observed targeting Russian government entities, using public cloud services for command-and-control (C2) and data exfiltration.
Kaspersky, which detected the activity in May 2024, said the techniques employed by the threat actor resemble those of CloudWizard, though the malware source code differs. The attacks feature a novel data-collection mechanism and several evasion techniques intended to hide the activity.
“It’s a complex cyber espionage tool used for discreet surveillance, data gathering, and data extraction through Microsoft Graph, Yandex Cloud, and Dropbox cloud structures,” the Russian security provider mentioned.
“The malware uses cloud resources as its command and control (C2) servers, gaining access through APIs and authentication tokens. Moreover, CloudSorcerer employs GitHub as its initial C2 server.”
The exact initial access method is not yet known; however, the initial breach enables the deployment of a C-based portable executable binary that serves as a backdoor, initiates C2 communications, or injects shellcode into other legitimate processes such as mspaint.exe, msiexec.exe, or processes whose name contains the term “browser.”
“The malware’s capability to adjust its actions dynamically based on the process it runs in, coupled with its intricate inter-process communication via Windows pipes, underscores its sophistication,” as revealed by Kaspersky.
The backdoor component is designed to gather details about the compromised system, and it receives commands to list files and directories, execute shell commands, perform file operations, and run additional payloads.
The C2 module, for its part, connects to a GitHub page that functions as a dead drop resolver in order to retrieve a hex-encoded string pointing to the actual C2 server hosted on Microsoft Graph or Yandex Cloud.
“In an alternative approach, instead of linking to GitHub, CloudSorcerer also attempts to fetch the same data from hxxps://my.mail[.]ru/, which is a cloud-based photo hosting platform from Russia,” Kaspersky highlighted. “The hex string is present in the photo album title.”
“The CloudSorcerer malware showcases a sophisticated toolkit aimed at Russian government entities. The utilization of cloud platforms like Microsoft Graph, Yandex Cloud, and Dropbox for C2 infrastructure, together with GitHub for initial C2 communications, illustrates a well-rounded strategy for cyber espionage.”
Update
Cybersecurity company Proofpoint disclosed that it detected an attack campaign against an undisclosed U.S.-based organization that mirrors the modus operandi of CloudSorcerer. The activity, observed in late May 2024, used a free email account impersonating a well-known U.S. think tank and a forged event invitation to lure victims into downloading a ZIP file hosted on acrobat-inst[.]com.
“Upon downloading and opening the ZIP file, the user encounters a directory with three LNK files, each capable of initiating a sequence of malicious activities,” the organization stated.

“The LNK files will launch either the embedded PDF or Word Document from the folder, update various components’ names in the directory, and then start an embedded executable file named cache.tmp.”
The executable then connects to GitHub or TechNet profiles to fetch a hexadecimal blob delimited by a “CDOY” start and end marker, consistent with Kaspersky’s observations.
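The following is an added hunting example, not code from Kaspersky, Proofpoint or the malware itself: it scans scraped profile text for the “CDOY”-delimited hex blob described above and decodes it into a candidate indicator for blocklisting or alerting. The profile text, the delimiter regex and the decoded value (a placeholder hostname) are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Delimiter reported around the hex blob on the GitHub/TechNet profile.
# The regex requires an even number of hex digits so that fromhex() cannot fail.
MARKER = "CDOY"
BLOB_RE = re.compile(re.escape(MARKER) + r"((?:[0-9A-Fa-f]{2})+)" + re.escape(MARKER))


def extract_dead_drop_blobs(page_text: str) -> List[Tuple[int, bytes]]:
    """Return (offset, raw_bytes) for every CDOY-delimited hex blob in the text."""
    found = []
    for m in BLOB_RE.finditer(page_text):
        found.append((m.start(), bytes.fromhex(m.group(1))))
    return found


def decode_indicator(raw: bytes) -> Optional[str]:
    """Decode a blob as printable ASCII; anything else is not a usable indicator."""
    if not raw.isascii():
        return None
    text = raw.decode("ascii")
    return text if text.isprintable() else None


# Constructed profile text (not from the article): one valid blob that decodes
# to the placeholder "example.invalid", one odd-length blob that must be skipped.
SAMPLE_PROFILE = (
    "About me: hobbyist photographer. "
    "CDOY6578616d706c652e696e76616c6964CDOY "
    "CDOY6578616d7CDOY "
    "Follow for more."
)


def hunt(page_text: str = SAMPLE_PROFILE) -> List[str]:
    """Return decoded candidate indicators to feed into blocklists or alerts."""
    return [s for _, raw in extract_dead_drop_blobs(page_text)
            if (s := decode_indicator(raw)) is not None]


if __name__ == "__main__":
    for hit in hunt():
        print("candidate dead-drop indicator:", hit)
```

Run it against the text of any profile page your telemetry shows a process reaching out to; a hit does not prove compromise on its own, but the decoded value is worth correlating with proxy and DNS logs.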
Greg Lesnewich, a threat researcher at Proofpoint, told The Hacker News that the latest findings suggest the threat actor is using spear-phishing to gain a foothold in networks, although other delivery methods cannot be ruled out. There is currently no indication that the attacker is “targeting entities beyond Windows operating systems.”
(The story was updated after publication to include additional comments from Proofpoint.)