Original Article Text


CloudSorcerer hackers abuse cloud services to steal Russian govt data

A new advanced persistent threat (APT) group named CloudSorcerer abuses public cloud services to steal data from Russian government organizations in cyberespionage attacks.

Kaspersky security researchers discovered the cyberespionage group in May 2024. They report that CloudSorcerer uses custom malware that relies on legitimate cloud services for command and control (C2) operations and data storage.

Kaspersky notes that CloudSorcerer's modus operandi is similar to CloudWizard APT's, but its malware is distinct, leading the researchers to believe this is a new threat actor.

CloudSorcerer malware details

While Kaspersky does not explain how the threat actors initially breach a network, it says they execute the custom Windows backdoor manually.

The malware's behavior depends on the process it has been injected into, which it determines using 'GetModuleFileNameA.' If executed from within "mspaint.exe," it acts as a backdoor, collecting data and executing code. However, if it is launched within "msiexec.exe," it first initiates C2 communication to receive commands to execute.

The initial communication is a request to a GitHub repository (up at the time of writing) that contains a hexadecimal string that determines which cloud service to use for further C2 operations: Microsoft Graph, Yandex Cloud, or Dropbox.

For processes that don't match any hardcoded behavior, the malware injects shellcode into the MSIexec, MSPaint, or Explorer process and terminates the initial process. The shellcode parses the Process Environment Block (PEB) to identify Windows core DLL offsets, identifies required Windows APIs using the ROR14 algorithm, and maps the CloudSorcerer code into the memory of the targeted processes. Data exchange between modules is organized through Windows pipes for seamless inter-process communication.

The backdoor module, which performs the data theft, collects system information such as computer name, user name, Windows sub-version, and system uptime. It also supports a range of commands retrieved from the C2, including:

Overall, the CloudSorcerer backdoor is a potent tool that enables the threat actors to perform malicious actions on the infected machines. Kaspersky characterizes the CloudSorcerer attacks as highly sophisticated due to the malware's dynamic adaptation and covert data communication mechanisms.

Indicators of compromise (IoC) and Yara rules for detecting the CloudSorcerer malware are available at the bottom of Kaspersky's report.
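The combination the article describes, a host process such as mspaint.exe or msiexec.exe talking to GitHub, Microsoft Graph, Yandex Cloud or Dropbox, is something a defender can hunt for in endpoint network telemetry. The following is an added example, not code from the article or from Kaspersky's report: it runs a simple pairing check over constructed Sysmon-style network-connection records. The cloud service hostnames and the sample events are assumptions made for the example.

```python
import csv
import io

# Processes the article names as CloudSorcerer injection hosts.
SUSPECT_IMAGES = {"mspaint.exe", "msiexec.exe", "explorer.exe"}

# Hostnames for the cloud services the article names as C2 channels.
# The exact hostnames are an assumption for this example, not from the report.
CLOUD_C2_HOSTS = {
    "github.com": "GitHub (bootstrap)",
    "raw.githubusercontent.com": "GitHub (bootstrap)",
    "graph.microsoft.com": "Microsoft Graph",
    "cloud-api.yandex.net": "Yandex Cloud",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
}

# Constructed sample of Sysmon-style network-connection events (Event ID 3
# fields), flattened to CSV for the example. Not real telemetry.
SAMPLE_EVENTS = """\
utc_time,image,dest_host,dest_port
2024-05-14 09:01:11,C:\\Windows\\System32\\mspaint.exe,github.com,443
2024-05-14 09:01:15,C:\\Windows\\System32\\mspaint.exe,graph.microsoft.com,443
2024-05-14 09:02:00,C:\\Program Files\\Mozilla Firefox\\firefox.exe,github.com,443
2024-05-14 09:03:30,C:\\Windows\\System32\\msiexec.exe,api.dropboxapi.com,443
2024-05-14 09:04:02,C:\\Windows\\System32\\svchost.exe,update.microsoft.com,443
2024-05-14 09:05:45,C:\\Windows\\explorer.exe,cloud-api.yandex.net,443
"""

def flag_cloud_c2(events_csv):
    """Return (time, image, host, service) for connections where a process the
    article names as an injection host reaches one of the cloud services used
    for C2. Browsers and updaters legitimately talk to these services, and
    mspaint/msiexec legitimately run, so the pairing is the signal, not either
    field on its own. explorer.exe has more benign cloud traffic and usually
    needs local tuning before it is alerted on."""
    alerts = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        image = row["image"].rsplit("\\", 1)[-1].lower()
        host = row["dest_host"].lower()
        if image in SUSPECT_IMAGES and host in CLOUD_C2_HOSTS:
            alerts.append((row["utc_time"], image, host, CLOUD_C2_HOSTS[host]))
    return alerts

if __name__ == "__main__":
    for when, image, host, service in flag_cloud_c2(SAMPLE_EVENTS):
        print(f"{when}  {image:<12} -> {host:<22} ({service})")
```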

Daily Brief Summary

NATION STATE ACTIVITY // CloudSorcerer APT Utilizes Clouds to Target Russian Government

The group named CloudSorcerer conducts cyberespionage against Russian government entities by abusing public cloud services.

Discovered by Kaspersky in May 2024, this advanced persistent threat (APT) employs custom malware leveraging legitimate cloud platforms for control and data storage.

The unique malware uses different tactics depending on the host application, such as "mspaint.exe" or "msiexec.exe," to manage command and control (C2) communications or execute malicious activities.

Initial contact by the malware is through a GitHub repository, which facilitates further C2 operations through various cloud services like Microsoft Graph, Yandex Cloud, or Dropbox.

The malware ensures stealth and efficacy by using Windows pipes for inter-process communications, adapting to the specific environment of the infected machine.

CloudSorcerer can conduct extensive reconnaissance on the infected system, gathering data like computer name, username, and system details.

Kaspersky emphasizes the sophistication of the attacks due to the malware's ability to dynamically adapt and obfuscate data transmission.

Detection signatures and methods (IoCs and Yara rules) have been made available by Kaspersky for identifying and mitigating CloudSorcerer threats.