CloudSorcerer APT Group Detailed Out

Security researchers have detailed a new advanced persistent threat group that is targeting Russian government entities in a geopolitically linked hacking campaign.

The APT, dubbed CloudSorcerer, uses a sophisticated cyber espionage tool for stealthy monitoring, data collection and exfiltration via Microsoft Graph, Yandex Cloud and Dropbox cloud infrastructure. The malware leverages cloud resources as its C2 servers, accessing them through application programming interfaces using authentication tokens.

The operations resemble those of the CloudWizard APT from 2023, whose campaign targeted Russian-occupied areas of Ukraine and related entities. There are a few differences: CloudSorcerer uses separate modules depending on the process it runs in, including communication and data collection modules. The malware uses Windows pipes for inter-process communication and adapts its functionality based on the process name.

The malware collects system information and sends it to a C2 module. It can execute different commands, such as collecting system information, manipulating files, executing shell commands, and creating processes using COM interfaces.

CloudSorcerer uses GitHub and Mail.ru for initial communications and uses encoded strings to interact with cloud services. It then uses Yandex Cloud, Microsoft Graph and Dropbox for data exfiltration and command execution.

Despite the similarities to CloudWizard, the researchers note, there are distinct differences in code and functionality, suggesting that CloudSorcerer is likely a new actor using similar techniques but developing unique tools.

The report does not speculate about who might be behind CloudSorcerer, but if it is not the Ukrainians, it is likely a Western country, and the most likely candidate would be the U.S. Starting the initial C2 communication via GitHub is not unusual; it is a lesson in the importance of limiting outbound traffic from networks, not just inbound traffic. Organizations should block these types of domains if they are not commonly used.

Indicators of Compromise

  • F701fc79578a12513c369d4e36c57224
  • hxxps://github[.]com/alinaegorovaMygit
  • hxxps://my.mail[.]ru/yandex.ru/alinaegorova2154/photo/1
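The outbound-filtering point above, as an added example that is not part of the original post or the researchers' report: a small Python triage script that parses constructed proxy log lines and flags hosts reaching the cloud services named in the post (GitHub and Mail.ru from the indicators, plus Yandex Cloud, Microsoft Graph and Dropbox) unless the host/destination pair is allowlisted. The log format, the concrete hostnames such as cloud-api.yandex.net, and the allowlist are assumptions made for this example.

```python
import re
from collections import defaultdict
# Cloud services the post reports CloudSorcerer using for C2 and exfiltration.
# The concrete hostnames are assumptions made for this example.
CLOUD_C2_DOMAINS = {
    "github.com": "GitHub (initial C2)",
    "my.mail.ru": "Mail.ru (initial C2)",
    "cloud-api.yandex.net": "Yandex Cloud",
    "graph.microsoft.com": "Microsoft Graph",
    "api.dropboxapi.com": "Dropbox",
}
ALLOWLIST = {("dev-build-01", "github.com")}  # assumed (src, dest) pairs with a business need
# Constructed proxy log format: "<timestamp> <src_host> <method> <dest_host> <status>"
LOG_RE = re.compile(r"^\S+ (\S+) \S+ (\S+) \d{3}$")

def parse_line(line):
    """Return (src_host, dest_host) from one log line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return (m.group(1), m.group(2).lower()) if m else None

def matched_service(dest):
    """Label for dest if it is a listed C2 domain or a subdomain of one."""
    for domain, label in CLOUD_C2_DOMAINS.items():
        if dest == domain or dest.endswith("." + domain):
            return label
    return None

def triage(lines, allowlist=ALLOWLIST):
    """Return (src, dest, label, hits) for each non-allowlisted host that
    reached a listed cloud service, most frequent first."""
    hits, labels = defaultdict(int), {}
    for line in lines:
        rec = parse_line(line)
        label = matched_service(rec[1]) if rec else None
        if label is None or rec in allowlist:
            continue
        hits[rec] += 1
        labels[rec] = label
    return sorted(((s, d, labels[(s, d)], n) for (s, d), n in hits.items()),
                  key=lambda r: (-r[3], r[0], r[1]))

# Constructed sample: one HR workstation touches GitHub, Mail.ru and Graph.
SAMPLE_LOG = """\
2024-07-08T09:00:01Z hr-ws-17 GET github.com 200
2024-07-08T09:00:02Z hr-ws-17 GET api.github.com 200
2024-07-08T09:00:05Z hr-ws-17 GET my.mail.ru 200
2024-07-08T09:01:10Z hr-ws-17 POST graph.microsoft.com 200
2024-07-08T09:02:00Z dev-build-01 GET github.com 200
2024-07-08T09:02:30Z fin-ws-03 GET intranet.example.local 200
""".splitlines()
```

Running `triage(SAMPLE_LOG)` lists only the HR workstation's four cloud destinations; the build host is allowlisted and the intranet host never matches.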

MITRE Mapping
