A new advanced persistent threat (APT) group, dubbed CloudSorcerer, has emerged on the cybersecurity scene. This group has been observed targeting Russian government entities with a sophisticated cyber espionage campaign.
Cloud Services as Command Centers
Kaspersky Labs, the cybersecurity firm that discovered CloudSorcerer two months ago, identified an unusual approach to command and control.
The attackers leverage readily available cloud services like Microsoft Graph, Yandex Cloud, and Dropbox for command-and-control (C2) infrastructure. This tactic allows them to mask their activities and potentially evade detection.
Innovation in Data Theft
CloudSorcerer employs a custom-built data-gathering program, showcasing considerable technical expertise. This program uses various evasion techniques to conceal its presence on compromised systems.
"The malware leverages cloud resources as its command and control (C2) servers, accessing them through APIs using authentication tokens. Additionally, CloudSorcerer uses GitHub as its initial C2 server," Kaspersky notes.
Stealthy Delivery and Multifaceted Malware
The exact method of infiltration remains unknown. However, upon gaining initial access, CloudSorcerer deploys a C-based executable that can function in multiple ways. It can act as a backdoor, establish communication with the C2 server, or inject malicious code into legitimate processes like mspaint.exe or msiexec.exe.
Kaspersky highlights the malware's ability to "dynamically adapt its behavior," increasing its complexity and making detection more challenging.
Extracting Information and Executing Commands
As The Hacker News reports, the backdoor component gathers information about the infected machine and receives instructions from the C2 server. These instructions allow the malware to enumerate files and folders, run commands, manipulate files, and even download additional malicious payloads.
C2 Communication with a Twist
The C2 communication module employs a unique approach. It initially connects to a seemingly innocuous GitHub page. This page functions as a "dead drop resolver," retrieving an encoded string that points to the actual C2 server hosted on Microsoft Graph, Yandex Cloud, or another cloud platform.
Kaspersky also discovered an alternative method: CloudSorcerer can retrieve the same data from a Russian cloud-based photo hosting service called "my.mail.ru." In this scenario, the encoded string is hidden in the name of a photo album.
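As an added illustration from the defender's side (example code, not from the article or from Kaspersky), the following Python flags network-connection events in which one of the injection targets named above, mspaint.exe or msiexec.exe, contacts one of the cloud services used for C2 or the GitHub dead-drop resolver. The event format and the API hostnames are assumptions made for this example, and the sample events are constructed.

```python
import re
from dataclasses import dataclass
# Assumed API hostnames for the cloud services the article names. They are
# here for illustration only; they are not indicators published by Kaspersky.
CLOUD_C2_HOSTS = {
    "graph.microsoft.com": "Microsoft Graph",
    "api.dropboxapi.com": "Dropbox",
    "cloud-api.yandex.net": "Yandex Cloud",
    "github.com": "GitHub (dead drop resolver)",
    "raw.githubusercontent.com": "GitHub (dead drop resolver)",
}

# Legitimate processes the article says the implant injects into. Neither
# has a routine reason to talk to cloud storage or code-hosting APIs.
INJECTION_TARGETS = {"mspaint.exe", "msiexec.exe"}

# Constructed, Sysmon-style network-connection event format (hypothetical).
EVENT_RE = re.compile(r"image=(?P<image>\S+)\s+dest=(?P<dest>\S+)")

@dataclass(frozen=True)
class Alert:
    image: str
    dest: str
    service: str

def detect(lines):
    """Return one Alert per event where an injection target contacts a cloud API."""
    alerts = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # not a network-connection event in the expected format
        image = m["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        dest = m["dest"].lower().rstrip(".")
        service = CLOUD_C2_HOSTS.get(dest)
        if image in INJECTION_TARGETS and service:
            alerts.append(Alert(image, dest, service))
    return alerts

# Constructed sample events: the first two should alert, the last two are benign.
SAMPLE_EVENTS = [
    r"NetworkConnect image=C:\Windows\System32\mspaint.exe dest=github.com",
    r"NetworkConnect image=C:\Windows\System32\msiexec.exe dest=graph.microsoft.com",
    r"NetworkConnect image=C:\Windows\System32\msiexec.exe dest=download.microsoft.com",
    r"NetworkConnect image=C:\Tools\git.exe dest=github.com",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT {a.image} -> {a.dest} ({a.service})")
```

The rule is deliberately narrow: a browser or git client reaching GitHub is normal, while an image editor or the Windows installer doing so is not.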
Sophistication Targeting the Russian Government
Kaspersky emphasizes the well-planned nature of CloudSorcerer's campaign. The use of various cloud services for C2 infrastructure, combined with initial communication through GitHub, demonstrates a calculated approach to cyber espionage.
Similar Tactics Target U.S. Organization
Security firm Proofpoint identified a recent cyber campaign mirroring CloudSorcerer's tactics, targeting an unnamed U.S. organization. This campaign, dubbed UNK_ArbitraryAcrobat, employed social engineering tactics to trick recipients into downloading a malicious file.
While CloudSorcerer primarily targets Russia, the discovery of similar tactics used against a U.S. organization raises concerns. Continued investigation is necessary to fully understand the scope of this threat and develop effective mitigation strategies.