Kaspersky Says 'CloudSorcerer' APT Hacking Group is Targeting Russian Agencies

CloudSorcerer utilizes GitHub as its initial C2 server.

A new advanced persistent threat (APT) group, dubbed CloudSorcerer, has emerged on the cybersecurity scene. This group has been observed targeting Russian government entities with a sophisticated cyber espionage campaign.

Cloud Services as Command Centers

[Image caption: Russian government entities are observed to be vulnerable to cyberthreats. Kaspersky says that the "CloudSorcerer" APT group is the latest to hit the departments. Photo: Mika Baumeister from Unsplash]

Kaspersky Labs, the cybersecurity firm that discovered CloudSorcerer two months ago, identified a unique approach.

The attackers leverage readily available cloud services like Microsoft Graph, Yandex Cloud, and Dropbox for command-and-control (C2) infrastructure. This tactic allows them to mask their activities and potentially evade detection.

Innovation in Data Theft

CloudSorcerer employs a custom-built data-gathering program, showcasing a level of technical expertise. This program utilizes various evasion techniques to conceal its presence on compromised systems.

"The malware leverages cloud resources as its command and control (C2) servers, accessing them through APIs using authentication tokens. Additionally, CloudSorcerer uses GitHub as its initial C2 server," Kaspersky notes.

Stealthy Delivery and Multifaceted Malware

The exact method of infiltration remains unknown. However, upon gaining initial access, CloudSorcerer deploys a C-based executable that can function in multiple ways. It can act as a backdoor, establish communication with the C2 server, or inject malicious code into legitimate processes like mspaint.exe or msiexec.exe.

Kaspersky highlights the malware's ability to "dynamically adapt its behavior," increasing its complexity and making detection more challenging.

Extracting Information and Executing Commands

As The Hacker News reports, the backdoor component gathers information about the infected machine and receives instructions from the C2 server. These instructions allow the malware to enumerate files and folders, run commands, manipulate files, and even download additional malicious payloads.

C2 Communication with a Twist

The C2 communication module employs a unique approach. It initially connects to a seemingly innocuous GitHub page. This page functions as a "dead drop resolver," retrieving an encoded string that points to the actual C2 server hosted on Microsoft Graph, Yandex Cloud, or another cloud platform.

Kaspersky also discovered an alternative method: CloudSorcerer can retrieve the same data from a Russian cloud-based photo hosting service called "my.mail.ru." In this scenario, the name of a photo album supposedly contains the encoded string.
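The behaviour described above gives defenders two concrete hunting leads: the article names the processes the implant injects into (mspaint.exe, msiexec.exe) and the cloud services it talks to (GitHub or my.mail.ru first as the dead drop resolver, then Microsoft Graph, Yandex Cloud or Dropbox as the real C2). The following Python script is an added example for this article, not code from Kaspersky, Tech Times or the malware itself. It runs over a constructed block of endpoint network telemetry and flags (1) any named injection-target process contacting one of those cloud APIs and (2) the resolver-then-C2 sequence within a single process. The pipe-separated log format, the sample lines and the API hostnames are assumptions; the article only names the services, not their endpoints.

```python
"""Hunt for CloudSorcerer-style cloud C2 behaviour in endpoint telemetry.

Added example, not code from the article, Kaspersky, or the malware.
Assumptions (not from the article): the telemetry format
    timestamp|hostname|process|pid|dest_host|dest_port
and the API hostnames mapped to the cloud services the article names.
"""
from collections import defaultdict
from dataclasses import dataclass

# Processes the article names as injection targets; neither normally needs
# outbound access to developer or cloud-storage APIs.
INJECTION_TARGETS = {"mspaint.exe", "msiexec.exe"}

# Assumed API endpoints for the cloud services the article lists.
CLOUD_C2_HOSTS = {
    "api.github.com": "GitHub",
    "raw.githubusercontent.com": "GitHub",
    "graph.microsoft.com": "Microsoft Graph",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "cloud-api.yandex.net": "Yandex Cloud",
    "my.mail.ru": "my.mail.ru photo hosting",
}

# Hosts the article describes as first-stage "dead drop resolvers".
RESOLVER_HOSTS = {"api.github.com", "raw.githubusercontent.com", "my.mail.ru"}

# Constructed sample telemetry. PID 5532 shows the resolver-then-C2 pattern;
# PID 4120 is a browser legitimately using Microsoft Graph and must not fire.
SAMPLE_LOG = """\
2024-07-08T09:12:01Z|WS-17|chrome.exe|4120|graph.microsoft.com|443
2024-07-08T09:13:44Z|WS-17|mspaint.exe|5532|api.github.com|443
2024-07-08T09:13:52Z|WS-17|mspaint.exe|5532|graph.microsoft.com|443
2024-07-08T09:20:10Z|WS-22|msiexec.exe|7001|download.example-vendor.test|443
2024-07-08T09:25:00Z|WS-22|msiexec.exe|7001|my.mail.ru|443
2024-07-08T09:30:00Z|WS-09|outlook.exe|2210|outlook.office365.com|443
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    process: str
    pid: int
    detail: str


def parse_line(line: str):
    """Parse one telemetry line; return None for malformed input."""
    parts = line.strip().split("|")
    if len(parts) != 6:
        return None
    ts, host, process, pid, dest, port = parts
    if not pid.isdigit() or not port.isdigit():
        return None
    return ts, host, process.lower(), int(pid), dest.lower(), int(port)


def hunt(log_text: str) -> list[Finding]:
    """Return findings for injection-target processes using cloud C2 hosts."""
    findings: list[Finding] = []
    # Ordered cloud hosts contacted per (hostname, process, pid).
    contacted: dict[tuple, list[str]] = defaultdict(list)

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, process, pid, dest, _port = rec
        if process not in INJECTION_TARGETS or dest not in CLOUD_C2_HOSTS:
            continue
        findings.append(Finding(
            "injected_process_to_cloud_api", host, process, pid,
            f"{ts} {process} -> {dest} ({CLOUD_C2_HOSTS[dest]})"))
        contacted[(host, process, pid)].append(dest)

    # Dead drop pattern: a resolver host followed by a different cloud host
    # from the same process, matching the GitHub-then-real-C2 flow described.
    for (host, process, pid), dests in contacted.items():
        resolver_seen = False
        for dest in dests:
            if dest in RESOLVER_HOSTS:
                resolver_seen = True
            elif resolver_seen:
                findings.append(Finding(
                    "dead_drop_resolver_sequence", host, process, pid,
                    f"resolver contact then {CLOUD_C2_HOSTS[dest]}"))
                break
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.rule}] {f.host} {f.process} pid={f.pid}: {f.detail}")
```

Run as-is, the script prints three per-connection findings (two for mspaint.exe on WS-17, one for msiexec.exe on WS-22) and one sequence finding for the mspaint.exe process that touched GitHub and then Microsoft Graph. The browser's Graph traffic and msiexec.exe's vendor download are left alone, which is the point: the signal is the pairing of an unexpected process with these specific services, not the services themselves.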

Sophistication Targeting the Russian Government

Kaspersky emphasizes the well-planned nature of CloudSorcerer's campaign. The use of various cloud services for C2 infrastructure, combined with initial communication through GitHub, demonstrates a calculated approach to cyber espionage.

Similar Tactics Target U.S. Organization

Security firm Proofpoint identified a recent cyber campaign mirroring CloudSorcerer's tactics, targeting an unnamed U.S. organization. This campaign, dubbed UNK_ArbitraryAcrobat, employed social engineering tactics to trick recipients into downloading a malicious file.

While CloudSorcerer primarily targets Russia, the discovery of similar tactics used against a U.S. organization raises concerns. Continued investigation is necessary to fully understand the scope of this threat and develop effective mitigation strategies.

Joseph Henry
Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.