CloudSorcerer Leverages Cloud Services in Cyber-Espionage Campaign

Published: 23/11/2024   Category: security




The newly discovered APT's main weapon is a malware tool that changes its behavior depending on the process in which it is running.



A newly identified cyber-espionage actor is targeting government organizations in the Russian Federation with a sophisticated piece of malware that adapts its behavior to the process it is executing in.

The advanced persistent threat (APT) group, which researchers at Kaspersky are tracking as CloudSorcerer, has an operational style akin to that of CloudWizard, another APT that the security vendor spotted last year, also targeting Russian entities.

Like CloudWizard, the new group leans heavily on public cloud services for command and control (C2) and other purposes, and it appears to be going after the same targets. But CloudSorcerer's eponymous malware is entirely different from CloudWizard's, making it more than likely that CloudSorcerer is a new cyber-espionage actor that merely reuses the older group's tactics, Kaspersky said in a report this week.

"While there are similarities in modus operandi to the previously reported CloudWizard APT, the significant differences in code and functionality suggest that CloudSorcerer is likely a new actor, possibly inspired by previous techniques but developing its own unique tools," Kaspersky said.
CloudSorcerer's primary malware tool performs multiple functions, including covert monitoring and data collection on compromised systems and data exfiltration through legitimate cloud services such as the Microsoft Graph API, Dropbox and Yandex Cloud. CloudSorcerer also uses cloud services to host its command-and-control servers, which the malware reaches through their application programming interfaces (APIs).

The threat actors distribute CloudSorcerer as a single executable file that can nonetheless operate as two separate modules, a data collection module and a communication module, depending on its execution context. Distributing the malware this way makes it both easier to deploy and easier to hide.

The malware is executed manually by the attacker on an already compromised machine, according to Kaspersky. It is a single Portable Executable (PE) binary written in C. Its functionality varies with the process in which it is executed: on startup, the malware calls the GetModuleFileNameA function to determine which process it is running in. If that process is mspaint.exe, the malware acts as a backdoor and exposes a variety of malicious functions, including code execution and data collection. Because GetModuleFileNameA with a null module handle returns the path of the current process's own executable, this check only makes sense once the code has been loaded into another process; for defenders, the observable artifact is therefore a stock Windows binary such as mspaint.exe doing things a paint program never does, such as making outbound network connections.

The data CloudSorcerer collects includes the computer name, username, Windows version and system uptime, which it sends to the C2 server. Depending on the response, the backdoor executes one of several commands, including collecting information about the system's hard drives, collecting data from files and folders, executing shell commands, and creating and writing data to arbitrary files on the compromised system.

The backdoor can also create processes to run malicious binaries, create processes as a dedicated user, get and stop tasks, create and modify services, delete Windows registry values, and modify registry keys. When CloudSorcerer first executes, it contacts an initial C2 server on GitHub, which is essentially a webpage containing instructions for the next steps the malware should take, Kaspersky said.
Attackers' use of public cloud services to host C2 infrastructure and to distribute malware and other components of an attack chain is not new. Services like the Microsoft Graph API and GitHub in particular have become popular among threat actors looking to slip malware and malicious activity past enterprise defenses, because traffic to them blends in with legitimate use. Even so, the growing sophistication of attacks that leverage such services presents a challenge for organizations.

"The CloudSorcerer malware represents a sophisticated toolset targeting Russian government entities," Kaspersky noted. "Its use of cloud services such as Microsoft Graph, Yandex Cloud, and Dropbox for C2 infrastructure, along with GitHub for initial C2 communications, demonstrates a well-planned approach to cyber espionage." Adding to the challenge, the vendor said, is CloudSorcerer's ability to dynamically adapt its behavior based on process context.
Erich Kron, security awareness advocate at KnowBe4, said the new campaign shows why organizations cannot stop at monitoring only what comes into the network.

"While the initial C2 communication starting with GitHub is not unusual, it is a lesson in the importance of limiting outbound traffic from networks, as well," he said in an emailed comment. "If most of the people within an organization have no need to access a commonly used website for command-and-control traffic such as this, it makes sense to block this traffic."
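The two defensive ideas above, spotting a stock Windows binary such as mspaint.exe talking to a cloud service it has no reason to use, and enforcing a per-destination egress allowlist so that GitHub, Graph, Dropbox and Yandex are reachable only from the few processes that need them, can be turned into a small detector. The following is an added example written for this page; it is not code from the article, from Kaspersky's report, or from the malware. The log line format, the hostnames, the list of suspect host processes and the allowlist are all assumptions constructed for the demonstration and should be replaced with what your own proxy or EDR telemetry actually emits.

```python
"""Added example: flag CloudSorcerer-style cloud C2 from constructed
network-connection telemetry. Not the article's or Kaspersky's code."""
import re

# Cloud services the article names as C2 / exfiltration channels. The exact
# hostnames are assumptions; map them to what your proxy logs really show.
CLOUD_C2_HOSTS = {
    "github.com",            # initial C2 "webpage" with next-step instructions
    "graph.microsoft.com",   # Microsoft Graph API
    "api.dropboxapi.com",    # Dropbox
    "cloud-api.yandex.net",  # Yandex Cloud
}

# Process the article names as the backdoor's host. Extend from your own
# telemetry; a paint program has no business reaching any host above.
SUSPECT_IMAGES = {"mspaint.exe"}

# Assumed egress policy (Kron's point): which image names may reach each
# cloud host at all. An empty set means "nobody here needs it; block it".
EGRESS_POLICY = {
    "github.com": {"git.exe", "code.exe"},
    "graph.microsoft.com": {"outlook.exe", "ms-teams.exe"},
    "api.dropboxapi.com": {"dropbox.exe"},
    "cloud-api.yandex.net": set(),
}

# Constructed sample lines in an assumed key=value shape (think of a Sysmon
# network-connection event or an EDR record flattened to one line).
SAMPLE_LOG = r"""
2024-07-08T10:02:11Z image=C:\Windows\System32\mspaint.exe pid=4120 dst=github.com:443
2024-07-08T10:02:40Z image=C:\Windows\System32\msiexec.exe pid=4188 dst=graph.microsoft.com:443
2024-07-08T10:03:02Z image=C:\Program Files\Git\cmd\git.exe pid=5001 dst=github.com:443
2024-07-08T10:03:30Z image=C:\Windows\explorer.exe pid=1220 dst=intranet.corp.example:443
2024-07-08T10:04:05Z image=C:\Windows\System32\svchost.exe pid=900 dst=api.dropboxapi.com:443
"""

# Non-greedy image match so paths containing spaces still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) image=(?P<image>.+?) pid=(?P<pid>\d+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+)$"
)


def parse_line(line):
    """Return a dict for one telemetry line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["port"] = int(ev["port"])
    ev["dst"] = ev["dst"].lower()
    # Compare on the image basename, lower-cased, as Windows paths are case-insensitive.
    ev["basename"] = ev["image"].rsplit("\\", 1)[-1].lower()
    return ev


def classify(ev):
    """Return the list of reasons this connection is suspicious (empty if none)."""
    reasons = []
    if ev["dst"] in CLOUD_C2_HOSTS and ev["basename"] in SUSPECT_IMAGES:
        reasons.append("cloud-c2-host-from-suspect-process")
    allowed = EGRESS_POLICY.get(ev["dst"])
    # Destinations absent from the policy are not governed by it.
    if allowed is not None and ev["basename"] not in allowed:
        reasons.append("egress-policy")
    return reasons


def analyze(lines):
    """Run every parseable line through classify() and collect the alerts."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # blank or unparseable line
        reasons = classify(ev)
        if reasons:
            alerts.append({"ts": ev["ts"], "pid": ev["pid"],
                           "image": ev["basename"], "dst": ev["dst"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f'{a["ts"]} pid={a["pid"]} {a["image"]} -> {a["dst"]}: {", ".join(a["reasons"])}')
```

On the sample data this raises three alerts: mspaint.exe reaching github.com trips both rules, msiexec.exe reaching the Graph API and svchost.exe reaching Dropbox trip only the egress policy, while git.exe reaching github.com and explorer.exe reaching an internal host are silent. The second rule is the one that survives the attacker changing host processes, which is why an allowlist per destination is the more durable control.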
