Previously undocumented Advanced Persistent Threat Group (APT), duplicated CloudSorcerer they were seen targeting Russian government entities using cloud services for command and control (C2) and data theft.
Cyber security firm Kaspersky, which discovered this activity in May 2024, the trading technique adopted by the threat actor bears similarities to CloudWizard, but pointed to differences in the malware’s source code. Attackers have an innovative data collection program and a variety of evasion tactics to cover their tracks.
“It is a sophisticated cyber-espionage tool used for covert monitoring, data collection and extortion through Microsoft Graph, Yandex Cloud and Dropbox cloud infrastructure,” the Russian security vendor said. said.
“The malware uses cloud resources as its command and control (C2) servers, accessing them through APIs using authentication tokens. In addition, CloudSorcerer uses GitHub as the initial C2 server.”
The exact method used to infiltrate the target is currently unknown, but the initial access is used to remove a portable C-based executable used as a backdoor, initiate C2 communication, or inject shellcode into other legitimate process-based processes, in which it executes, namely mspaint.exe, msiexec.exe, or contains the string “browser”.
“The ability of the malware to dynamically adapt its behavior depending on the process in which it is running, combined with the use of complex inter-process communication through Windows channels, further emphasizes its complexity,” noted Kaspersky.
The backdoor component is designed to collect information about the victim machine and obtain instructions to enumerate files and folders, execute shell commands, perform file operations, and run additional payloads.
Module C2, for its part, connects to a GitHub page that acts as a dead drop solver to get an encoded hexadecimal string that points to a real server hosted on Microsoft Graph or Yandex Cloud.
“Alternatively, instead of connecting to GitHub, CloudSorcerer also tries to get the same data from hxxps://my.mail(.)ru/, which is a Russian cloud photo hosting server,” Kaspersky said. “The name of the photo album contains the same hexadecimal string.”
“The CloudSorcerer malware is a sophisticated set of tools aimed at Russian government entities. The use of cloud services such as Microsoft Graph, Yandex Cloud, and Dropbox for C2 infrastructure, along with GitHub for initial C2 communication, demonstrates a well-planned approach to cyberespionage. “
