
CloudSorcerer Utilizes Cloud Services in Cyber-Espionage Campaign


A recent cyber-espionage campaign targeting government organizations in the Russian Federation has caught the attention of security researchers at Kaspersky. This new threat actor, known as “CloudSorcerer,” has been using a sophisticated malware strain that can adjust its behavior based on the environment in which it operates.

Similar to another APT group called “CloudWizard,” CloudSorcerer relies heavily on public cloud services for various activities, including command and control operations. Despite these similarities, the malware used by CloudSorcerer is distinct from that of CloudWizard, leading experts to believe that CloudSorcerer is a new player in the cyber-espionage arena, possibly drawing inspiration from its predecessor but developing its own set of tools.

CloudSorcerer’s malware is designed to perform a range of functions, such as covert monitoring, data collection, and exfiltration using legitimate cloud services like Microsoft Graph API, Dropbox, and Yandex cloud. Additionally, the group leverages cloud services to host its command-and-control servers, which the malware accesses through APIs.

The threat actors behind CloudSorcerer have been distributing the malware as a single executable file that can function as two separate modules—a data collection module and a communication module—depending on the execution context. This approach makes it easier to deploy the malware and harder to detect.

When the malware is executed, it checks the name of the process it is running in and adjusts its functionality accordingly. For instance, if the host process is mspaint.exe, the malware operates as a backdoor, enabling malicious activities such as code execution and data collection. The data collected includes the computer name, username, Windows version, and system uptime, which is then sent to the command-and-control server.

CloudSorcerer’s backdoor capabilities allow it to perform various tasks, such as creating processes for running malicious binaries, manipulating registry keys, and executing shell commands. The malware communicates with an initial C2 server on GitHub upon execution, receiving instructions for the next steps in its operation.

One of the notable aspects of the CloudSorcerer campaign is the use of public cloud services for hosting its infrastructure, a tactic employed by many threat actors to evade detection by traditional security measures. Services like Microsoft Graph API and GitHub have become popular among cybercriminals for distributing malware and orchestrating attacks, posing a challenge for organizations trying to defend against such threats.

Kaspersky emphasized that CloudSorcerer’s utilization of cloud services for its C2 infrastructure demonstrates a well-planned approach to cyber espionage targeting Russian government entities. The malware’s ability to dynamically adjust its behavior based on the context further complicates defense efforts against it.

Experts like Erich Kron, security awareness advocate at KnowBe4, highlighted the importance of monitoring outbound traffic in addition to inbound traffic to identify and block malicious activity effectively. Limiting access to websites used for command-and-control communication can help organizations mitigate the risk posed by threats like CloudSorcerer.
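The two defensive observations above (the malware hides in an unexpected host process such as mspaint.exe, and defenders should watch outbound rather than only inbound traffic) combine into a simple detection: flag any process that is not an expected cloud-API client yet connects to one of the cloud endpoints named in the article. The script below is an added example written for this page, not code from Kaspersky or from the article. The log format, the `EXPECTED_CLIENTS` allow list and the mapping of service names to hostnames are assumptions made for illustration; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Cloud services named in the article, keyed by the API hostname each uses.
# The hostnames are an assumption for this example; confirm against your own
# proxy or DNS telemetry before using them in a production rule.
CLOUD_API_HOSTS = {
    "graph.microsoft.com": "Microsoft Graph API",
    "api.github.com": "GitHub",
    "api.dropboxapi.com": "Dropbox",
    "cloud-api.yandex.net": "Yandex Cloud",
}

# Processes that are expected to talk to those APIs in this hypothetical
# environment. Anything else reaching a cloud API host is worth a look.
EXPECTED_CLIENTS = {"outlook.exe", "teams.exe", "dropbox.exe", "git.exe", "yandexdisk.exe"}

# Assumed EDR-style network event format, one event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) "
    r"image=(?P<image>\S+) dst=(?P<dst>\S+):(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    image: str
    dst: str
    service: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious(lines):
    """Flag outbound connections to cloud API hosts from processes not on the allow list."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the pipeline
        service = CLOUD_API_HOSTS.get(rec["dst"].lower())
        if service is None:
            continue  # not one of the cloud APIs we care about
        # Compare on the bare image name so the path does not matter.
        image = rec["image"].rsplit("\\", 1)[-1].lower()
        if image in EXPECTED_CLIENTS:
            continue
        findings.append(Finding(rec["ts"], rec["host"], image, rec["dst"], service))
    return findings


# Constructed sample events: two from mspaint.exe reaching cloud APIs (the
# behaviour described in the article), two benign, one malformed.
SAMPLE_LOG = [
    r"2024-07-08T09:12:01Z host=WS-017 pid=4120 image=C:\Windows\System32\mspaint.exe dst=api.github.com:443",
    r"2024-07-08T09:12:05Z host=WS-017 pid=2210 image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE dst=graph.microsoft.com:443",
    r"2024-07-08T09:12:09Z host=WS-017 pid=3350 image=C:\Program Files\Google\Chrome\Application\chrome.exe dst=www.example.com:443",
    r"2024-07-08T09:12:14Z host=WS-017 pid=4120 image=C:\Windows\System32\mspaint.exe dst=graph.microsoft.com:443",
    "this line is not a network event",
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.ts} {f.host}: {f.image} -> {f.dst} ({f.service})")
```

Run as-is, the script reports the two mspaint.exe connections and stays quiet about Outlook reaching Graph and Chrome reaching a non-cloud host. The allow list is the part that needs care: build it from a baseline of which binaries legitimately use each API on your estate, because a list that is too generous lets a process-hollowed client through, while one that is too strict floods analysts with noise.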

Overall, the emergence of CloudSorcerer underscores the evolving tactics and capabilities of cyber-espionage actors, requiring organizations to stay vigilant and adapt their defenses to mitigate the risks posed by such sophisticated threats.
