Kaspersky Flags Cyberespionage APT ‘CloudSorcerer’ Targeting Russian Government


A new advanced persistent threat (APT) actor has been observed targeting Russian government entities for cyberespionage, according to a new report from Russian security vendor Kaspersky.

Dubbed CloudSorcerer, the threat actor relies on public cloud services both for command-and-control (C&C) infrastructure and for exfiltration, with stolen data observed leaving through Dropbox, Microsoft Graph, and Yandex Cloud, Kaspersky said.

According to the company’s report, the operators execute the CloudSorcerer malware manually on compromised machines. Depending on the process it is running in, the malware functions as a backdoor, starts the C&C communication module, or attempts to inject shellcode into explorer.exe, msiexec.exe, or mspaint.exe.

The backdoor module collects various types of information about the victim computer, including machine name, user name, Windows version details, and system uptime. The data is stored in a specially created structure and written to a named pipe connected to the communication module.

“It is important to note that all data exchange is organized using well-defined structures with different purposes, such as backdoor command structures and information gathering structures,” Kaspersky said.

Based on commands received through the same named pipe, the malware can collect additional information, execute shell commands, tamper with files, and inject shellcode into processes.

Additional functionality is unlocked by specific command IDs, including creating processes, clearing the DNS cache, tampering with Windows scheduled tasks, services, and registry keys, creating and deleting users, disconnecting network resources, manipulating files, and collecting network information.

The C&C communication module makes its initial connection either to a GitHub page containing forks of three public projects or to the Russian cloud-based photo hosting service my.mail[.]ru. Both pages contain the same encoded string.
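A hunting check suggested by the details above: the three host processes named in the description of the malware's execution modes, and the cloud services named as C&C and exfiltration channels. This is an added example, not Kaspersky's code or detection logic. The log lines are constructed Sysmon-style network-connection records, the field names and the service hostname suffixes are assumptions, and a hit is a lead to triage rather than a verdict, since explorer.exe can reach Microsoft endpoints legitimately.

```python
"""Flag the host processes CloudSorcerer is reported to run in or inject into
when they open connections to the public cloud services the report names.
Added example; the log lines are constructed, not real telemetry."""
import re
from typing import Dict, List, Optional

# Processes the report names as the malware's host/injection targets.
ABUSED_HOSTS = {"explorer.exe", "msiexec.exe", "mspaint.exe"}

# Cloud services named in the report, keyed by the hostname suffixes assumed
# to serve their APIs and dead-drop pages (assumption, not from the report).
CLOUD_SUFFIXES = (
    "github.com", "githubusercontent.com",     # dead-drop page
    "my.mail.ru",                              # photo-hosting dead drop
    "dropbox.com", "dropboxapi.com",           # Dropbox
    "graph.microsoft.com",                     # Microsoft Graph
    "yandexcloud.net",                         # Yandex Cloud
)

# Constructed Sysmon-Event-3-style records: '<timestamp> key=value ...'.
SAMPLE_EVENTS = [
    "2024-07-08T10:15:02Z EventID=3 Image=C:\\Windows\\System32\\mspaint.exe DestinationHostname=my.mail.ru DestinationPort=443",
    "2024-07-08T10:15:09Z EventID=3 Image=C:\\Windows\\System32\\msiexec.exe DestinationHostname=raw.githubusercontent.com DestinationPort=443",
    "2024-07-08T10:16:40Z EventID=3 Image=\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" DestinationHostname=github.com DestinationPort=443",
    "2024-07-08T10:17:01Z EventID=3 Image=C:\\Windows\\explorer.exe DestinationHostname=graph.microsoft.com DestinationPort=443",
    "2024-07-08T10:18:13Z EventID=3 Image=C:\\Windows\\System32\\mspaint.exe DestinationHostname=files.corp.example DestinationPort=445",
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split one record into a dict; the leading token is the timestamp."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields["Timestamp"] = line.split(" ", 1)[0]
    return fields


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cloud_service(hostname: str) -> Optional[str]:
    """Return the matching cloud suffix, or None. Exact or subdomain match only,
    so 'notgithub.com' does not match 'github.com'."""
    h = hostname.lower().rstrip(".")
    for suffix in CLOUD_SUFFIXES:
        if h == suffix or h.endswith("." + suffix):
            return suffix
    return None


def flag_events(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per record where an abused host process reached a named cloud service."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        proc = image_name(ev.get("Image", ""))
        svc = cloud_service(ev.get("DestinationHostname", ""))
        if proc in ABUSED_HOSTS and svc:
            alerts.append({"ts": ev["Timestamp"], "process": proc,
                           "dst": ev["DestinationHostname"], "service": svc})
    return alerts


if __name__ == "__main__":
    for a in flag_events(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['process']} -> {a['dst']} ({a['service']})")
```

On the sample records the check flags the mspaint.exe, msiexec.exe and explorer.exe connections and ignores the browser's GitHub visit and mspaint.exe's connection to an internal host. Baseline explorer.exe against Microsoft endpoints before alerting on it; msiexec.exe and mspaint.exe reaching any of these services is rarer and worth a closer look on its own.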


According to Kaspersky, the C&C module “interacts with the cloud services by reading data, receiving encoded commands, decoding them using the character code table, and sending them via the named pipe to the backdoor module”.
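The dead-drop flow described in the two passages above, as an added illustration of the pattern rather than Kaspersky's or the malware's code: the module reads a public page (falling back from the GitHub page to the photo-hosting page, which carries the same string), pulls out an encoded string, decodes it symbol by symbol through a character code table, and turns the result into a command structure for the backdoor. The page bodies, the marker, the table (built here from a reversed alphabet so the mapping is easy to follow) and the 'id|channel|argument' layout are all constructed assumptions; the report does not disclose the real table or structures, and the named-pipe hand-off to the backdoor is left out.

```python
"""Dead-drop resolver pattern: read a public page, extract an encoded string,
decode it through a character code table, parse it into a command structure.
Added example with constructed pages, marker, table and command layout."""
from typing import Dict, List, NamedTuple, Optional

# Hypothetical character code table: encoded symbol -> plaintext character.
# Built from a reversed alphabet only so the mapping can be followed by eye;
# a real table is malware-specific and is not given in the report.
PLAIN = "abcdefghijklmnopqrstuvwxyz0123456789:/.|"
CODE_TABLE: Dict[str, str] = dict(zip(PLAIN[::-1], PLAIN))

MARKER = "cs:"  # hypothetical marker that precedes the encoded string on the page

KNOWN_CHANNELS = {"dropbox", "graph", "yandex"}  # services the report names


class Command(NamedTuple):
    """Stand-in for the malware's command structure (assumed 'id|channel|argument')."""
    cmd_id: int
    channel: str
    argument: str


def extract_encoded(page: str) -> Optional[str]:
    """Return the run of table symbols that follows MARKER, or None if absent."""
    idx = page.find(MARKER)
    if idx < 0:
        return None
    symbols = []
    for ch in page[idx + len(MARKER):]:
        if ch not in CODE_TABLE:
            break  # first symbol outside the table ends the encoded string
        symbols.append(ch)
    return "".join(symbols) or None


def decode(encoded: str) -> str:
    """Map every symbol through the table; anything outside it is an error."""
    try:
        return "".join(CODE_TABLE[c] for c in encoded)
    except KeyError as exc:
        raise ValueError(f"symbol {exc.args[0]!r} is not in the code table") from None


def parse_command(plaintext: str) -> Command:
    """Validate the decoded text against the assumed 'id|channel|argument' layout."""
    parts = plaintext.split("|")
    if len(parts) != 3 or not parts[0].isdigit() or parts[1] not in KNOWN_CHANNELS:
        raise ValueError(f"malformed command: {plaintext!r}")
    return Command(int(parts[0]), parts[1], parts[2])


def resolve(pages: List[str]) -> Command:
    """Try each dead-drop page in order (GitHub page first, then the photo host)."""
    for page in pages:
        encoded = extract_encoded(page)
        if encoded:
            return parse_command(decode(encoded))
    raise LookupError("no encoded string found on any dead-drop page")


# Constructed page bodies. Both carry the same encoded string, as the report
# says the GitHub and my.mail[.]ru pages do; it decodes to '4|dropbox|cmds.txt'.
GITHUB_PAGE = "<p>Fork of a public project. cs:ja:wzy.zqa/1:vbuqu</p>"
MAILRU_PAGE = "<div class='about'>cs:ja:wzy.zqa/1:vbuqu</div>"

if __name__ == "__main__":
    print(resolve([GITHUB_PAGE, MAILRU_PAGE]))
```

Two points carry over to analysis of a real sample: the table is a fixed substitution, so recovering it from the binary turns every string on the dead-drop pages into plaintext, and the decoder rejects any symbol outside the table, which is why a takedown that replaces the page content with anything else silently breaks the resolver rather than feeding it garbage.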

The use of public cloud infrastructure for C&C was also the modus operandi of the CloudWizard APT, a threat actor Kaspersky detailed last year, but CloudSorcerer’s activity appears distinct, the company says.

“The likelihood of attributing CloudSorcerer to the same actor is low, as the code and overall functionality of the malware are different. We therefore assume at this point that CloudSorcerer is a new actor that has adopted the technique of interacting with public cloud services,” Kaspersky researchers added.

Related: Multiple Chinese APTs Targeted Southeast Asian Government for Two Years

Related: Iranian APT Targets Israeli Education, Tech Sectors With New Wipers

Related: Russian APT29 Hackers Caught Targeting German Political Parties
