UPDATED 19:38 EDT / JULY 08 2024

SECURITY

New APT group CloudSorcerer uses cloud services to target Russian government entities

Security researchers at Securelist by Kaspersky today detailed a new advanced persistent threat group that’s targeting Russian government entities in what appears to be another uptick in geopolitical-linked hacking.

Dubbed CloudSorcerer, the group uses a sophisticated cyber espionage tool for stealth monitoring, data collection and exfiltration via Microsoft Graph, Yandex Cloud and Dropbox cloud infrastructure. The malware leverages cloud resources as its command and control servers, accessing them through application programming interfaces using authentication tokens.

CloudSorcerer’s operations are said to resemble those of the CloudWizard APT from 2023. CloudWizard was notably an APT campaign used to target Russian-occupied areas of Ukraine and related entities.

However, there are also some key differences between the two. CloudSorcerer uses separate modules depending on the process it runs in, which include communication and data collection modules. The malware uses Windows pipes for inter-process communication and adapts its functionality based on the process name.

The malware collects system information and sends it to a command and control module. It can execute different commands, such as collecting system information, manipulating files, executing shell commands and creating processes using COM interfaces.

CloudSorcerer uses GitHub and Mail.ru for initial communications and uses encoded strings to interact with cloud services. It then uses Yandex Cloud, Microsoft Graph and Dropbox for data exfiltration and command execution.

Despite the similarities to CloudWizard, the researchers note, there are distinct differences in code and functionality, suggesting that CloudSorcerer is likely a new actor using similar techniques but developing unique tools.

The report does not speculate who might be behind CloudSorcerer, but if it’s not the Ukrainians, it’s likely a Western country and the most likely would be the U.S.

“It’s always interesting to see attacks focused on those that we tend to expect attacks from,” Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “This is an example of the fact that cyberthreats, including espionage, are a global issue, not just one focused on North America or European entities.”

This malware works differently based on the program from which it is executed, Kron explained. “While the initial C2 communication starting with GitHub is not unusual, it is a lesson in the importance of limiting outbound traffic from networks, as opposed to just inbound traffic,” he said. “If most of the people within an organization have no need to access a commonly used website for command-and-control traffic such as this, it makes sense to block this traffic.”
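As an added defender-side example (not code from the Kaspersky report or from this article), the egress-monitoring idea in Kron's comment applied to the service sequence described above: it scans constructed proxy log lines for contacts with the named cloud services and escalates when one host reaches GitHub or Mail.ru and then Yandex Cloud, Microsoft Graph or Dropbox shortly afterwards. The hostnames, log format, allowlist and sample lines are assumptions, since the report as described here publishes no indicators.

```python
import re
from datetime import datetime, timedelta

# Hostnames are assumptions: the report names the services but lists no indicators.
STAGE1 = {"github.com": "GitHub", "mail.ru": "Mail.ru"}            # initial contact
STAGE2 = {"graph.microsoft.com": "Microsoft Graph", "dropboxapi.com": "Dropbox",
          "dropbox.com": "Dropbox", "yandex.net": "Yandex Cloud"}  # tasking/exfil

# Constructed egress-proxy line format: <ISO ts> src=<ip> host=<fqdn> method=<v> bytes=<n>
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) method=\S+ bytes=(?P<bytes>\d+)$")

def classify(host):
    """Return (stage, service) when host belongs to a watched cloud service, else None."""
    for table, stage in ((STAGE1, 1), (STAGE2, 2)):
        for suffix, name in table.items():
            if host == suffix or host.endswith("." + suffix):
                return stage, name
    return None

def analyze(lines, allowed_sources=frozenset(), window=timedelta(hours=1)):
    """Flag each watched contact from a non-allowlisted source; escalate when one source
    hits a stage-1 service and then a stage-2 service within `window` (the reported order)."""
    findings, last_stage1 = [], {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                                   # unknown format: skip, do not guess
        hit = classify(m["host"])
        if hit is None or m["src"] in allowed_sources:
            continue
        stage, service = hit
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        src, size = m["src"], int(m["bytes"])
        findings.append(("watched-egress", src, service, size))
        if stage == 1:
            last_stage1[src] = (ts, service)
        elif src in last_stage1 and ts - last_stage1[src][0] <= window:
            findings.append(("possible-cloud-c2-chain", src,
                             f"{last_stage1[src][1]} -> {service}", size))
    return findings

# Constructed sample: 10.0.0.5 hits GitHub then uploads 5 MB to Dropbox; 10.0.0.9 is allowlisted.
SAMPLE = [
    "2024-07-08T09:00:00Z src=10.0.0.5 host=api.github.com method=GET bytes=812",
    "2024-07-08T09:02:10Z src=10.0.0.5 host=content.dropboxapi.com method=POST bytes=5242880",
    "2024-07-08T09:05:00Z src=10.0.0.9 host=api.github.com method=GET bytes=900",
    "2024-07-08T09:07:00Z src=10.0.0.7 host=www.example.com method=GET bytes=300",
    "2024-07-08T13:00:00Z src=10.0.0.5 host=graph.microsoft.com method=GET bytes=400",
]
```

Calling `analyze(SAMPLE, allowed_sources={"10.0.0.9"})` yields three watched-egress findings for 10.0.0.5 and one chain finding, GitHub -> Dropbox; the Graph contact four hours later falls outside the one-hour window and is reported on its own.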

Image: SiliconANGLE/GPT-4o
