CloudSorcerer steals Russian gov data by exploiting cloud services

July 10, 2024

The new CloudSorcerer advanced persistent threat (APT) group used public cloud services to steal data from Russian government enterprises during its cyberespionage campaigns.

Researchers claim this newly discovered APT group employs well-known malware that uses legitimate cloud services for C2 operations and data storage. The group's method of operation is similar to that of the CloudWizard APT, but its malware is different.

Although the researchers did not explain how the attackers obtained initial access, they did disclose how the threat actors manually executed the proprietary Windows backdoor. They also note that the malware behaves differently depending on which process it was injected into.

If the malware runs inside "mspaint.exe", it functions as a backdoor, collecting data and executing code. If it is launched from within "msiexec.exe", it first initiates C2 communication to receive commands.

The first communication is a request to a GitHub repository containing a hexadecimal string that indicates which cloud provider (Microsoft Graph, Yandex Cloud or Dropbox) to use for C2 operations.

If started in a process that has no hardcoded behaviour, the malware injects shellcode into msiexec.exe, mspaint.exe or explorer.exe and then terminates.

The shellcode parses the Process Environment Block (PEB) to locate the core Windows DLLs, resolves the Windows APIs it needs by hashing their names with the ROR14 algorithm, and loads the CloudSorcerer code into the memory of the targeted process.
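The behaviour described above gives defenders two observable pivots: an unexpected process (mspaint.exe or msiexec.exe) talking to public cloud APIs, and a remote thread being created in msiexec.exe, mspaint.exe or explorer.exe. The following is an added detection example, not code from the report or the researchers; the Sysmon-style event layout, the sample events and the cloud API hostnames are constructed assumptions, since the article names providers but not endpoints.

```python
# Added example: flag Sysmon-style telemetry that matches the CloudSorcerer
# behaviour described in the article. Event layout, hostnames and sample
# events are constructed for illustration and are not from the report.

# Processes the article says the loader injects shellcode into.
INJECTION_TARGETS = {"msiexec.exe", "mspaint.exe", "explorer.exe"}
# Assumed API endpoints for GitHub and the three providers named in the text.
CLOUD_C2_HOSTS = {"github.com", "graph.microsoft.com",
                  "cloud-api.yandex.net", "api.dropboxapi.com"}


def image_name(path):
    """Return the lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a list of alert strings for one event dict (empty if benign)."""
    alerts = []
    if ev["EventID"] == 3:  # network connection
        img = image_name(ev["Image"])
        host = ev.get("DestinationHostname", "").lower()
        if img == "mspaint.exe":  # Paint has no reason to use the network
            alerts.append(f"mspaint.exe made a network connection to {host}")
        if img in INJECTION_TARGETS and host in CLOUD_C2_HOSTS:
            alerts.append(f"{img} contacted cloud service {host}")
    elif ev["EventID"] == 8:  # CreateRemoteThread
        src, tgt = image_name(ev["SourceImage"]), image_name(ev["TargetImage"])
        if tgt in INJECTION_TARGETS and src != tgt:
            alerts.append(f"remote thread created in {tgt} by {src}")
    return alerts


def scan(events):
    """Map event index -> alerts for every event that triggered a rule."""
    hits = {}
    for i, ev in enumerate(events):
        alerts = check_event(ev)
        if alerts:
            hits[i] = alerts
    return hits


# Constructed sample telemetry: indices 0-2 should alert, 3-4 should not.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\System32\msiexec.exe", "DestinationHostname": "github.com"},
    {"EventID": 3, "Image": r"C:\Windows\System32\mspaint.exe", "DestinationHostname": "cloud-api.yandex.net"},
    {"EventID": 8, "SourceImage": r"C:\Temp\loader.exe", "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Firefox\firefox.exe", "DestinationHostname": "github.com"},
    {"EventID": 8, "SourceImage": r"C:\Windows\explorer.exe", "TargetImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, alerts in scan(SAMPLE_EVENTS).items():
        print(idx, alerts)
```

The mspaint rule fires on any destination, so it also catches a C2 endpoint that is not in the assumed hostname list.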

The CloudSorcerer backdoor supports a range of commands that let the operators carry out their objectives efficiently.

Confirmed commands observed in CloudSorcerer's campaigns include command execution; copying, moving and deleting files; creating a process via COM interfaces; creating a new service or modifying an existing one; and adding new network users or removing legitimate ones from the system.

Overall, the CloudSorcerer backdoor is a powerful tool that allows threat actors to execute malicious code on compromised devices. Researchers describe this APT group’s attacks as complex due to the malware’s dynamic adaptation and covert data exchange capabilities.

Organisations and researchers should be wary of this new threat, whose sophistication makes it a significant risk to the cybersecurity landscape.
