A new, sophisticated cyber threat group named CloudSorcerer has been detected targeting Russian government entities. The group uses public cloud services for command-and-control (C2) operations and data exfiltration.
Kaspersky, the cybersecurity company that uncovered this activity in May 2024, found similarities between CloudSorcerer and another group called CloudWizard, but highlighted differences in the malware's source code. The attacks involve a new data-gathering tool and various tactics to avoid detection.
Kaspersky mentioned, “It’s a sophisticated cyber espionage tool used for stealth monitoring, data collection, and exfiltration via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure.”
“The malware uses cloud resources as its command and control (C2) servers, accessing them through APIs using authentication tokens. Additionally, CloudSorcerer utilizes GitHub as its initial C2 server.”
The exact method of infiltrating targets is unknown, but initial access allows the deployment of a C-based executable binary as a backdoor. This backdoor can establish C2 communication, inject shellcode into other processes, and adapt its behavior based on the process it runs in.
Kaspersky pointed out, “The malware’s sophisticated behavior, along with its complex inter-process communication through Windows pipes, showcases its advanced nature.”
The backdoor is designed to collect information about the victim’s system, execute commands, perform file operations, and run additional payloads based on instructions received.
The C2 module connects to a GitHub page acting as a dead drop resolver to retrieve encoded data pointing to the actual servers hosted on Microsoft Graph or Yandex Cloud.
Kaspersky mentioned, “Instead of GitHub, CloudSorcerer also attempts to access the same data from hxxps://my.mail[.]ru/, a Russian cloud-based photo hosting service. The encoded data is hidden within the name of a photo album.”
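The two-stage pattern described above (a dead-drop lookup on a public site, followed by C2 traffic to a legitimate cloud API) is something a defender can look for in endpoint or proxy telemetry. The following is an added example written for this summary, not code from Kaspersky's report: it parses a few constructed connection-log lines, flags unexpected processes that contact the service families the article names, and correlates a dead-drop fetch with a cloud-API contact from the same process within a short window. The concrete hostnames are my assumptions about where those services' APIs live, not indicators from the report, and the list of expected processes is an illustrative placeholder that a real deployment would tune to its own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts for the service families the article names. The hostnames are
# assumptions about each service's API endpoint, not indicators from the report.
DEAD_DROP_HOSTS = {"raw.githubusercontent.com", "github.com", "my.mail.ru"}
CLOUD_C2_HOSTS = {"graph.microsoft.com", "cloud-api.yandex.net", "api.dropboxapi.com"}

# Processes a typical environment expects to talk to these services (assumption; tune per site).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "dropbox.exe", "git.exe"}

# Constructed log format: ISO timestamp, pid, image path, destination host.
LOG_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) dst=(?P<host>\S+)$")

# Constructed sample telemetry (not real data): one benign browser fetch, one
# benign Dropbox client sync, and one unknown binary in Temp doing both stages.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 pid=1234 image=C:\\Program Files\\Google\\Chrome\\chrome.exe dst=github.com",
    "2024-05-01T09:01:00 pid=4321 image=C:\\Users\\user\\AppData\\Local\\Temp\\update.exe dst=raw.githubusercontent.com",
    "2024-05-01T09:02:30 pid=4321 image=C:\\Users\\user\\AppData\\Local\\Temp\\update.exe dst=graph.microsoft.com",
    "2024-05-01T09:05:00 pid=5555 image=C:\\Program Files\\Dropbox\\Client\\Dropbox.exe dst=api.dropboxapi.com",
]


def parse(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "pid": int(m["pid"]),
        "image": m["image"].lower(),
        "host": m["host"].lower(),
    }


def image_name(path):
    """Return the executable file name from a Windows path (lowercased upstream)."""
    return path.rsplit("\\", 1)[-1]


def find_suspicious(lines, window=timedelta(minutes=10)):
    """Return a list of (pid, image_name, reason) findings.

    Two heuristics: (1) a process outside the expected set contacting a
    dead-drop or cloud-API host; (2) the same pid fetching from a dead-drop host
    and then contacting a cloud-API host within `window` (the staging pattern
    described in the article).
    """
    events = [e for e in map(parse, lines) if e]
    findings = []
    by_pid = defaultdict(list)

    for e in events:
        name = image_name(e["image"])
        if e["host"] in DEAD_DROP_HOSTS | CLOUD_C2_HOSTS and name not in EXPECTED_PROCESSES:
            findings.append((e["pid"], name, f"unexpected process contacted {e['host']}"))
        by_pid[e["pid"]].append(e)

    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        dead_drop_times = [e["ts"] for e in evs if e["host"] in DEAD_DROP_HOSTS]
        for e in evs:
            if e["host"] in CLOUD_C2_HOSTS and any(
                timedelta(0) <= e["ts"] - t <= window for t in dead_drop_times
            ):
                findings.append((pid, image_name(e["image"]), "dead-drop lookup followed by cloud API contact"))
                break  # one correlation finding per process is enough

    return findings


if __name__ == "__main__":
    for pid, name, reason in find_suspicious(SAMPLE_LOG):
        print(f"pid={pid} image={name}: {reason}")
```

On the constructed sample, only the Temp-directory binary produces findings: two per-connection alerts (it is not an expected process) and one correlation alert, because its dead-drop fetch is followed 90 seconds later by a Microsoft Graph contact. The browser and Dropbox client reach the same hosts without raising anything, which is the point: the service itself is legitimate, so detection has to key on which process is talking to it and on the sequence of contacts.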
“The CloudSorcerer malware is a sophisticated toolset aimed at Russian government entities. Its clever use of cloud services like Microsoft Graph, Yandex Cloud, and Dropbox for C2 infrastructure, along with GitHub for initial communication, demonstrates a well-thought-out approach to cyber espionage.”