Kaspersky’s Global Research and Analysis Team (GReAT) has uncovered a new Advanced Persistent Threat (APT) group, dubbed CloudSorcerer, which has been actively targeting Russian government entities. This sophisticated cyberespionage tool exploits cloud services and GitHub as command and control (C2) servers, echoing techniques previously reported with the CloudWizard APT in 2023.
Despite the similarities to CloudWizard, also discovered by Kaspersky, CloudSorcerer employs a unique codebase and functionality, setting it apart as a distinct cyber threat actor. The group utilizes public cloud infrastructure, including Microsoft Graph, Yandex Cloud, and Dropbox, as its primary command and control (C2) servers. The malware interacts with C2 servers through APIs, employing authentication tokens retrieved from a seemingly legitimate GitHub page.
CloudSorcerer employs a multi-stage attack strategy. First, attackers manually deploy the malware onto a victim’s machine. On gaining access, CloudSorcerer adapts its functionality based on the process it infects. For instance, it may behave differently when running in mspaint.exe compared to msiexec.exe. To establish communication with its command and control center (C2), CloudSorcerer retrieves details, potentially a cloud storage location, from a GitHub page. This information is encoded within the page itself. Finally, the malware gathers system information and exfiltrates it to the designated cloud storage using the chosen cloud service's API.
Significantly, CloudSorcerer employs complex obfuscation and encryption techniques to avoid detection. It decodes commands using a hardcoded charcode table and manipulates Microsoft COM object interfaces to execute its malicious operations.
“The deployment of CloudSorcerer highlights a sophisticated use of public cloud services for espionage, illustrating how threat actors exploit these platforms to conceal their activities. By integrating legitimate cloud services into their operations, these actors not only enhance their ability to remain undetected but also leverage the robust infrastructure of these platforms to execute complex espionage operations effectively. Our ongoing analysis underlines the importance of recognizing and mitigating such stealth tactics in governmental and corporate cybersecurity strategies,” comments Sergey Lozhkin, principal cybersecurity researcher at Kaspersky’s GReAT.
Kaspersky continues to monitor and analyze CloudSorcerer among other cyber threats, ensuring that its cybersecurity solutions and threat intelligence remain up-to-date to address the latest challenges.
Read the full report on Securelist.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
- Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence is a single point of access for the company’s TI, providing it with cyberattack data and insights gathered by Kaspersky spanning over 20 years.
- Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts
- For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform
- As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform
