Kaspersky identifies new APT group targeting Russian government entities

Kaspersky’s Global Research and Analysis Team (GReAT) has uncovered a new Advanced Persistent Threat (APT) group, dubbed CloudSorcerer, which has been actively targeting Russian government entities. This sophisticated cyberespionage tool uses cloud services and GitHub as command and control (C2) servers, echoing techniques previously reported with the CloudWizard APT in 2023.

Despite the similarities to CloudWizard, also discovered by Kaspersky, CloudSorcerer employs a unique codebase and functionality, setting it apart as a distinct cyber threat actor. The group uses public cloud infrastructure, including Microsoft Graph, Yandex Cloud, and Dropbox, as its primary C2 servers. The malware interacts with these C2 servers through their APIs, using authentication tokens retrieved from a seemingly legitimate GitHub page.

CloudSorcerer employs a multi-stage attack strategy. First, the attackers manually deploy the malware onto a victim’s machine. Once running, CloudSorcerer adapts its functionality to the process it is executing in; for instance, it behaves differently inside mspaint.exe than inside msiexec.exe. To establish communication with its C2, CloudSorcerer retrieves connection details, potentially a cloud storage location, from a GitHub page, where the information is encoded within the page content itself. Finally, the malware gathers system information and exfiltrates it to the designated cloud storage through the chosen cloud service’s API.
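The sequence described above (a GitHub fetch followed by cloud storage API traffic from the same process) is something a defender can look for in proxy or EDR telemetry. The following is an added detection example written for this article, not code from Kaspersky or from the malware; the hostnames, the browser allowlist and the log line format are my assumptions and should be matched to your own environment.

```python
import re
from typing import Dict, List, Optional, Tuple
# Hosts for the services the report names. Exact hostnames are my assumption
# (the article names only the services); match them to your own telemetry.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "api.github.com"}
CLOUD_API_HOSTS = {
    "graph.microsoft.com": "Microsoft Graph",
    "cloud-api.yandex.net": "Yandex Cloud",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
}
# Processes for which GitHub-then-cloud traffic is routine (assumed list).
ALLOWED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed log format: "<iso-timestamp> proc=<image> dst=<host>:<port>"
LINE_RE = re.compile(r"^(\S+)\s+proc=(\S+)\s+dst=([^:\s]+):\d+")

def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2).lower(), m.group(3).lower()) if m else None
def flag_github_to_cloud(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Flag a process that fetches from GitHub and later calls a cloud storage
    API, the order the report describes. Returns (process, github_ts, cloud_ts, service)."""
    first_github: Dict[str, str] = {}  # process -> timestamp of first GitHub contact
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # skip malformed telemetry rather than crash
            continue
        ts, proc, host = parsed
        if proc in ALLOWED_CLIENTS:
            continue
        if host in GITHUB_HOSTS:
            first_github.setdefault(proc, ts)
        elif host in CLOUD_API_HOSTS and proc in first_github:
            alerts.append((proc, first_github[proc], ts, CLOUD_API_HOSTS[host]))
    return alerts
# Constructed sample telemetry, not a real capture.
SAMPLE_LOG = [
    "2024-07-08T10:00:01Z proc=chrome.exe dst=github.com:443",
    "2024-07-08T10:00:02Z proc=chrome.exe dst=api.dropboxapi.com:443",
    "2024-07-08T10:00:05Z proc=mspaint.exe dst=raw.githubusercontent.com:443",
    "2024-07-08T10:00:09Z proc=mspaint.exe dst=graph.microsoft.com:443",
    "2024-07-08T10:00:12Z proc=msiexec.exe dst=api.dropboxapi.com:443",
    "not a log line",
]

if __name__ == "__main__":
    for proc, t1, t2, svc in flag_github_to_cloud(SAMPLE_LOG):
        print(f"{proc}: GitHub at {t1}, then {svc} at {t2}; review for cloud C2")
```

Only mspaint.exe trips the rule in the sample: the browser is allowlisted, and msiexec.exe reaches Dropbox without a preceding GitHub fetch, so the sequence condition is not met.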

Significantly, CloudSorcerer employs complex obfuscation and encryption techniques to avoid detection. It decodes commands using a hardcoded charcode table and manipulates Microsoft COM object interfaces to execute its malicious operations.

“The deployment of CloudSorcerer highlights a sophisticated use of public cloud services for espionage, illustrating how threat actors exploit these platforms to conceal their activities. By integrating legitimate cloud services into their operations, these actors not only enhance their ability to remain undetected but also leverage the robust infrastructure of these platforms to execute complex espionage operations effectively. Our ongoing analysis underlines the importance of recognizing and mitigating such stealth tactics in governmental and corporate cybersecurity strategies,” comments Sergey Lozhkin, principal cybersecurity researcher at Kaspersky’s GReAT.
