CloudSorcerer – A new APT targeting Russian government entities

July 8, 2024, 7:55 p.m.

Description

In May 2024, Kaspersky discovered a sophisticated cyberespionage tool, dubbed CloudSorcerer, targeting Russian government entities. The malware uses public cloud services (Microsoft Graph, Yandex Cloud and Dropbox) as its command-and-control (C2) infrastructure, reaching them through their APIs with authentication tokens, and uses GitHub as its initial C2 server. CloudSorcerer communicates between its components over Windows pipes and changes its behavior depending on the process it is running in. Although it is reminiscent of the CloudWizard APT, its code differs significantly, so CloudSorcerer is most likely a new actor that borrowed similar techniques rather than CloudWizard itself.
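As an added hunting example (not taken from this page or from Kaspersky's report), the following Python script applies two checks to constructed Sysmon-style telemetry: the SHA-256 indicator listed below against process-create events, and outbound connections to the API hosts of the cloud services named above from processes that are not expected to use them. The API hostnames, the allowlist of expected client processes and the log lines are assumptions; the report summary does not list endpoints or process names.

```python
"""Hunting helper for the cloud-API C2 tradecraft attributed to CloudSorcerer.

Checks over Sysmon-style events (1 = process create, 3 = network connect):
  1. process image hash matches the published indicator;
  2. a process outside an allowlist connects to a cloud-service API host
     that CloudSorcerer is reported to use as C2 (Microsoft Graph, Dropbox,
     Yandex Cloud, GitHub).
Hostnames, allowlist and log lines are assumptions / constructed samples.
"""
from dataclasses import dataclass

# Indicator published on this page (SHA-256 of the CloudSorcerer sample).
CLOUDSORCERER_SHA256 = {
    "e4b2d8890f0e7259ee29c7ac98a3e9a5ae71327aaac658f84072770cf8ef02de",
}

# Assumed public API hosts of the services named in the report; the report
# summary itself does not list endpoints.
CLOUD_C2_HOSTS = {
    "graph.microsoft.com": "Microsoft Graph",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "cloud-api.yandex.net": "Yandex Cloud",
    "raw.githubusercontent.com": "GitHub",
    "api.github.com": "GitHub",
}

# Assumed per-environment allowlist: processes expected to talk to each host.
EXPECTED_CLIENTS = {
    "graph.microsoft.com": {"outlook.exe", "teams.exe", "onedrive.exe"},
    "api.dropboxapi.com": {"dropbox.exe"},
    "content.dropboxapi.com": {"dropbox.exe"},
    "cloud-api.yandex.net": {"yandexdisk2.exe"},
    "raw.githubusercontent.com": {"git.exe", "code.exe"},
    "api.github.com": {"git.exe", "code.exe"},
}


@dataclass
class Event:
    event_id: int        # 1 = process create, 3 = network connect
    image: str           # full path of the process image
    sha256: str = ""     # present on process-create events
    dest_host: str = ""  # present on network-connect events


def parse_line(line: str) -> Event:
    """Parse one constructed 'Key=Value|Key=Value' telemetry line."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return Event(
        event_id=int(fields["EventID"]),
        image=fields["Image"],
        sha256=fields.get("SHA256", "").lower(),
        dest_host=fields.get("DestinationHostname", "").lower(),
    )


def hunt(lines: list[str]) -> list[str]:
    """Return one finding string per suspicious event, in log order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        proc = ev.image.rsplit("\\", 1)[-1].lower()
        if ev.event_id == 1 and ev.sha256 in CLOUDSORCERER_SHA256:
            findings.append(f"IOC hash match: {ev.image}")
        elif ev.event_id == 3 and ev.dest_host in CLOUD_C2_HOSTS:
            if proc not in EXPECTED_CLIENTS.get(ev.dest_host, set()):
                service = CLOUD_C2_HOSTS[ev.dest_host]
                findings.append(
                    f"unexpected {service} API client: {ev.image} -> {ev.dest_host}"
                )
    return findings


# Constructed sample telemetry; only the IOC hash is real.
SAMPLE_LOG = [
    r"EventID=1|Image=C:\Windows\System32\svchost.exe|SHA256=1111111111111111111111111111111111111111111111111111111111111111",
    r"EventID=1|Image=C:\Users\Public\update.exe|SHA256=E4B2D8890F0E7259EE29C7AC98A3E9A5AE71327AAAC658F84072770CF8EF02DE",
    r"EventID=3|Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|DestinationHostname=graph.microsoft.com",
    r"EventID=3|Image=C:\Users\Public\update.exe|DestinationHostname=raw.githubusercontent.com",
    r"EventID=3|Image=C:\Users\Public\update.exe|DestinationHostname=api.dropboxapi.com",
    r"EventID=3|Image=C:\Windows\System32\notepad.exe|DestinationHostname=cloud-api.yandex.net",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The allowlist check is the part that generalises: a hash only catches the one sample, whereas a non-mail, non-sync, non-developer binary holding a token-authenticated session with Graph, Dropbox or Yandex Cloud is the behaviour the report describes and is what to alert on regardless of the binary's hash. Tune EXPECTED_CLIENTS to the environment before deploying, or the Outlook-to-Graph case above turns into noise.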

Date

Published: July 8, 2024, 7:18 p.m.

Created: July 8, 2024, 7:18 p.m.

Modified: July 8, 2024, 7:55 p.m.

Indicators

e4b2d8890f0e7259ee29c7ac98a3e9a5ae71327aaac658f84072770cf8ef02de

Attack Patterns

CloudSorcerer

CloudSorcerer

T1567

T1057

T1083

T1047

T1543

T1140

T1112

T1059

Additional Information

Government

Russian Federation