CloudSorcerer – A new APT targeting Russian government entities

July 8, 2024, 7:55 p.m.

Description

In May 2024, Kaspersky discovered a sophisticated cyberespionage tool called CloudSorcerer, targeting Russian government entities. This malware leverages cloud resources like Microsoft Graph, Yandex Cloud, and Dropbox as command-and-control (C2) servers, accessing them through APIs using authentication tokens. It also utilizes GitHub as its initial C2 server. CloudSorcerer employs inter-process communication through Windows pipes and adapts its behavior based on the running process, showcasing its advanced nature. While reminiscent of the CloudWizard APT, the code differs significantly, suggesting CloudSorcerer is likely a new actor inspired by similar techniques.

External References

https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/
https://otx.alienvault.com/pulse/668c3b887a830af70aa08201
Tags
2024-07-08
github
c programming language
cloudsorcerer
ror14 algorithm
microsoft com object

Date

  • Created: July 8, 2024, 7:18 p.m.
  • Published: July 8, 2024, 7:18 p.m.
  • Modified: July 8, 2024, 7:55 p.m.

Indicators

  • e4b2d8890f0e7259ee29c7ac98a3e9a5ae71327aaac658f84072770cf8ef02de
Download all indicators here!

Attack Patterns

  • CloudSorcerer
  • CloudSorcerer
  • T1567
  • T1057
  • T1083
  • T1047
  • T1543
  • T1140
  • T1112
  • T1059

Additional Informations

  • Government
  • Russian Federation