CloudSorcerer – A new APT targeting Russian government entities
July 8, 2024, 7:55 p.m.
Tags
External References
Description
In May 2024, Kaspersky discovered a sophisticated cyberespionage tool called CloudSorcerer, targeting Russian government entities. This malware leverages cloud resources like Microsoft Graph, Yandex Cloud, and Dropbox as command-and-control (C2) servers, accessing them through APIs using authentication tokens. It also utilizes GitHub as its initial C2 server. CloudSorcerer employs inter-process communication through Windows pipes and adapts its behavior based on the running process, showcasing its advanced nature. While reminiscent of the CloudWizard APT, the code differs significantly, suggesting CloudSorcerer is likely a new actor inspired by similar techniques.
Date
Published: July 8, 2024, 7:18 p.m.
Created: July 8, 2024, 7:18 p.m.
Modified: July 8, 2024, 7:55 p.m.
Indicators
e4b2d8890f0e7259ee29c7ac98a3e9a5ae71327aaac658f84072770cf8ef02de
Attack Patterns
CloudSorcerer
T1567
T1057
T1083
T1047
T1543
T1140
T1112
T1059
Additional Information
Government
Russian Federation