EastWind campaign: new CloudSorcerer attacks on government organizations in Russia
Aug. 14, 2024, 3:45 p.m.
Description
Kaspersky detected an ongoing targeted cyberattack campaign, dubbed EastWind, targeting Russian government organizations and IT companies. The attackers employed phishing emails with malicious shortcuts to deliver malware that communicated via Dropbox. They utilized tools associated with APT31 and deployed an updated version of the CloudSorcerer backdoor, which now uses LiveJournal and Quora profiles as initial C2 servers. Additionally, a new implant called PlugY, bearing resemblance to the DRBControl backdoor linked to APT27, was employed.
Date
Published: Aug. 14, 2024, 3:32 p.m.
Created: Aug. 14, 2024, 3:32 p.m.
Modified: Aug. 14, 2024, 3:45 p.m.
Indicators
Attack Patterns
PlugY
CloudSorcerer
GrewApacha
T1022
T1018
T1012
T1105
T1036
T1027
T1053
T1056
T1195
T1003
T1059
Additional Information
Russian Federation