EastWind campaign: new CloudSorcerer attacks on government organizations in Russia

Aug. 14, 2024, 3:45 p.m.

Description

Kaspersky detected an ongoing targeted cyberattack campaign, dubbed EastWind, targeting Russian government organizations and IT companies. The attackers employed phishing emails with malicious shortcuts to deliver malware that communicated via Dropbox. They utilized tools associated with APT31 and deployed an updated version of the CloudSorcerer backdoor, which now uses LiveJournal and Quora profiles as initial C2 servers. Additionally, a new implant called PlugY, bearing resemblance to the DRBControl backdoor linked to APT27, was employed.

External References

https://securelist.com/eastwind-apt-campaign/113345/
https://otx.alienvault.com/pulse/66bcce0ea0d551ab5c02d0ba
Tags
rat
phishing
spyware
dll sideloading
cloudsorcerer
2024-08-14
plugy
grewapacha

Date

  • Created: Aug. 14, 2024, 3:32 p.m.
  • Published: Aug. 14, 2024, 3:32 p.m.
  • Modified: Aug. 14, 2024, 3:45 p.m.

Indicators

  • e2f87428a855ebc0cda614c6b97e5e0d65d9ddcd3708fd869c073943ecdde1c0
  • bd747692ab5db013cd4c4cb8ea9cafa7577c95bf41aa2629a7fea875f6dcbc41
  • 668f61df2958f30c6a0f1356463e14069b3435fb4e8417a948b6738f5f340dd9
  • 5071022aaa19d243c9d659e78ff149fe0398cf7d9319fd33f718d8e46658e41c
  • 0aa627736df73c543c26c3f033f1962282dd005e6a0ec8d9357df3511b2fc8a6
Download all indicators here!

Attack Patterns

  • PlugY
  • CloudSorcerer
  • GrewApacha
  • T1022
  • T1018
  • T1012
  • T1105
  • T1036
  • T1027
  • T1053
  • T1056
  • T1195
  • T1003
  • T1059

Additional Informations

  • Russian Federation