EastWind campaign: new CloudSorcerer attacks on government organizations in Russia

Aug. 14, 2024, 3:45 p.m.

Description

Kaspersky detected an ongoing targeted campaign, dubbed EastWind, against Russian government organizations and IT companies. Initial access came through phishing emails carrying malicious shortcut files, which delivered malware that used Dropbox for command and control. The attackers used tools associated with APT31 and deployed an updated version of the CloudSorcerer backdoor, which now resolves its initial C2 servers from LiveJournal and Quora profiles. They also deployed a new implant, PlugY, which resembles the DRBControl backdoor linked to APT27.

Date

  • Created: Aug. 14, 2024, 3:32 p.m.
  • Published: Aug. 14, 2024, 3:32 p.m.
  • Modified: Aug. 14, 2024, 3:45 p.m.

Indicators

  • e2f87428a855ebc0cda614c6b97e5e0d65d9ddcd3708fd869c073943ecdde1c0
  • bd747692ab5db013cd4c4cb8ea9cafa7577c95bf41aa2629a7fea875f6dcbc41
  • 668f61df2958f30c6a0f1356463e14069b3435fb4e8417a948b6738f5f340dd9
  • 5071022aaa19d243c9d659e78ff149fe0398cf7d9319fd33f718d8e46658e41c
  • 0aa627736df73c543c26c3f033f1962282dd005e6a0ec8d9357df3511b2fc8a6
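The five indicators above are SHA-256 file hashes, so the practical check is a hash sweep of a host or a quarantine share. The script below is an added example, not part of the original entry or of Kaspersky's tooling: it walks a directory tree, hashes every regular file in chunks (so large files do not have to fit in memory), and reports paths whose digest is in the indicator set. Symlinks and unreadable files are skipped rather than aborting the sweep. The `make_demo_tree` helper and its sample file content are constructed for the demonstration and are not real samples; no real malware is needed to exercise the match path, because the helper's own digest is fed in as an extra indicator.

```python
"""Sweep a directory tree for files whose SHA-256 matches the EastWind indicators."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Set, Tuple

# SHA-256 indicators exactly as listed on this page.
EASTWIND_SHA256: Set[str] = {
    "e2f87428a855ebc0cda614c6b97e5e0d65d9ddcd3708fd869c073943ecdde1c0",
    "bd747692ab5db013cd4c4cb8ea9cafa7577c95bf41aa2629a7fea875f6dcbc41",
    "668f61df2958f30c6a0f1356463e14069b3435fb4e8417a948b6738f5f340dd9",
    "5071022aaa19d243c9d659e78ff149fe0398cf7d9319fd33f718d8e46658e41c",
    "0aa627736df73c543c26c3f033f1962282dd005e6a0ec8d9357df3511b2fc8a6",
}


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 in 1 MiB chunks and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, iocs: Iterable[str] = EASTWIND_SHA256) -> Dict[str, str]:
    """Return {path: digest} for every regular file under root whose SHA-256 is in iocs."""
    wanted = {h.strip().lower() for h in iocs}
    hits: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            # Skip symlinks (avoids loops and hashing files outside the tree) and non-files.
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_of_file(p)
            except OSError:
                # Permission denied, file vanished mid-sweep, etc.: log-and-continue territory.
                continue
            if digest in wanted:
                hits[str(p)] = digest
    return hits


def make_demo_tree() -> Tuple[Path, str]:
    """Create a constructed temp tree with one benign sample file; return (root, its SHA-256).

    The content is made up for the demonstration and is not malware.
    """
    root = Path(tempfile.mkdtemp(prefix="eastwind_sweep_"))
    sub = root / "Downloads"
    sub.mkdir()
    content = b"constructed sample content for the hash-sweep demo\n"
    (sub / "attachment.lnk").write_bytes(content)
    (root / "unrelated.txt").write_bytes(b"nothing to see here\n")
    return root, hashlib.sha256(content).hexdigest()


if __name__ == "__main__":
    root, demo_digest = make_demo_tree()
    # Against the page's indicators alone the constructed tree is clean.
    print("hits against page IOCs:", sweep(root))
    # Adding the constructed file's own digest shows the match path working.
    print("hits with demo digest added:", sweep(root, EASTWIND_SHA256 | {demo_digest}))
```

Point `sweep` at a mounted image or a quarantine directory rather than a live system root when possible; hashing is exact-match only, so a recompiled or re-packed sample with the same behaviour will not hit, and the technique list below is the better guide for behavioural detections.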

Attack Patterns

  • PlugY (new implant resembling the DRBControl backdoor linked to APT27)
  • CloudSorcerer (updated backdoor; initial C2 resolved from LiveJournal and Quora profiles)
  • GrewApacha (backdoor associated with APT31)
  • T1022 Data Encrypted (deprecated technique ID, folded into T1560 Archive Collected Data)
  • T1018 Remote System Discovery
  • T1012 Query Registry
  • T1105 Ingress Tool Transfer
  • T1036 Masquerading
  • T1027 Obfuscated Files or Information
  • T1053 Scheduled Task/Job
  • T1056 Input Capture
  • T1195 Supply Chain Compromise
  • T1003 OS Credential Dumping
  • T1059 Command and Scripting Interpreter

Additional Information

  • Targeted country: Russian Federation