
Kaspersky Flags Cyberespionage APT ‘CloudSorcerer’ Targeting Russian Government

Kaspersky said the CloudSorcerer APT has been abusing public cloud services to exfiltrate data from Russian government entities.

A new advanced persistent threat (APT) actor has been observed targeting Russian government entities for cyberespionage, according to a new report from Russian security vendor Kaspersky.

Kaspersky said the threat actor, dubbed CloudSorcerer, has exfiltrated data using Dropbox, Microsoft Graph, and Yandex Cloud, while also relying on public cloud services for command-and-control (C&C) infrastructure.

According to the company’s documentation, the APT executes the CloudSorcerer malware manually on compromised machines. Depending on the process it is running in, the malware can function as a backdoor, initiate the C&C communication module, or attempt to inject shellcode into explorer.exe, msiexec.exe, or mspaint.exe.

The backdoor module collects various types of information about the victim computer, including machine name, user name, Windows information, and system uptime. The data is stored in a specially created structure and written to a named pipe connected to the communication module.

“It is important to note that all data exchange is organized using well-defined structures with different purposes, such as backdoor command structures and information gathering structures,” Kaspersky said.

Based on commands received through the same named pipe, the malware can collect additional information, execute shell commands, tamper with files, and inject shellcode into processes.

Additional functionality is available upon receiving a specific command ID, such as creating processes, clearing the DNS cache, tampering with Windows tasks, services, and registry keys, creating or deleting users, disconnecting network resources, tampering with files, and collecting network information.

The C&C communication module was seen making an initial connection either to a GitHub page containing forks of three public projects or to the Russian cloud-based photo hosting service my.mail[.]ru. Both pages contain the same encoded string.


According to Kaspersky, the C&C module “interacts with the cloud services by reading data, receiving encoded commands, decoding them using the character code table, and sending them via the named pipe to the backdoor module”.
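As an added illustration (not code from Kaspersky’s report or from SecurityWeek), the following Python correlates constructed Sysmon-style events to flag the pattern described above from a defender’s side: a process that both creates a remote thread in explorer.exe, msiexec.exe, or mspaint.exe and opens a named pipe. The event IDs, field names, paths, and sample events are assumptions constructed for the example.

```python
from collections import defaultdict

# Processes the report names as shellcode-injection targets.
INJECTION_TARGETS = {"explorer.exe", "msiexec.exe", "mspaint.exe"}
# Sources that legitimately create remote threads (assumed allowlist, extend per environment).
ALLOWED_SOURCES = {"csrss.exe"}

# Constructed sample events, not real telemetry. Fields mirror Sysmon
# EventID 8 (CreateRemoteThread) and EventIDs 17/18 (PipeCreated/PipeConnected).
SAMPLE_EVENTS = [
    {"id": 17, "pid": 4120, "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "pipe": r"\pipe\syncpipe"},
    {"id": 8, "pid": 4120, "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "target": r"C:\Windows\explorer.exe"},
    {"id": 8, "pid": 900, "image": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\explorer.exe"},
    {"id": 18, "pid": 4120, "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "pipe": r"\pipe\syncpipe"},
    {"id": 17, "pid": 2222, "image": r"C:\Program Files\Tool\tool.exe",
     "pipe": r"\pipe\toolipc"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious(events):
    """Map pid -> sorted pipe names for processes that injected into a target
    process AND used a named pipe; either signal alone is not enough."""
    injectors = set()
    pipe_users = defaultdict(set)
    for e in events:
        if e["id"] == 8:
            if (basename(e["target"]) in INJECTION_TARGETS
                    and basename(e["image"]) not in ALLOWED_SOURCES):
                injectors.add(e["pid"])
        elif e["id"] in (17, 18):
            pipe_users[e["pid"]].add(e["pipe"])
    return {pid: sorted(pipe_users[pid]) for pid in injectors if pid in pipe_users}


if __name__ == "__main__":
    for pid, pipes in find_suspicious(SAMPLE_EVENTS).items():
        print(f"pid {pid}: remote thread into injection target + pipes {pipes}")
```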

The use of public cloud infrastructure for C&C was the modus operandi of the CloudWizard APT, a threat actor detailed last year, but CloudSorcerer’s activity appears distinct, Kaspersky says.

“The likelihood of attributing CloudSorcerer to the same actor is low, as the code and overall functionality of the malware are different. We therefore assume at this point that CloudSorcerer is a new actor that has adopted the technique of interacting with public cloud services,” Kaspersky researchers added.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
