
CloudSorcerer APT Group Exploits Cloud Services and GitHub for C2 Servers

Updated on July 10, 2024



A newly identified APT group, dubbed CloudSorcerer, has been abusing popular cloud services and GitHub as command-and-control (C2) infrastructure, hiding its C2 traffic among the legitimate API calls those platforms receive every day.

According to cybersecurity analysts at Kaspersky Lab, the CloudSorcerer group has been active since May 2024, primarily targeting Russian government institutions. The group uses Microsoft Graph, Yandex.Cloud, Dropbox, and GitHub as their C2 infrastructure for sophisticated cyber espionage.


The malware consists of two main modules, one for C2 communication and one for data collection, and its C2 channels are ordinary cloud-service APIs accessed with authorization tokens. It carries out its malicious activity through COM object interfaces and decodes received commands with a pre-defined charcode table.

CloudSorcerer is a C-based PE binary that adapts its behavior to the process it is executing in. When run under mspaint.exe, it acts as the backdoor, collecting data and executing code. When run under msiexec.exe, it runs the C2 communication module. When started under any other process, it instead injects shellcode into specific target processes.

The backdoor gathers system information, performs file operations, injects shellcode, maps PE files into memory, and passes the collected data to the C2 module over Windows named pipes. The C2 module bootstraps its operation from a GitHub page or a Russian cloud photo-hosting server.

What makes CloudSorcerer particularly insidious is that its C2 traffic blends in with legitimate use of these services, and it can switch between cloud providers as needed. The C2 module connects to the cloud APIs through Windows internet API functions using decoded authentication tokens, which allows asynchronous communication with the backdoor module.
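The behavior described above suggests a simple hunting rule: mspaint.exe and msiexec.exe have no business talking to cloud-storage or code-hosting APIs, so a process of either name opening a connection to Microsoft Graph, Dropbox, Yandex.Cloud or GitHub is worth a look. The Python below is an added example written for this article, not code from the page or from Kaspersky's report. The Sysmon-style event format, the sample events and the API hostnames are all assumptions: the page names only the services, not their endpoints, so the host list is a starting point for a hunt, not a set of confirmed indicators.

```python
"""Hunt for CloudSorcerer-style C2: Windows processes that should never
talk to cloud APIs doing exactly that.  Added example; log format,
hostnames and sample events are assumptions, not indicators from the page."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Processes the article names as hosts for the backdoor (mspaint.exe) and
# the C2 module (msiexec.exe). Neither normally needs cloud or GitHub APIs.
SUSPECT_IMAGES = {"mspaint.exe", "msiexec.exe"}

# Assumed API hostnames for the four services the article lists. The page
# does not name endpoints, so treat this as a hunting list to be tuned.
CLOUD_API_HOSTS: Dict[str, str] = {
    "graph.microsoft.com": "Microsoft Graph",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "cloud-api.yandex.net": "Yandex.Cloud",
    "api.github.com": "GitHub",
    "github.com": "GitHub",
    "raw.githubusercontent.com": "GitHub",
}

# Constructed sample events in the spirit of Sysmon Event ID 3 (network
# connection), flattened to key=value pairs. Not real telemetry.
SAMPLE_EVENTS = [
    r"ts=2024-07-05T10:11:12Z|image=C:\Windows\System32\mspaint.exe|pid=4120|dst=graph.microsoft.com|dport=443",
    r"ts=2024-07-05T10:11:15Z|image=C:\Windows\System32\msiexec.exe|pid=4388|dst=api.github.com|dport=443",
    r"ts=2024-07-05T10:12:01Z|image=C:\Program Files\Google\Chrome\Application\chrome.exe|pid=2200|dst=api.dropboxapi.com|dport=443",
    r"ts=2024-07-05T10:12:40Z|image=C:\Windows\System32\msiexec.exe|pid=4388|dst=download.windowsupdate.com|dport=80",
    r"ts=2024-07-05T10:13:05Z|image=C:\Windows\System32\mspaint.exe|pid=4120|dst=cloud-api.yandex.net|dport=443",
]


@dataclass(frozen=True)
class Hit:
    ts: str
    image: str
    pid: int
    host: str
    service: str


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict. Values may contain '=', so split once."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def image_basename(path: str) -> str:
    """Lower-cased file name from a Windows path, e.g. 'mspaint.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[Hit]:
    """Return a Hit when a suspect process reaches a listed cloud API host.

    Both conditions must hold: a browser calling Dropbox is normal, and
    msiexec.exe calling Windows Update is normal. If you want a noisier but
    broader rule, flag any outbound connection from mspaint.exe at all."""
    image = image_basename(event.get("image", ""))
    if image not in SUSPECT_IMAGES:
        return None
    host = event.get("dst", "").lower()
    service = CLOUD_API_HOSTS.get(host)
    if service is None:
        return None
    return Hit(ts=event["ts"], image=image, pid=int(event["pid"]),
               host=host, service=service)


def hunt(lines: List[str]) -> List[Hit]:
    """Run the rule over raw event lines and return the hits in order."""
    hits: List[Hit] = []
    for line in lines:
        hit = classify(parse_event(line))
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h.ts} {h.image} (pid {h.pid}) -> {h.host} [{h.service}]")
```

On the constructed sample, the rule flags the mspaint.exe connections to Microsoft Graph and Yandex.Cloud and the msiexec.exe connection to GitHub, while leaving the browser's Dropbox call and msiexec.exe's Windows Update call alone. In a real environment the host list needs tuning for the tenant's own Graph and Dropbox usage, and a hit should be followed by checking the process ancestry and whether the flagged process is the one that legitimately started from the Start menu or an installer.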

This campaign highlights the importance of monitoring how cloud services and code repositories are used from inside the network, not just of securing their configuration. Organizations should stay vigilant and keep their detection and response measures current to defend against advanced persistent threats of this kind.


Abdul Rehman
