A newly identified advanced persistent threat (ATP), dubbed CloudSorcerer, has been discovered targeting Russian government entities. This sophisticated espionage malware exhibits stealth monitoring, data collection, and exfiltration, utilising popular cloud services like Microsoft Graph, Yandex Cloud, and Dropbox as its command and control (C2) infrastructure.
Despite the technique’s resemblance to the previously reported CloudWizard APT, the distinct code observed by researchers suggests it is likely a new actor inspired by earlier methods by developing unique tools.
CloudSorcerer’s operation involves leveraging cloud resources as C2 servers, accessed through APIs using auth tokens. The malware initiates communication with these servers via GitHub, using it as its initial C2 server before migrating to other cloud services.
The attack begins with manually executing a single Portable Executable (PE) binary written in C on an already compromised machine. The malware adapts its functionality based on the process it inhabits:
- mspaint.exe: Functions as a backdoor, collecting data and executing code.
- msiexec.exe: Initiates C2 communication.
- Other processes: Attempt to inject shellcode into processes like msiexec.exe, mspaint.exe, or explorer.exe before terminating the original process.
“All the collected data is stored in a specially created structure. Once the information gathering is complete, the data is written to the named pipe \\.\PIPE\[1428] connected to the C2 module process. It is important to note that all data exchange is organised using well-defined structures with different purposes, such as backdoor command structures and information gathering structures,” said researchers.
The shellcode used by CloudSocerer involves:
- Parsing the Process Environment Block (PEB) to locate necessary Windows core DLLs.
- Identifying required Window APIs using the ROR14 hashing algorithm.
- Mapping the CloudSocerer code into the memory of the targeted process and running it in a separate thread.
Researchers discovered that the malware employs Windows pipes for inter-process communication, allowing data transfer between its modules. They also discovered that the backdoor module collects comprehensive system information, including the computer name, user name, Windows version, and system uptime.
Furthermore, the malware executes commands based on the received COMMAND_ID, which includes actions like data collection, file manipulation, and shellcode injection.
The C2 module starts by creating a Windows pipe named \.\PIPE[1428], which connects to the initial C2 server hosted on GitHub, passing the HTML page for a specific hex string marked by the ‘CODY’ pattern. The C2 server decodes this string using a hardcoded charcode substitution table, determining the cloud service to use based on the first byte.
After this, the server authenticates and interacts with the selected cloud series using bearer tokens and specific API paths.
Researchers found that the malware infrastructure includes a GitHub page for initial C2 communications with repositories forked to make the page appear legitimate. Mail.ru Photo Hosting is an alternative data source, hosting encoded strings for C2 communication.
The discovery of CloudSorcerer underscores the evolving sophistication of cyberespionage tools targeting high-value entities.
In the News: 8849 unveils Tank 3S with a projector at $469.9
