A new cyber-espionage actor is targeting government organizations in the Russian Federation with a sophisticated piece of malware that can adapt its behavior based on its execution environment.

The advanced persistent threat (APT) group, which researchers at Kaspersky are tracking as “CloudSorcerer,” has an operational style akin to that of “CloudWizard,” another APT that the security vendor spotted last year, also targeting Russian entities.

Hiding in the Cloud

Like CloudWizard, the new threat group heavily leverages public cloud services for command and control (C2) and other purposes. It also appears to be going after the same targets. But CloudSorcerer’s eponymously named malware is entirely different from that of CloudWizard, making it more than likely that the former is a new cyber-espionage actor that’s merely using the same tactics as the latter, Kaspersky said in a report this week.

“While there are similarities in modus operandi to the previously reported CloudWizard APT, the significant differences in code and functionality suggest that CloudSorcerer is likely a new actor, possibly inspired by previous techniques but developing its own unique tools,” Kaspersky said.

CloudSorcerer’s primary malware tool can perform multiple functions that include covert monitoring and data collection on compromised systems, and data exfiltration using legitimate cloud services such as Microsoft Graph API, Dropbox and Yandex cloud. CloudSorcerer also uses cloud services to host its command-and-control servers, which the malware then accesses through application programming interfaces (APIs).

CloudSorcerer: A Sneaky Malware

The threat actors have been distributing CloudSorcerer as a single executable file that can nonetheless operate as two separate modules, a data collection module and a communication module, depending on the execution context. The goal in distributing the malware in this fashion is to make it both easier to deploy and to hide.

“The malware is executed manually by the attacker on an already infected machine,” according to Kaspersky. “It is initially a single Portable Executable (PE) binary written in C.” 

Its functionality varies depending on the process in which it is executed. Upon execution, the malware calls the GetModuleFileNameA function to check which process it is running in. If the process happens to be mspaint.exe, the malware functions as a back door and performs a variety of malicious functions including code execution and data collection.

The data that CloudSorcerer collects includes computer name, username, Windows version information and system uptime. The malware then sends the data to the C2 server. Depending on the response from the C2 server, the backdoor then executes one of multiple commands including those that instruct it to collect information from hard drives on the system; collect data from files and folders; execute shell commands; and to create and write data to any file on the compromised system.

The malware’s backdoor functionality also includes the ability to create processes for running malicious binaries, creating processes as a dedicated user, getting and stopping tasks, creating and changing services, deleting values from Windows registries, and modifying registry keys. When CloudSorcerer first executes, it communicates with an initial C2 server on GitHub, which is basically a webpage that contains instructions on the next sequence of steps the malware needs to take, Kaspersky said.

Paying Attention to Outbound Traffic

The practice by attackers of leveraging public cloud services to host C2 infrastructure, and to distribute malware and other components of an attack chain, is not new. Services like Microsoft Graph API and GitHub in particular have become popular among threat actors looking to sneak malware and malicious activity past enterprise defense mechanisms. Even so, the growing sophistication of attacks leveraging such services presents a challenge for organizations.

“The CloudSorcerer malware represents a sophisticated toolset targeting Russian government entities,” Kaspersky noted. “Its use of cloud services such as Microsoft Graph, Yandex Cloud, and Dropbox for C2 infrastructure, along with GitHub for initial C2 communications, demonstrates a well-planned approach to cyber espionage.” Adding to the challenge is CloudSorcerer’s ability to dynamically adapt its behavior based on process context, Kaspersky noted.

Erich Kron, security awareness advocate at KnowBe4, said the new campaign shows why organizations cannot stop with monitoring only what’s coming into the network.

“While the initial C2 communication starting with GitHub is not unusual, it is a lesson in the importance of limiting outbound traffic from networks,” as well, he said in an emailed comment. “If most of the people within an organization have no need to access a commonly used website for command-and-control traffic such as this, it makes sense to block this traffic.”
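The outbound-traffic point above can be turned into a detection rule. This is an added example, not part of the original article or Kaspersky's report: it flags connections to the cloud services the article names when they come from a process with no business reason to reach them. The hostnames, the per-service allowlist and the pipe-delimited log format are assumptions for illustration, and the sample lines are constructed.

```python
# Hostname suffixes standing in for the services the article names.
# These hostnames are assumptions for illustration; match them to your proxy/DNS logs.
CLOUD_SUFFIXES = {
    "github.com": "GitHub",
    "graph.microsoft.com": "Microsoft Graph",
    "dropboxapi.com": "Dropbox",
    "yandex.net": "Yandex Cloud",
}

# Hypothetical allowlist: processes expected to reach each service in this environment.
ALLOWED = {
    "GitHub": {"chrome.exe", "msedge.exe", "git.exe"},
    "Microsoft Graph": {"outlook.exe", "teams.exe", "msedge.exe"},
    "Dropbox": {"dropbox.exe"},
    "Yandex Cloud": set(),  # no sanctioned use, so every connection is flagged
}

def service_for(dest):
    """Map a destination hostname to a watched service, or None."""
    dest = dest.lower().rstrip(".")
    for suffix, name in CLOUD_SUFFIXES.items():
        # Match on a label boundary so "notgithub.com" does not count as GitHub.
        if dest == suffix or dest.endswith("." + suffix):
            return name
    return None

def find_suspicious(lines):
    """Return (host, process, service) for connections outside the allowlist."""
    hits = []
    for line in lines:
        host, image, dest = (field.strip() for field in line.split("|"))
        service = service_for(dest)
        if service is None:
            continue
        proc = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if proc not in ALLOWED[service]:
            hits.append((host, proc, service))
    return hits

# Constructed sample events: "<host>|<process image path>|<destination hostname>"
SAMPLE = [
    r"WS-014|C:\Windows\System32\mspaint.exe|api.github.com",
    r"WS-014|C:\Program Files\Google\Chrome\Application\chrome.exe|github.com",
    r"WS-022|C:\Windows\System32\mspaint.exe|graph.microsoft.com",
    r"WS-031|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|graph.microsoft.com",
    r"WS-031|C:\Windows\System32\svchost.exe|ctldl.windowsupdate.com",
    r"WS-040|C:\Users\a\AppData\Local\Temp\upd.exe|cloud-api.yandex.net",
    r"WS-041|C:\Tools\x.exe|notgithub.com",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE):
        print(hit)
```

Keying the rule on the process as well as the destination matters here because the destinations themselves are legitimate services that a domain blocklist alone would have to allow for some users.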

Source: www.darkreading.com