Security researchers discovered a new sophisticated cyberespionage tool targeting Russian government entities in May 2024. The tool, dubbed CloudSorcerer, exploits popular cloud infrastructure services such as Microsoft Graph, Yandex Cloud and Dropbox for use as command and control (C2) servers for stealth monitoring, data collection and exfiltration operations.

Technical Details of CloudSorcerer Campaign

Researchers from Kaspersky believe that a new APT group is behind the CloudSorcerer malware. The malware is a single Portable Executable (PE) binary written in the C language and adjusts Its functionality depending on the process from which it is executed. Upon execution, the malware calls the GetModuleFileNameA function to determine the name of the process from which it has been run and then compares these process names to a set of hardcoded strings indicating browser, mspaint.exe, and msiexec.exe identifiers. The malware activates different functions depending upon the identified process name:

• In mspaint.exe: Acts as a backdoor within the program to collect data and execute code.
• In msiexec.exe: Initiates C2 communication.
• In browser or other detected processes: Injects shellcode into targeted processes before terminating.

The malware's backdoor module begins by collecting system information about the victim machine, while running in a separate thread. This information includes computer name, user name, Windows subversion information, and system uptime. All the collected data is stored in a specially created structure. Once the information gathering is complete, the data is written to the named pipe \.\PIPE[1428] connected to the C2 module process. It then executes various commands based on received instructions, such as gathering drive information, collecting file and folder data, executing shell commands, manipulating files, injecting shellcode into processes, running advanced tasks like creating processes, modifying registry keys and managing network users. These commands are specified under a unique COMMAND_ID for each operation within the malware program: [caption id="attachment_80799" align="alignnone" width="863"] Source: securelist.com (Kaspersky)[/caption]

0x1 – Collect information about hard drives in the system, including logical drive names, capacity, and free space. 0x2 – Collect information about files and folders, such as name, size, and type. 0x3 – Execute shell commands using the ShellExecuteExW API. 0x4 – Copy, move, rename, or delete files. 0x5 – Read data from any file. 0x6 – Create and write data to any file. 0x8 – Receive a shellcode from the pipe and inject it into any process by allocating memory and creating a new thread in a remote process. 0x9 – Receive a PE file, create a section and map it into the remote process. 0x7 – Run additional advanced functionality.

The researchers also observed the use of Github pages as C2 servers, stealthily hidden as hex code within the author section of the profile. These profiles contained forks of public legitimate code repositories without any modification or changes to appear legitimate. The same hex string was also observed hidden within the names of public photo albums hosted on the Russian album-sharing service, https://my.mail[.]ru. Associated profiles on both services contained a photo of a male from a public photo bank. [caption id="attachment_80806" align="aligncenter" width="253"] Source: securelist.com (Kaspersky)[/caption] The malware picks up hex strings from these sources, breaking them into segments that represent different instructions. The first segment of the decoded hex string indicates the cloud service intended for malware usage. Example, a byte value of “1” represents Microsoft Graph cloud, byte “0” represents Yandex cloud. The segments that follow form a string used to authenticate various different cloud APIs, as well as a subset of functions for specific interactions with the selected cloud services.

Similarity to CloudWizard APT Campaign

While there researchers noted similarities in the campaign's modus operandi and tactics to the previously known CloudWizard APT group, they state that the significant differences in code and functionality in the malware used by both groups suggest that CloudSorcerer is likely from the work of a newer APT developing its own unique tools. The CloudSorcerer campaign represents the use of sophisticated operations against Russian government entities. Its use of popular cloud services such as Microsoft Graph, Yandex Cloud, and Dropbox for C2 infrastructure, along with GitHub and MyMail photo albums for initial C2 communications, demonstrates a well-organized approach to espionage. The malware’s ability to dynamically adapt its behavior depending upon the infected process along with its complex use of Windows pipes, further highlights its intricacy. The researchers have shared a list of indicators of compromise (IOCs) to help protect against deployment of the CloudSorcerer malware.