An advanced persistent threat (APT) group, newly identified as CloudSorcerer, has been targeting Russian government entities by utilizing cloud services for command-and-control (C2) and data exfiltration operations.
Cybersecurity firm Kaspersky, which uncovered the activity in May 2024, noted that while the tactics of CloudSorcerer resemble those of the CloudWizard group, there are notable differences in the malware’s source code. The attacks involve a sophisticated data-gathering program and employ various evasion techniques to avoid detection.
“This is a sophisticated cyber espionage tool used for stealth monitoring, data collection, and exfiltration via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure,” said Kaspersky.
The malware leverages cloud resources for its C2 servers, accessing them through APIs with authentication tokens. Additionally, CloudSorcerer uses GitHub as its initial C2 server.
Although the exact infiltration method remains unknown, initial access is used to deploy a C-based portable executable binary that functions as a backdoor, initiates C2 communications, or injects shellcode into legitimate processes such as mspaint.exe, msiexec.exe, or processes containing the string “browser”.
“The malware’s ability to dynamically adapt its behavior based on the process it is running in, coupled with its use of complex inter-process communication through Windows pipes, further highlights its sophistication,” Kaspersky noted.
The backdoor component is designed to gather information about the victim’s machine, retrieve instructions to enumerate files and folders, execute shell commands, perform file operations, and run additional payloads.
The C2 module connects to a GitHub page acting as a dead drop resolver to fetch an encoded hex string pointing to the actual server hosted on Microsoft Graph or Yandex Cloud.
“Alternatively, instead of connecting to GitHub, CloudSorcerer also tries to obtain the same data from hxxps://my.mail[.]ru/, a Russian cloud-based photo hosting server,” Kaspersky said. “The name of the photo album contains the same hex string.”
“CloudSorcerer represents a sophisticated toolset targeting Russian government entities. Its use of cloud services such as Microsoft Graph, Yandex Cloud, and Dropbox for C2 infrastructure, along with GitHub for initial C2 communications, demonstrates a well-planned approach to cyber espionage,” Kaspersky concluded.