CloudSorcerer hackers abuse cloud services to steal Russian govt data

July 8, 2024 at 11:17AM

CloudSorcerer, a new APT group discovered by Kaspersky, uses custom malware to steal data from Russian government organizations via cloud services. The malware’s behavior varies based on its injection point within the system, allowing it to collect data and execute commands. Kaspersky characterizes the attacks as highly sophisticated and has published indicators of compromise (IoCs) and YARA rules for detection.

The key takeaways are:

1. A new advanced persistent threat (APT) group, named CloudSorcerer, was discovered by Kaspersky security researchers in May 2024. This group abuses public cloud services to steal data from Russian government organizations in cyberespionage attacks.

2. CloudSorcerer uses custom malware that leverages legitimate cloud services for command and control (C2) operations and data storage.

3. While the modus operandi of CloudSorcerer is similar to that of CloudWizard APT, their malware is distinct, indicating a new threat actor.

4. The CloudSorcerer malware has specific behaviors depending on where it has been injected, such as “mspaint.exe” or “msiexec.exe,” and employs dynamic adaptation and covert data communication mechanisms, making the attacks highly sophisticated.

5. Kaspersky has provided indicators of compromise (IoCs) and YARA rules for detecting the CloudSorcerer malware in its report.
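A behavioural check that complements signature-based IoCs, as an added example that is not from the article or from Kaspersky's report: it flags outbound connections to cloud-service hosts made by the host processes named in point 4. The event field names follow Sysmon-style network events, and the domain suffixes and sample events are constructed placeholders (assumptions), to be replaced with your own telemetry and the services relevant to your environment.

```python
import json
from pathlib import PureWindowsPath

# Host processes named in the summary above.
WATCHED_IMAGES = {"mspaint.exe", "msiexec.exe"}

# Assumption: placeholder suffixes, not taken from the report.
CLOUD_SUFFIXES = ("cloud-storage.example", "code-hosting.example")

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\mspaint.exe", "DestinationHostname": "api.cloud-storage.example", "DestinationPort": 443}
{"Image": "C:\\WINDOWS\\SYSTEM32\\MSIEXEC.EXE", "DestinationHostname": "CODE-HOSTING.EXAMPLE.", "DestinationPort": 443}
{"Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationHostname": "api.cloud-storage.example", "DestinationPort": 443}
{"Image": "C:\\Windows\\System32\\mspaint.exe", "DestinationHostname": "notcloud-storage.example", "DestinationPort": 443}
{"Image": "C:\\Windows\\System32\\msiexec.exe", "DestinationHostname": "updates.vendor.example", "DestinationPort": 443}
this line is not JSON and must be skipped
"""


def host_matches(host, suffixes=CLOUD_SUFFIXES):
    """True if host equals a suffix or is a subdomain of it (dot boundary)."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_suspicious(lines):
    """Return (image, host, port) for watched processes reaching cloud hosts."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed log line
        if not isinstance(ev, dict):
            continue
        # Compare on the lower-cased file name so path and case tricks fail.
        image = PureWindowsPath(ev.get("Image") or "").name.lower()
        host = ev.get("DestinationHostname")
        if image in WATCHED_IMAGES and host_matches(host):
            hits.append((image, host.lower().rstrip("."), ev.get("DestinationPort")))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS.splitlines()):
        print("review:", hit)
```

msiexec.exe can legitimately fetch installer packages over the network, so hits are triage leads to correlate with the published IoCs, not verdicts.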
