July 8, 2024 at 11:48AM
Kaspersky has reported a new advanced persistent threat (APT) actor, named CloudSorcerer, targeting Russian government entities for cyberespionage. The actor uses public cloud services for its command-and-control (C&C) infrastructure and exfiltrates data through Dropbox, Microsoft Graph, and Yandex Cloud. Because this technique differs from that of the CloudWizard APT, Kaspersky believes CloudSorcerer is a new actor.
The CloudSorcerer malware can function as a backdoor, initiate C&C communication, or attempt to inject shellcode into various processes on compromised machines. It can collect various information about victim computers and execute commands, tamper with files, and perform other malicious activities based on received commands.
The C&C communication module communicates with public cloud services to receive encoded commands, decode them, and send them to the backdoor module via a named pipe. Kaspersky researchers believe that CloudSorcerer is a new actor that has adopted the technique of interacting with public cloud services, and its activity appears distinct from previous threat actors like CloudWizard.
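As an added illustration, not code from Kaspersky's report or from the page, the following Python hunting script flags processes outside a known baseline that reach the cloud services named above, rating a single process that touches several of them higher. The API hostnames, the baseline process list, the log format and the sample log lines are all assumptions constructed for the demo.

```python
import re
from collections import defaultdict

# Assumed API hostnames for the services named in the report (not taken from the page).
CLOUD_SERVICES = {
    "api.dropboxapi.com": "Dropbox",
    "graph.microsoft.com": "Microsoft Graph",
    "cloud-api.yandex.net": "Yandex Cloud",
}
# Assumed baseline of processes expected to reach those APIs; anything else gets flagged.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "Dropbox.exe", "OneDrive.exe"}
# Assumed log format: "<timestamp> <host> <process> <destination-host>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dst>\S+)$")

def parse_proxy_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def find_cloud_c2_candidates(events):
    """Group cloud-API requests from non-baseline processes by (host, process) and rate them."""
    seen = defaultdict(lambda: {"services": set(), "requests": 0})
    for e in events:
        service = CLOUD_SERVICES.get(e["dst"].lower())
        if service is None or e["proc"] in EXPECTED_CLIENTS:
            continue
        seen[(e["host"], e["proc"])]["services"].add(service)
        seen[(e["host"], e["proc"])]["requests"] += 1
    findings = []
    for (host, proc), info in sorted(seen.items()):
        # One unexpected process using several cloud services matches the multi-service pattern described.
        severity = "high" if len(info["services"]) > 1 else "medium"
        findings.append({"host": host, "process": proc, "services": sorted(info["services"]),
                         "requests": info["requests"], "severity": severity})
    return findings

# Constructed sample log for the demo; not real telemetry.
SAMPLE_LOG = """\
2024-07-08T10:00:01Z ws-17 chrome.exe graph.microsoft.com
2024-07-08T10:00:05Z ws-17 Dropbox.exe api.dropboxapi.com
2024-07-08T10:01:10Z ws-23 mspaint.exe api.dropboxapi.com
2024-07-08T10:03:11Z ws-23 mspaint.exe graph.microsoft.com
2024-07-08T10:05:12Z ws-23 mspaint.exe cloud-api.yandex.net
2024-07-08T10:06:00Z ws-41 updater.exe api.dropboxapi.com
malformed line
"""
```

Run `find_cloud_c2_candidates(parse_proxy_log(SAMPLE_LOG))` to get the two flagged (host, process) pairs. A process-name baseline cannot see a backdoor that has injected into an allowlisted client, so pair this with per-process request-volume and timing baselines rather than relying on names alone.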
The report underlines the sophistication of CloudSorcerer's cyberespionage campaign and the importance of robust security measures within the Russian government entities being targeted.