EastWind campaign deploys CloudSorcerer and the tools of two APT groups

EastWind was a July 2024 campaign targeting Russian government and IT firms, delivered via phishing emails with malicious shortcut files that install malware communicating through Dropbox. The operation deployed GrewApacha, an updated CloudSorcerer backdoor, and a new PlugY implant, with collaboration between APT27 and APT31 and use of multiple C2 channels and loading techniques. #EastWind #GrewApacha #CloudSorcerer #PlugY #APT27 #APT31 #Dropbox #GitHub #Quora #LiveJournal

Keypoints

  • EastWind targeted dozens of Russian state organizations and IT companies in mid-2024.
  • Initial access came from phishing emails carrying RAR archives; each archive held a malicious shortcut file disguised as a document, and opening it kicked off the infection chain.
  • The malware communicated with C2 servers via Dropbox and used cloud storage for command and control.
  • Core implants were the GrewApacha RAT, an updated build of the CloudSorcerer backdoor, and a previously unseen implant, PlugY.
  • PlugY shares code and architecture with the DRBControl/PlugX family and supports three C2 transports: TCP, UDP, and named pipes.
  • Collaboration between APT27 and APT31 was observed in this campaign, with tool sharing and joint usage.

MITRE Techniques

  • [T1566] Phishing – “phishing emails with malicious shortcut files to install malware” used to gain initial access.
  • [T1102.002] Web Service: Bidirectional Communication – “Malware communicated with command and control servers using Dropbox.”
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – “DLL sideloading technique was used to execute malicious payloads.”
  • [T1219] Remote Access Software – “Use of RATs like GrewApacha to gather information and install additional malware.”
  • [T1003] Credential Dumping – “Malware attempted to collect credentials from infected systems.”
  • [T1059.003] Command and Scripting Interpreter – “shell command used to orchestrate file moves and launch dropped payloads.”
  • [T1113] Screen Capture – “takes screenshots of the screen” to observe user activity.
  • [T1056.001] Input Capture (Keylogging) – “logging keystrokes” to monitor user input.
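The cloud-storage C2 and the CloudSorcerer domain above are the network-side artifacts a hunter can pivot on: Dropbox API traffic is normal from the Dropbox client, abnormal from a loader dropped under ProgramData. The script below is an added example, not code from the Securelist report or from the campaign; it runs a two-rule hunt over constructed proxy log lines. The log format, process names and allowlist are invented for illustration, and the Dropbox API host pattern (`*.dropboxapi.com`) is an assumption about what a real export would show.

```python
"""Hunt for Dropbox-API traffic from processes that are not the Dropbox client,
plus any contact with the CloudSorcerer C2 domain from the IOC list.

Added example, not from the Securelist report. The log format, the process
names and the allowlist are constructed; the API host pattern is an assumption.
"""
import re
from pathlib import PureWindowsPath

IOC_DOMAINS = {"update.studiokaspersky.com"}             # from the IOC list on this page
DROPBOX_API = re.compile(r"(^|\.)dropboxapi\.com$", re.I)  # Dropbox API hosts (assumption)
ALLOWED_PROCESSES = {"dropbox.exe", "dropboxupdate.exe"}  # constructed allowlist

# Constructed proxy export: timestamp|destination host|process image|user.
SAMPLE_LOG = r"""
2024-07-12T09:14:02Z|api.dropboxapi.com|C:\Program Files (x86)\Dropbox\Client\Dropbox.exe|alice
2024-07-12T09:15:31Z|content.dropboxapi.com|C:\ProgramData\Microsoft\DRM\WinDRMs.exe|alice
2024-07-12T09:15:40Z|api.dropboxapi.com|C:\Users\alice\Downloads\desktop.exe|alice
2024-07-12T09:16:05Z|update.studiokaspersky.com|C:\Users\alice\Downloads\desktop.exe|alice
2024-07-12T09:17:12Z|www.dropbox.com|C:\Program Files\Mozilla Firefox\firefox.exe|alice
"""


def parse(line):
    """Split one constructed log line into a dict; image is the lowercase basename."""
    ts, host, proc, user = line.split("|", 3)
    return {
        "ts": ts,
        "host": host.lower(),
        "proc": proc,
        "image": PureWindowsPath(proc).name.lower(),
        "user": user,
    }


def hunt(lines):
    """Return (rule, image, host) for every line that matches a hunting rule."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse(raw)
        if ev["host"] in IOC_DOMAINS:
            # Known C2 domain: flag regardless of which process made the request.
            hits.append(("ioc_domain", ev["image"], ev["host"]))
        elif DROPBOX_API.search(ev["host"]) and ev["image"] not in ALLOWED_PROCESSES:
            # Dropbox API endpoint reached by something other than the Dropbox client.
            hits.append(("cloud_c2", ev["image"], ev["host"]))
    return hits


def demo():
    """Run the hunt over the constructed sample log."""
    return hunt(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for rule, image, host in demo():
        print(f"{rule:10} {image:14} -> {host}")
```

The browser line is deliberately left unflagged: users reach `www.dropbox.com` through the web UI all day, so the rule keys on the API hostnames that a token-driven loader uses, not on the Dropbox brand. On a real estate, swap the allowlist for the images you actually see talking to the API and expect to tune it.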

Indicators of Compromise

  • [Domain] update.studiokaspersky[.]com – C2 server used by the CloudSorcerer-related implants.
  • [MD5] 1f5c0e926e548de43e0039858de533fc, d0f7745c80baf342cd218cf4f592ea00 – MD5 hashes of dropped DLL/payload components.
  • [SHA1] 426bbf43f783292743c9965a7631329d77a51b61, fccdc059f92f3e08325208f91d4e6c08ae646a78 – SHA-1 hashes for key payloads.
  • [SHA256] 668f61df2958f30c6a0f1356463e14069b3435fb4e8417a948b6738f5f340dd9, e2f87428a855ebc0cda614c6b97e5e0d65d9ddcd3708fd869c073943ecdde1c0 – SHA-256 hashes for backdoor components.
  • [File Name] desktop.exe, VERSION.dll – DLL sideloading pair dropped by the phishing shortcut chain: desktop.exe loads the malicious VERSION.dll placed beside it.
  • [File Name] WinDRMs.exe (renamed from dbgsrv.exe), dbgeng.dll, and an .ini payload – auxiliary backdoor/loader set for PlugY deployment.
  • [Directory] C:\ProgramData\Microsoft\DRM – drop and persistence location for the PlugY loader set.
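The host-side IOCs above come in three shapes: a directory, two launcher-plus-DLL pairs, and file hashes. A sweep that checks each shape separately catches a renamed drop even when the hash has changed. The script below is an added example, not code from the Securelist report or from the campaign; the hash values are copied from the list above, while the directory layout, the placeholder file contents and the extra SHA-256 added in `demo()` are constructed so the sweep can run offline.

```python
"""Host-side sweep for the EastWind file artifacts listed above.

Added example, not code from the Securelist report or from the campaign.
Hash values are copied from the IOC list; the sample tree, its placeholder
bytes and the extra hash used in demo() are constructed for the dry run.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Copied from the IOC list above.
IOC_HASHES = {
    "md5": {"1f5c0e926e548de43e0039858de533fc",
            "d0f7745c80baf342cd218cf4f592ea00"},
    "sha1": {"426bbf43f783292743c9965a7631329d77a51b61",
             "fccdc059f92f3e08325208f91d4e6c08ae646a78"},
    "sha256": {"668f61df2958f30c6a0f1356463e14069b3435fb4e8417a948b6738f5f340dd9",
               "e2f87428a855ebc0cda614c6b97e5e0d65d9ddcd3708fd869c073943ecdde1c0"},
}
# Launcher + DLL pairs from the two sideloading chains; a hit needs both in one directory.
SIDELOAD_PAIRS = [("desktop.exe", "version.dll"), ("windrms.exe", "dbgeng.dll")]
# C:\ProgramData\Microsoft\DRM, expressed relative to the scanned root.
IOC_DIR_PARTS = ("programdata", "microsoft", "drm")
HASH_EXTENSIONS = {".exe", ".dll", ".ini"}  # the file types the IOC list names


def file_hashes(path):
    """MD5, SHA-1 and SHA-256 of one file, read in 1 MiB chunks."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def sweep(root, hashes=IOC_HASHES):
    """Walk `root` and return (kind, path, detail) findings for the three IOC shapes."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        lower = {name.lower() for name in filenames}
        rel_parts = tuple(p.lower() for p in d.relative_to(root).parts)
        if rel_parts == IOC_DIR_PARTS and filenames:
            findings.append(("ioc_dir", str(d), ",".join(sorted(filenames))))
        for exe, dll in SIDELOAD_PAIRS:
            if exe in lower and dll in lower:
                findings.append(("sideload_pair", str(d), f"{exe}+{dll}"))
        for name in filenames:
            if Path(name).suffix.lower() not in HASH_EXTENSIONS:
                continue
            try:
                computed = file_hashes(d / name)
            except OSError:
                continue  # locked or unreadable file; keep walking
            for algo, value in computed.items():
                if value in hashes[algo]:
                    findings.append(("hash_match", str(d / name), f"{algo}:{value}"))
    return findings


def build_sample_tree(root):
    """Constructed layout for a dry run: placeholder bytes, not real malware."""
    drm = Path(root) / "ProgramData" / "Microsoft" / "DRM"
    drm.mkdir(parents=True)
    (drm / "WinDRMs.exe").write_bytes(b"placeholder launcher")
    (drm / "dbgeng.dll").write_bytes(b"placeholder dll")
    (drm / "placeholder.ini").write_bytes(b"placeholder payload")  # real .ini name not given above
    downloads = Path(root) / "Users" / "alice" / "Downloads"
    downloads.mkdir(parents=True)
    (downloads / "desktop.exe").write_bytes(b"placeholder launcher")
    (downloads / "VERSION.dll").write_bytes(b"placeholder dll")
    system32 = Path(root) / "Windows" / "System32"
    system32.mkdir(parents=True)
    (system32 / "dbgeng.dll").write_bytes(b"legitimate copy, no launcher beside it")


def demo():
    """Run the sweep over the constructed tree and return its findings."""
    hashes = {algo: set(values) for algo, values in IOC_HASHES.items()}
    # Add the SHA-256 of one placeholder so the hash path is exercised offline.
    hashes["sha256"].add(hashlib.sha256(b"placeholder dll").hexdigest())
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep(tmp, hashes)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:14} {path}  [{detail}]")
```

On a live host run `sweep(r"C:\")` as an administrator; the pair check is cheap and is what survives a rebuild of the implant, whereas the hash check is only as good as the sample set and is restricted to the three extensions so the walk stays tractable. The lone `dbgeng.dll` under System32 is not reported, which is the point: the DLL name alone is not an indicator, the launcher sitting next to it is.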

Read more: https://securelist.ru/eastwind-apt-campaign/110020/