CloudSorcerer is a newly identified APT targeting Russian government entities, leveraging cloud services (Microsoft Graph, Yandex Cloud, Dropbox) as its C2 and GitHub as an initial C2 channel. It operates as a modular backdoor that decodes commands via a hardcoded charcode table and communicates between modules using Windows pipes. #CloudSorcerer #RussianGovernment #MicrosoftGraph #YandexCloud #Dropbox #GitHub #APT
Key points
- CloudSorcerer targets Russian government entities and uses public cloud services as its main C2 infrastructure.
- The initial C2 channel is GitHub, with Mail.ru hosting as the fallback source for the cloud control data.
- The malware is modular (communication module and data collection module) but runs from a single executable and uses Windows pipes for IPC.
- Behavior depends on the name of the host process: backdoor functions run under mspaint.exe, the C2 module runs under msiexec.exe, and execution under a browser-related process triggers shellcode injection.
- Decoding workflow: decodes commands via a hardcoded charcode table after parsing a hex string from GitHub/Mail.ru content.
- Cloud interactions hinge on bearer tokens and dynamic routing to Microsoft Graph, Yandex Cloud, or Dropbox via cloud APIs.
- Extensive use of COM interfaces, shellcode migration, and a wide set of host/registry/file operations to achieve espionage objectives.
MITRE Techniques
- [T1059.009] Command and Scripting Interpreter: Cloud API – Cloud API used to execute commands via cloud services. Quote: ‘The malware uses cloud resources as its C2 servers, accessing them through APIs using authentication tokens.’
- [T1559] Inter-Process Communication – Quote: ‘All data exchange between modules is organized through Windows pipes, a mechanism for inter-process communication.’
- [T1053] Scheduled Task/Job – Quote: ‘Creates a new Windows task and sets up a trigger for execution using COM objects.’
- [T1047] Windows Management Instrumentation – Quote: ‘The actor uses Windows COM object interfaces to perform malicious operations.’
- [T1543] Create or Modify System Process – Quote: ‘Create or Modify System Process.’
- [T1140] Deobfuscate/Decode Files or Information – Quote: ‘decodes the string using a hardcoded charcode substitution table.’
- [T1112] Modify Registry – Quote: ‘Modifies any Windows registry key.’
- [T1083] File and Directory Discovery – Quote: ‘Collect information about files and folders, such as name, size, and type.’
- [T1082] System Information Discovery – Quote: ‘Computer name; User name; Windows subversion information; System uptime.’
- [T1005] Data from Local System – Quote: ‘All the collected information or results of performed tasks are added to a specially created structure and sent to the C2 module process via a named pipe.’
- [T1102] Web Service – Quote: ‘The C2 module starts by creating a new Windows pipe… Next, it configures the connection to the initial C2 server…’
- [T1568] Dynamic Resolution – Quote: ‘The first decoded byte of the hex string is a magic number that tells the malware which cloud service to use.’
- [T1567] Exfiltration Over Web Service – Quote: ‘exfiltration via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure.’
- [T1537] Transfer Data to Cloud Account – Quote: ‘exfiltration via cloud services.’
Indicators of Compromise
- [File Hash] CloudSorcerer artifacts – F701fc79578a12513c369d4e36c57224
- [Domains and IPs] CloudSorcerer C2 – https://github.com/alinaegorovaMygit, https://my.mail.ru/yandex.ru/alinaegorova2154/photo/1
- [Yara Rule] Detect CloudSorcerer –
rule apt_cloudsorcerer {
    meta:
        description = "Detects CloudSorcerer"
        author = "Kaspersky"
        hash = "F701fc79578a12513c369d4e36c57224"
    strings:
        $str1 = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
        $str2 = "c:\\windows\\system32\\mspaint.exe"
        $str3 = "C:\\Windows\\system32\\msiexec.exe"
        $str4 = "\\\\.\\PIPE"
    condition:
        uint16(0) == 0x5A4D and all of ($str*)
}
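The following is an added example, not Kaspersky's tooling and not code from the original page: a pure-Python evaluation of the rule's condition (MZ header check plus all four strings) for triage hosts where yara-python is not installed. The strings come from the rule above; the Windows backslashes in the two paths and the pipe prefix are assumed to be the path separators the rule escapes as `\\`. The sample buffers are constructed in the script and are not real malware.

```python
"""Evaluate the apt_cloudsorcerer YARA rule's condition without yara-python.

Added example for triage, not part of the original page or Kaspersky's tooling.
Strings and condition are taken from the rule; the backslashes in the Windows
paths and in the named-pipe prefix are assumed.
"""
import sys

# YARA: uint16(0) == 0x5A4D  -> file starts with the little-endian bytes "MZ"
PE_MAGIC = 0x5A4D

# Rule strings. A YARA "\\" is one literal backslash; Python bytes escape the same way.
RULE_STRINGS = {
    "$str1": b"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "$str2": b"c:\\windows\\system32\\mspaint.exe",
    "$str3": b"C:\\Windows\\system32\\msiexec.exe",
    "$str4": b"\\\\.\\PIPE",   # assumed form of the pipe prefix \\.\PIPE
}


def evaluate_rule(data: bytes) -> dict:
    """Return per-string hits and the overall verdict for one buffer."""
    is_pe = len(data) >= 2 and int.from_bytes(data[:2], "little") == PE_MAGIC
    hits = {name: (s in data) for name, s in RULE_STRINGS.items()}
    # "all of ($str*)" requires every string; the header check is AND-ed in.
    return {"pe_header": is_pe, "strings": hits, "matched": is_pe and all(hits.values())}


def scan_file(path: str) -> dict:
    """Read a file from disk and evaluate the rule against its full contents."""
    with open(path, "rb") as fh:
        return evaluate_rule(fh.read())


def build_sample(with_mz: bool, omit: str = "") -> bytes:
    """Constructed test buffer: optional MZ header, padding, then the rule strings.

    `omit` names one rule string to leave out, to exercise the negative path.
    """
    header = b"MZ" if with_mz else b"\x7fELF"
    body = b"\x00" * 64
    for name, s in RULE_STRINGS.items():
        if name != omit:
            body += s + b"\x00" * 8
    return header + b"\x90" * 62 + body


def demo() -> dict:
    """Run the rule over three constructed buffers and return the verdicts."""
    return {
        "pe_with_all_strings": evaluate_rule(build_sample(True))["matched"],
        "non_pe_with_all_strings": evaluate_rule(build_sample(False))["matched"],
        "pe_missing_pipe_string": evaluate_rule(build_sample(True, omit="$str4"))["matched"],
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python cloudsorcerer_check.py <file> [<file> ...]
        for p in sys.argv[1:]:
            print(p, evaluate_rule(open(p, "rb").read())["matched"])
    else:
        for label, verdict in demo().items():
            print(f"{label}: {verdict}")
```

The verdicts on the constructed buffers are: PE with all strings matches; the same strings without an MZ header do not (the header check is part of the condition); a PE missing `\\.\PIPE` does not (`all of` is strict). Because the rule keys on plaintext strings, it applies to the on-disk executable or a decoded memory image; a packed or encrypted copy of the sample will not hit, so pair this check with the named-pipe and cloud-API behavior described in the key points when hunting.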
Read more: https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/