CloudSorcerer: Hackers spy on Russian officials via Microsoft Graph, Yandex Cloud and Dropbox

Government agencies are facing a sophisticated cloud attack.

In May 2024, Russian government organizations faced a new, particularly complex cyberattack, which experts dubbed CloudSorcerer. This powerful cyber espionage tool is designed to discreetly monitor, collect, and display data through the Microsoft Graph, Yandex Cloud, and Dropbox cloud services. What makes CloudSorcerer unique is that it uses these cloud platforms as command servers, with which the malware interacts via APIs and authentication tokens. Interestingly, a GitHub repository also acts as the initial command server.

CloudSorcerer resembles the APT threat of CloudWizard, identified in 2023. However, despite the similarity in the principle of operation, the new malware has a completely different code, which indicates the work of another hacker group using similar methods of interacting with cloud services.

CloudSorcerer Features
CloudSorcerer is a multi-layered threat, using public cloud services to manage and coordinate its operations. The malware communicates with command servers via special commands, which it decodes using a given character table. Attackers also use Microsoft COM object interfaces to perform malicious operations.

The functioning of CloudSorcerer depends on the process in which it is running. Initially a single binary file written in C, the program adapts its functionality to the hosting process. For example, when running in the mspaint.exe process, CloudSorcerer acts as a backdoor, collecting data and executing malicious code. If the process is msiexec.exe, the malware initiates a communication module with the command server.

Technical Details
CloudSorcerer starts manually on an already infected computer. At startup, the malware calls the GetModuleFileNameA function to determine the name of the process in which it is running, and compares it with a specified set of strings: browser, mspaint.exe and msiexec.exe. Depending on the process name, CloudSorcerer activates different functions, such as data collection or communication with the command server.

The shellcode used to migrate between processes demonstrates standard functionality, including parsing the Process Environment Block (PEB) and injecting code into the target processes' memory.

CloudSorcerer Backdoor Module
This module starts its work by collecting system information about the infected computer, including the computer name, user name, Windows version information, and system uptime. The collected data is stored in a specially created structure and transmitted via the named pipe \\.\PIPE\[1428] to the command server module process.

Command Server Module
At startup, the command server module creates a new Windows pipe and configures a connection to the initial command server. The program connects to a page on GitHub or on the Russian cloud photo hosting service Mail.ru to get the encoded data. This data includes command instructions, which are then decrypted and executed.

Infrastructure and attribution
The GitHub page used for the initial data exchange was created in May 2024. Interestingly, the name of the repository is Alina Egorova, a common Russian name, although the photo shows a man. Similar methods were used on Mail.ru.

Conclusions
CloudSorcerer is a carefully designed cyber threat aimed at Russian government organizations. The use of cloud services as command servers and the sophisticated inter-process communication methods emphasize the high level of training of the cyber spies. Despite the similarities with CloudWizard, significant differences in the code point to the work of a new APT group, which was inspired by previously encountered methods but created unique tools for its attacks.
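As an added example that is not part of the post or of the cited research, the following Python detector scans constructed Sysmon-style telemetry for two of the behaviours described above: msiexec.exe or mspaint.exe (the processes the implant hides in) connecting to the cloud-service APIs it uses as command servers, and a named pipe containing "[1428]" used for the backdoor-to-C2-module hand-off. The API host names and the event layout are assumptions, not values from the post.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumption: public API hosts of the services the post names (Microsoft Graph,
# Dropbox, Yandex Cloud, GitHub, Mail.ru cloud). Tune to your own allow-list.
CLOUD_C2_HOSTS = {
    "graph.microsoft.com", "api.dropboxapi.com", "content.dropboxapi.com",
    "cloud-api.yandex.net", "api.github.com", "raw.githubusercontent.com",
    "cloud.mail.ru",
}
# Processes named in the post; neither should be talking to cloud APIs on its own.
SUSPECT_IMAGES = {"mspaint.exe", "msiexec.exe"}
PIPE_MARKER = "[1428]"  # fragment of the named pipe quoted in the post


@dataclass
class Event:
    event_id: int            # Sysmon-style: 3 = network connect, 17/18 = pipe create/connect
    image: str               # full path of the originating process
    destination_host: str = ""
    pipe_name: str = ""


def image_name(path: str) -> str:
    """Reduce a Windows or POSIX path to its lower-cased file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> Optional[str]:
    """Return an alert label when the event matches one of the post's indicators."""
    img = image_name(ev.image)
    if ev.event_id == 3 and img in SUSPECT_IMAGES \
            and ev.destination_host.lower() in CLOUD_C2_HOSTS:
        return f"cloud-c2: {img} -> {ev.destination_host}"
    if ev.event_id in (17, 18) and PIPE_MARKER in ev.pipe_name:
        return f"ipc-pipe: {img} used {ev.pipe_name}"
    return None


def scan(events: List[Event]) -> List[str]:
    return [a for a in (classify(e) for e in events) if a]


# Constructed sample telemetry: a benign msiexec.exe download, an implant-style
# connection from msiexec.exe to Microsoft Graph, the pipe hand-off, and a browser
# reaching GitHub (benign: not one of the suspect images).
SAMPLE = [
    Event(3, r"C:\Windows\System32\msiexec.exe", destination_host="download.windowsupdate.com"),
    Event(3, r"C:\Windows\System32\msiexec.exe", destination_host="graph.microsoft.com"),
    Event(17, r"C:\Windows\System32\mspaint.exe", pipe_name=r"\Device\NamedPipe\[1428]"),
    Event(3, r"C:\Program Files\Chrome\chrome.exe", destination_host="api.github.com"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```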
