CloudSorcerer – A new APT targeting Russian government entities

In May 2024, we discovered a new advanced persistent threat (APT) targeting Russian government entities that we dubbed CloudSorcerer. It’s a sophisticated cyberespionage tool used for stealth monitoring, data collection, and exfiltration via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure. The malware leverages cloud resources as its command and control (C2) servers, accessing them through APIs using authentication tokens. Additionally, CloudSorcerer uses GitHub as its initial C2 server.


CloudSorcerer’s modus operandi is reminiscent of the CloudWizard APT that we reported on in 2023. However, the malware code is completely different. We presume that CloudSorcerer is a new actor that has adopted a similar method of interacting with public cloud services.


Our findings in a nutshell:


CloudSorcerer APT uses public cloud services as its main C2s.
The malware interacts with the C2 using special commands and decodes them using a hardcoded charcode table.
The actor uses Microsoft COM object interfaces to perform malicious operations.
CloudSorcerer acts as separate modules (communication module, data collection module) depending on which process it is running in, but executes from a single executable.

Technical details


Initial start up


MD5: f701fc79578a12513c369d4e36c57224
SHA1: f1a93d185d7cd060e63d16c50e51f4921dd43723
SHA256: e4b2d8890f0e7259ee29c7ac98a3e9a5ae71327aaac658f84072770cf8ef02de
Link time: N/A
Compiler: N/A
File type: Windows x64 ex ..