A new advanced persistent threat (APT) group named CloudSorcerer abuses public cloud services to steal data from Russian government organizations in cyberespionage attacks.

Kaspersky security researchers discovered the cyberespionage group in May 2024. They report that CloudSorcerer uses custom malware that uses legitimate cloud services for command and control (C2) operations and data storage.

Kaspersky notes that CloudSorcerer’s modus operandi is similar to CloudWizard APT’s, but their malware is distinct, leading security researchers to believe this is a new threat actor.

CloudSorcerer malware details

While Kaspersky does not explain how the threat actors initially breach a network, they say they execute the custom Windows backdoor manually.

The malware has a process-specific behavior depending on where it has been injected, which it determines using ‘GetModuleFileNameA.’

If executed from within “mspaint.exe,” it acts as a backdoor, collecting data and executing code. However, if it is launched within “msiexec.exe,” it first initiates C2 communication to receive commands to execute.

The initial communication is a request to a GitHub repository (up at the time of writing) that contains a hexadecimal string that determines which cloud service to use for further C2 operations: Microsoft Graph, Yandex Cloud, or Dropbox.

For processes that don’t match any hardcoded behavior, the malware injects shellcode into the MSIexec, MSPaint, or Explorer process and terminates the initial process.

The shellcode parses the Process Environment Block (PEB) to identify Windows core DLL offsets, identifies required Windows APIs using the ROR14 algorithm, and maps the CloudSorcerer code into the memory of targeted processes.

Data exchange between modules is organized through Windows pipes for seamless inter-process communication.

The backdoor module, which performs the data theft, collects system information such as computer name, user name, Windows subversion, and system uptime.

It also supports a range of commands retrieved from the C2, including:

• Shell command execution using the ‘ShellExecuteExW’ API
• Copy, move, rename, or delete files
• Receive a shellcode from the pipe and inject it into any process by allocating memory and creating a new thread in a remote process
• Receive a PE file, create a section, and map it into the remote process
• Create a process using COM interfaces
• Create a process as a dedicated user
• Create a new service or modify an existing service
• Add new network users or remove legitimate users from the system

Overall, the CloudSorcerer backdoor is a potent tool that enables the threat actors to perform malicious actions on the infected machines.

Kaspersky characterizes the CloudSorcerer attacks as highly sophisticated due to the malware’s dynamic adaptation and covert data communication mechanisms.

Indicators of compromise (IoC) and Yara rules for detecting the CloudSorcerer malware are available at the bottom of Kaspersky’s report.