So maybe China and Russia are not such good friends after all. Cyber security researchers have uncovered an apparently new Advanced Persistent Threat (APT) group, known as CloudSorcerer, targeting Russian government entities. The group uses a sophisticated cyber espionage tool, discovered by investigators and reported in an advisory published in June, that is designed for covert data collection and exfiltration and uses Microsoft Graph, Yandex Cloud, and Dropbox for its command and control (C2) infrastructure.[1]
In late July 2024, a series of targeted cyber-attacks on dozens of computers at Russian government organizations and IT companies was detected. This campaign has been named EastWind.
The threat actors infected devices using phishing emails with malicious shortcut attachments. These shortcuts delivered malware that received commands via the Dropbox cloud service. Attackers used this malware to download additional payloads onto infected computers, particularly tools previously used by the Chinese APT31 group.
Interesting features of the implants used in this campaign:
- APT31 has used the malware downloaded by the attackers from Dropbox since at least 2021.
- The attackers updated the CloudSorcerer backdoor, which currently uses LiveJournal (a popular Russian social network) and Quora profiles as initial C2 servers.
- The attacks additionally deploy a previously unknown implant with a classic backdoor functionality. It is loaded via the CloudSorcerer backdoor, and its command set is quite extensive. It supports three different protocols for communicating with C2.
The attackers used spear phishing to gain an initial foothold in the organizations, sending malicious emails with attached RAR archives to organizational email addresses. After running the tool, the attackers downloaded the following files to the infected machine:
- A file with the .ini extension, containing the encrypted payload. The name of this file varied across infected machines.
- A renamed copy of the legitimate, Microsoft-signed application dbgsrv.exe (example name: WinDRMs.exe).
- A malicious library (DLL).
The implants identified during the attack differ significantly from each other; because of this complication, experts advise using a separate set of Indicators of Compromise (IoCs) to identify each piece of malware involved in a compromise.
Threat actors often use toolkits that implement a wide variety of techniques and tactics in attacks on government organizations. In developing these tools, they go to great lengths to hide malicious activity in network traffic. The attackers behind the EastWind campaign used popular network services (GitHub, Dropbox, Quora, LiveJournal, and Yandex) as C2 servers.
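The file drop chain above (a renamed signed binary beside an unnamed malicious DLL) and the use of popular cloud services as C2 both leave traces in endpoint telemetry. The script below is an added example, not code from the article or from the researchers it cites. It runs three defender-side heuristics over constructed Sysmon-style events: a Microsoft-signed executable whose on-disk name differs from its PE OriginalFileName (the renamed dbgsrv.exe), an unsigned DLL loaded from the same directory as that executable (DLL sideloading), and a process outside a browser/sync-client allow-list contacting one of the cloud services named in the article. The event field names, hostnames, allow-list, the DLL name and the sample events are all assumptions.

```python
"""Detection sketch for the EastWind infection chain described in the article.

Added example, not from the original article. Events are dicts loosely modelled
on Sysmon event IDs 1 (process create), 7 (image load) and 3 (network connect);
the field names, hostnames, allow-list and sample data are assumptions.
"""
from pathlib import PureWindowsPath

# Cloud services the article names as C2 infrastructure (hostnames assumed).
C2_CLOUD_HOSTS = {
    "api.dropboxapi.com", "content.dropboxapi.com", "graph.microsoft.com",
    "api.github.com", "raw.githubusercontent.com", "quora.com", "www.quora.com",
    "livejournal.com", "www.livejournal.com", "cloud-api.yandex.net",
}
# Processes expected to reach those hosts legitimately (assumed allow-list).
EXPECTED_CLOUD_CLIENTS = {
    "chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe", "outlook.exe", "teams.exe",
}
# DLLs loaded from these directories are not treated as sideloads.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def renamed_signed_binary(ev: dict) -> bool:
    """Event ID 1: signed image whose on-disk name differs from OriginalFileName."""
    orig = ev.get("OriginalFileName", "").lower()
    return (
        ev.get("EventID") == 1
        and ev.get("Signed") is True
        and orig not in ("", "-")
        and orig != _base(ev["Image"])
    )


def sideloaded_dll(ev: dict) -> bool:
    """Event ID 7: unsigned DLL loaded from the process's own (untrusted) directory."""
    if ev.get("EventID") != 7 or ev.get("Signed") is True:
        return False
    dll_dir = _parent(ev["ImageLoaded"])
    return dll_dir == _parent(ev["Image"]) and not dll_dir.startswith(TRUSTED_DLL_DIRS)


def unexpected_cloud_c2(ev: dict) -> bool:
    """Event ID 3: a process outside the allow-list talking to a C2-capable cloud host."""
    return (
        ev.get("EventID") == 3
        and ev.get("DestinationHostname", "").lower() in C2_CLOUD_HOSTS
        and _base(ev["Image"]) not in EXPECTED_CLOUD_CLIENTS
    )


def detect(events):
    """Return (rule_name, image_path) for every event that trips a heuristic."""
    rules = (
        ("renamed_signed_binary", renamed_signed_binary),
        ("dll_sideload", sideloaded_dll),
        ("cloud_c2_from_unexpected_process", unexpected_cloud_c2),
    )
    return [(name, ev["Image"]) for ev in events for name, fn in rules if fn(ev)]


# Constructed sample telemetry: paths, the DLL name and hostnames are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Temp\WinDRMs.exe",
     "OriginalFileName": "dbgsrv.exe", "Signed": True},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\WinDRMs.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\placeholder_sideload.dll",
     "Signed": False},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\WinDRMs.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True},
    {"EventID": 3, "Image": r"C:\Users\u\AppData\Local\Temp\WinDRMs.exe",
     "DestinationHostname": "api.dropboxapi.com"},
    {"EventID": 3, "Image": r"C:\Program Files\Dropbox\Client\Dropbox.exe",
     "DestinationHostname": "api.dropboxapi.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "Signed": True},
]

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The three rules are deliberately independent: a renamed signed binary on its own is often benign (installers copy system tools), but the same image loading an unsigned DLL from its own directory and then reaching a file-sharing API from a user-writable path is the combination the article describes, so correlating alerts on a shared image path is the useful next step.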
The EastWind campaign bore traces of malware from two different Chinese-speaking groups: APT27 and APT31. This clearly shows that APT groups very often team up, actively sharing knowledge and tools. To successfully counter such collaborations, the techniques and tactics of APT groups operating around the world are now being monitored.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com.
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefing
https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.cybersecurityintelligence.com/blog/chinese-attacks-on-russian-government-agencies-7877.html