New CloudSorcerer APT Group Exploits Cloud Services And GitHub For C2 Servers

Threat actors abuse cloud services and GitHub because they are widely used and hold large amounts of data: intellectual property, sensitive information, and credentials that attackers can monetise.

Misconfigured cloud settings or public repositories can also expose data inadvertently, and the collaborative nature of these services makes them a convenient channel for delivering malware or pivoting into larger systems.

Cybersecurity analysts at Kaspersky Lab recently found that a new APT group, CloudSorcerer, has been abusing public cloud services and GitHub as its command-and-control (C2) infrastructure.

CloudSorcerer APT Group

In May 2024, CloudSorcerer was discovered targeting Russian government institutions.

The malware uses Microsoft Graph, Yandex.Cloud, Dropbox, and GitHub as command-and-control (C2) infrastructure for what is a highly sophisticated cyber-espionage toolset.

The C2 channels are implemented through the services' public APIs, authenticated with authorization tokens.

The malware is split into two main modules, one for C2 communication and one for data collection. It relies on COM object interfaces for its malicious actions and on a pre-defined charcode table to decode commands, which are issued as a fixed sequence of characters.

CloudSorcerer is a C-based PE binary whose behaviour depends on the process it is running in. In mspaint.exe it acts as a backdoor for data collection and code execution.

In msiexec.exe it runs the C2 communication module; in any other process it only injects shellcode into specific target processes.
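The host processes named above are a useful detection hook: mspaint.exe has no reason to talk to cloud APIs, and msiexec.exe has no reason to talk to the particular services the malware uses. The following is an added detection example, not code from Kaspersky, Securelist or this article. It runs over constructed Sysmon Event ID 3 (network connection) records in JSON-lines form and flags either host process when it connects to one of the cloud APIs. The hostnames in the domain list are assumptions about where those services are reached, and the log lines are invented for the example.

```python
"""Detection example (added here; not Kaspersky's, Securelist's or the article's code).
Flags mspaint.exe and msiexec.exe, the host processes the page names for
CloudSorcerer, when they open network connections to the cloud APIs the malware
uses for C2. Input: constructed Sysmon Event ID 3 records as JSON lines."""
import json
from typing import Iterator, Optional

# Host processes named on the page. Paint never needs cloud APIs; msiexec.exe may
# legitimately fetch installers, so it is only flagged against the domains below.
SUSPECT_IMAGES = {"mspaint.exe", "msiexec.exe"}

# Assumed API hostnames / parent domains for the services the page lists.
# A starting list, not an authoritative one.
CLOUD_C2_DOMAINS = {
    "graph.microsoft.com": "Microsoft Graph",
    "cloud-api.yandex.net": "Yandex.Cloud",
    "dropboxapi.com": "Dropbox",
    "api.github.com": "GitHub",
    "github.com": "GitHub",
}

# Constructed sample telemetry (Sysmon EventID 3 fields as JSON lines). Not real data.
SAMPLE_LOG = r"""
{"EventID": 3, "ProcessId": 4120, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "api.github.com", "DestinationPort": 443}
{"EventID": 3, "ProcessId": 5568, "Image": "C:\\Windows\\System32\\mspaint.exe", "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443}
{"EventID": 3, "ProcessId": 6012, "Image": "C:\\Windows\\System32\\msiexec.exe", "DestinationHostname": "download.example-vendor.com", "DestinationPort": 443}
{"EventID": 3, "ProcessId": 6012, "Image": "C:\\Windows\\System32\\msiexec.exe", "DestinationHostname": "cloud-api.yandex.net", "DestinationPort": 443}
{"EventID": 1, "ProcessId": 5568, "Image": "C:\\Windows\\System32\\mspaint.exe"}
{"EventID": 3, "ProcessId": 7001, "Image": "C:\\Windows\\System32\\mspaint.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
"""


def image_name(image_path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return image_path.rsplit("\\", 1)[-1].lower()


def classify_host(hostname: Optional[str]) -> Optional[str]:
    """Return the service name if hostname is, or is a subdomain of, a listed domain.
    Suffix matching is anchored on a dot so 'evil-github.com' does not match."""
    if not hostname:
        return None
    host = hostname.lower().rstrip(".")
    for domain, service in CLOUD_C2_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return service
    return None


def parse_events(log_text: str) -> Iterator[dict]:
    """Yield one dict per non-empty JSON line."""
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def detect(events) -> list:
    """Return an alert per network-connection event from a suspect image to a C2 domain.
    Events that carry only a DestinationIp are skipped: attributing an IP to a
    service needs DNS telemetry (e.g. Sysmon Event ID 22), which this rule does not use."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        image = image_name(ev.get("Image", ""))
        if image not in SUSPECT_IMAGES:
            continue
        service = classify_host(ev.get("DestinationHostname"))
        if service is None:
            continue
        alerts.append({
            "pid": ev.get("ProcessId"),
            "image": image,
            "host": ev["DestinationHostname"],
            "service": service,
        })
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"ALERT pid={a['pid']} {a['image']} -> {a['host']} ({a['service']})")
```

Run stand-alone, the script prints two alerts: the mspaint.exe connection to Microsoft Graph and the msiexec.exe connection to Yandex. The browser's GitHub traffic, the msiexec.exe installer download and the IP-only event are left alone, which is the trade-off the rule makes: it keys on process identity plus destination, not on either alone.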

The backdoor collects system information, executes commands such as file operations, shellcode injection and PE file mapping, and uses Windows pipes for inter-process communication to hand the collected data to the C2 module.

The system information it gathers includes:

  • Computer name
  • User name
  • Windows subversion information
  • System uptime

The initial C2 for CloudSorcerer's C2 module is a GitHub page or, alternatively, a Russian cloud photo-hosting server.

From that page the module extracts a hidden hex string and decodes it with the charcode table. The decoded data identifies which cloud service to use (Microsoft Graph or Yandex) and supplies the authentication token for it.

Hex string in the author section (Source – Securelist)
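The following is an added worked example of the dead-drop resolver pattern just described; it is not the malware's code and not taken from Securelist. A hex string planted in a public page (here the author field of a constructed GitHub-style HTML page) is extracted and decoded through a substitution ("charcode") table to recover which cloud service to use and the token for it. The table, the page layout and the layout of the decoded record (first character selects the service, the rest is the token) are all assumptions made for this illustration; a real sample ships its own table and format.

```python
"""Dead-drop resolver example (added here; not the malware's code, not from Securelist).
A hex blob hidden in a public page is decoded through an assumed charcode table
into a service selector and an authentication token."""
import re
from typing import Optional, Tuple

# Characters the decoded record may contain (assumed).
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_."

# Assumed charcode table: one two-hex-digit code per character, assigned by a fixed
# permutation (7 is invertible mod 256, so codes are unique). Constructed for the example.
CHARCODE_TABLE = {f"{(7 * i + 13) % 256:02x}": ch for i, ch in enumerate(ALPHABET)}
REVERSE_TABLE = {ch: code for code, ch in CHARCODE_TABLE.items()}

# Assumed record layout: first character selects the service, the rest is the token.
SERVICE_SELECTOR = {"M": "Microsoft Graph", "Y": "Yandex.Cloud"}

# Assumed hiding place: a <meta name="author"> tag whose content is pure hex.
AUTHOR_HEX_RE = re.compile(r'<meta\s+name="author"\s+content="([0-9a-fA-F]+)"', re.I)


def encode_with_table(text: str) -> str:
    """Produce the hex blob an operator would plant (used here only to build the sample page)."""
    return "".join(REVERSE_TABLE[ch] for ch in text)


def decode_with_table(hex_blob: str) -> str:
    """Decode two hex digits at a time; reject blobs the table does not cover."""
    if len(hex_blob) % 2:
        raise ValueError("odd-length hex string")
    out = []
    for i in range(0, len(hex_blob), 2):
        code = hex_blob[i:i + 2].lower()
        if code not in CHARCODE_TABLE:
            raise ValueError(f"code {code!r} not in charcode table")
        out.append(CHARCODE_TABLE[code])
    return "".join(out)


def extract_hidden_hex(html: str) -> Optional[str]:
    """Pull the hex string out of the author field, or None if the page carries none."""
    m = AUTHOR_HEX_RE.search(html)
    return m.group(1) if m else None


def resolve_dead_drop(html: str) -> Tuple[str, str]:
    """Page text -> (service name, token). Raises ValueError on a malformed drop."""
    blob = extract_hidden_hex(html)
    if blob is None:
        raise ValueError("no hex string in author field")
    record = decode_with_table(blob)
    service = SERVICE_SELECTOR.get(record[:1])
    if service is None or len(record) < 2:
        raise ValueError("unknown service selector or empty token")
    return service, record[1:]


# Constructed sample page carrying an encoded Microsoft Graph selector and a dummy token.
SAMPLE_PAGE = (
    "<html><head><title>cloud-notes</title>"
    f'<meta name="author" content="{encode_with_table("M" + "tok_example_123")}">'
    "</head><body><p>A quiet placeholder page.</p></body></html>"
)

if __name__ == "__main__":
    svc, tok = resolve_dead_drop(SAMPLE_PAGE)
    print(f"service={svc} token={tok}")
```

The same layout works in reverse for defenders: a profile or metadata field that contains nothing but a long run of hex digits is unusual enough to hunt for, and the decoder's strict failure on unknown codes is what keeps a resolver from running on an unrelated page.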

This design lets the malware blend in with legitimate traffic to popular services while retaining the ability to switch between cloud providers for its C2 operations.

The C2 module connects to the cloud APIs using standard Internet functions and the decoded authentication token. It spawns two threads that communicate asynchronously with the backdoor module over Windows pipes.

The C2 module receives and decodes commands from the cloud service, passes them to the backdoor, and uploads execution results and exfiltrated data, so that both command delivery and data transfer are hidden inside traffic to legitimate services.
