A previously undocumented advanced persistent threat (APT) group dubbed CloudSorcerer has been observed targeting Russian government entities by leveraging cloud services for command-and-control (C2) and data exfiltration.
Cybersecurity firm Kaspersky, which discovered the activity in May 2024, said the tradecraft adopted by the threat actor bears similarities with that of CloudWizard, but pointed out differences in the malware source code. The attacks wield an innovative data-gathering program and a slew of evasion tactics for covering their tracks.
"It's a sophisticated cyber espionage tool used for stealth monitoring, data collection, and exfiltration via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure," the Russian security vendor said.
"The malware leverages cloud resources as its command and control (C2) servers, accessing them through APIs using authentication tokens. Additionally, CloudSorcerer uses GitHub as its initial C2 server."
The exact method used to infiltrate targets is currently unknown, but the initial access is used to drop a C-based portable executable binary that acts as a backdoor, initiates C2 communications, or injects shellcode into other legitimate processes, depending on the process in which it is executed: mspaint.exe, msiexec.exe, or a process whose name contains the string "browser".
"The malware's ability to dynamically adapt its behavior based on the process it is running in, coupled with its use of complex inter-process communication through Windows pipes, further highlights its sophistication," Kaspersky noted.
The backdoor component is designed to collect information about the victim machine and retrieve instructions to enumerate files and folders, execute shell commands, perform file operations, and run additional payloads.
The C2 module, for its part, connects to a GitHub page that acts as a dead drop resolver to fetch an encoded hex string pointing to the actual server hosted on Microsoft Graph or Yandex Cloud.
"Alternatively, instead of connecting to GitHub, CloudSorcerer also tries to get the same data from hxxps://my.mail[.]ru/, which is a Russian cloud-based photo hosting server," Kaspersky said. "The name of the photo album contains the same hex string."
"The CloudSorcerer malware represents a sophisticated toolset targeting Russian government entities. Its use of cloud services such as Microsoft Graph, Yandex Cloud, and Dropbox for C2 infrastructure, along with GitHub for initial C2 communications, demonstrates a well-planned approach to cyber espionage."
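The behaviour described above (a benign-looking host process such as mspaint.exe or msiexec.exe talking to cloud APIs used for C2) is something endpoint or proxy telemetry can surface. The following detection sketch is an added example, not code from Kaspersky or the article: it runs over constructed telemetry lines and flags the suspect process/destination combinations. The log format, the host names for Yandex and Dropbox, and the process list are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed endpoint telemetry lines (not real captures) modelled on the article:
# legitimate-looking host processes reaching the cloud services the malware abuses.
SAMPLE_EVENTS = """\
2024-05-14T09:12:03Z host=WS01 proc=mspaint.exe dst=api.github.com port=443
2024-05-14T09:12:05Z host=WS01 proc=mspaint.exe dst=graph.microsoft.com port=443
2024-05-14T09:13:10Z host=WS02 proc=chrome.exe dst=graph.microsoft.com port=443
2024-05-14T09:14:22Z host=WS03 proc=msiexec.exe dst=cloud-api.yandex.net port=443
2024-05-14T09:15:00Z host=WS04 proc=outlook.exe dst=graph.microsoft.com port=443
2024-05-14T09:16:40Z host=WS05 proc=msiexec.exe dst=update.example.com port=443
"""

# Host processes the article names for the backdoor / C2 module. Neither has a
# legitimate reason to talk to cloud storage or code-hosting APIs.
SUSPECT_PROCS = {"mspaint.exe", "msiexec.exe"}

# API hosts for the services the article names. GitHub and Microsoft Graph are the
# public endpoints; the Yandex and Dropbox names are assumed for this example.
CLOUD_C2_HOSTS = re.compile(
    r"^(api\.github\.com|raw\.githubusercontent\.com|graph\.microsoft\.com|"
    r"cloud-api\.yandex\.net|api\.dropboxapi\.com|content\.dropboxapi\.com|my\.mail\.ru)$",
    re.IGNORECASE,
)

# Assumed key=value telemetry format used by the constructed sample above.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    proc: str
    dst: str


def parse_event(line: str) -> Optional[dict]:
    """Return the parsed fields of one telemetry line, or None if it is malformed."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def find_cloud_c2_candidates(events: str) -> List[Alert]:
    """Flag connections from a suspect host process to a cloud service associated
    with CloudSorcerer C2 or exfiltration. Malformed lines are skipped."""
    alerts: List[Alert] = []
    for line in events.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["proc"].lower() in SUSPECT_PROCS and CLOUD_C2_HOSTS.match(ev["dst"]):
            alerts.append(Alert(ev["ts"], ev["host"], ev["proc"], ev["dst"]))
    return alerts


if __name__ == "__main__":
    for a in find_cloud_c2_candidates(SAMPLE_EVENTS):
        print(f"{a.ts} {a.host}: {a.proc} -> {a.dst}")
```

Browser processes (the third injection target the article mentions) contact these hosts routinely, so they are deliberately not flagged here; catching injection into them needs a per-host baseline or process-integrity telemetry rather than a destination rule.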
References
[1]https://thehackernews.com/2024/07/new-apt-group-cloudsorcerer-targets.html
Originally published on the WeChat public account 知机安全: "CloudSorcerer: New APT Group Targets the Russian Government"