Security researchers at Securelsit by Kaspersky today detailed a new advanced persistent threat group that’s targeting Russian government entities in what appears to be another uptick in geopolitical-linked hacking.

Dubbed CloudSorcerer, the group uses a sophisticated cyber espionage tool for stealth monitoring, data collection and exfiltration via Microsoft Graph, Yandex Cloud and Dropbox cloud infrastructure. The malware leverages cloud resources as its command and control servers, accessing them through application programming interfaces using authentication tokens.

CloudSorcerer’s operations are said to resemble those of the CloudWizard APT from 2023. CloudWizard was notably an APT campaign used to target Russian-occupied areas of Ukraine and related entities.

However, there are also some key differences between the two. CloudSorcerer uses separate modules depending on the process it runs, which include communication and data collection models. The malware uses Windows pipes for inter-process communication and adapts its functionality based on the process name.

The malware collects system information and sends it to a command and control module. It can execute different comments, such as collecting system information, manipulating files, executing shell commands and creating processes using COM interfaces.

CloudSorcerer uses GitHub and Mail.ru for initial communications and uses encoded strings to interact with cloud services. It then uses Yandex Cloud, Microsoft Graph and Dropbox for data exfiltration and command execution.

Despite the similarities to CloudWizard, the researchers note, there are distinct differences in code and functionality, suggesting that CloudSorcerer is likely a new actor using similar techniques but developing unique tools.

The report does not speculate who might be behind CloudSorcerer, but if it’s not the Ukrainians, it’s likely a Western country and the most likely would be the U.S.

“It’s always interesting to see attacks focused on those that we tend to expect attacks from,” Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “This is an example of the fact that cyberthreats, including espionage, are a global issue, not just one focused on North America or European entities.”

This malware works differently based on the program from which it is executed, Kron explained. “While the initial C2 communication starting with GitHub is not unusual, it is a lesson in the importance of limiting outbound traffic from networks, as opposed to just inbound traffic,” he said. “If most of the people within an organization have no need to access a commonly used website for command-and-control traffic such as this, it makes sense to block this traffic.”

Image: SiliconANGLE/GPT-4o