
CloudSorcerer Backdoor

A new spear-phishing campaign, dubbed EastWind, is targeting the Russian government and IT organizations. The campaign delivers a variety of backdoors and Trojans.

This attack sequence typically begins with RAR archive attachments that contain a Windows shortcut (LNK) file. When opened, this file triggers a series of actions that ultimately result in the deployment of malware, including GrewApacha, an updated version of the CloudSorcerer backdoor, and a previously unknown implant named PlugY. PlugY is downloaded via the CloudSorcerer backdoor, features a wide array of commands, and can communicate with the Command-and-Control (C2) server using three different protocols.

CloudSorcerer is a Complex Backdoor Threat

CloudSorcerer is an advanced cyber-espionage tool designed for covert monitoring, data collection, and exfiltration through Microsoft Graph, Yandex Cloud, and Dropbox. It uses cloud resources as its C2 servers, interacting with them via APIs and authentication tokens. Initially, it employs GitHub as its primary C2 server.

The exact method of target infiltration remains unclear. However, once access is gained, the malware deploys a C-based portable executable binary that serves as a backdoor. This binary initiates C2 communications or injects shellcode into legitimate processes, such as mspaint.exe, msiexec.exe, or any process containing the string 'browser.'

CloudSorcerer's sophisticated design allows it to adapt its behavior based on the executing process and utilize complex inter-process communication through Windows pipes.

The backdoor component is tailored to gather information about the victim's machine and execute instructions to enumerate files and folders, run shell commands, perform file operations, and deploy additional payloads.

The C2 module connects to a GitHub page that functions as a dead drop resolver, retrieving an encoded hex string that points to the actual server on Microsoft Graph or Yandex Cloud. Alternatively, CloudSorcerer may also access data from hxxps://my.mail.ru/, a Russian cloud-based photo hosting service, where the album name contains the same hex string.

Cybercriminals Use CloudSorcerer to Deploy Next-Stage Malware

The initial infection method involves a compromised LNK file that uses DLL side-loading techniques to execute a fraudulent DLL. This DLL utilizes Dropbox as a communication channel to perform reconnaissance and download additional payloads.

One of the deployed malware strains is GrewApacha, a backdoor previously associated with the China-linked APT31 group. Also initiated through DLL side-loading, it uses an attacker-controlled GitHub profile as a dead drop resolver to store a Base64-encoded string pointing to the actual command-and-control (C2) server.
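Both backdoors above resolve their real C2 through a dead drop: a GitHub page or photo-album name that carries a hex-encoded (CloudSorcerer) or Base64-encoded (GrewApacha) string pointing at the actual server. The following triage helper is an added example, not code from the report or from either malware family: it pulls such tokens out of scraped page text, decodes them, and flags the ones that resolve to a URL on a cloud API. The page names Microsoft Graph, Yandex Cloud and Dropbox as relays; the specific API hostnames in `CLOUD_API_HOSTS` and the sample page text are this example's own constructions.

```python
"""Added triage helper: find hex- and Base64-encoded tokens in the text of a suspected
dead-drop page, decode them, and flag any that resolve to a URL on a cloud API."""
import base64
import re
from typing import List, Tuple

# The report names Microsoft Graph, Yandex Cloud and Dropbox as relays; these
# exact API hostnames are this example's assumption, not from the report.
CLOUD_API_HOSTS = ("graph.microsoft.com", "cloud-api.yandex.net", "api.dropboxapi.com")

HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{2}){16,}\b")  # run of >=16 hex-encoded bytes
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])")


def _decode(token: str, encoding: str):
    """Decode one token to printable ASCII; None if it is not a clean encoding."""
    try:
        raw = bytes.fromhex(token) if encoding == "hex" else base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except ValueError:  # covers odd hex, bad Base64 padding (binascii.Error), non-ASCII bytes
        return None
    return text if text.isprintable() else None


def extract_candidates(text: str) -> List[Tuple[str, str, str]]:
    """Return (encoding, token, decoded) for every decodable token in the page text."""
    found = [("hex", m.group(0)) for m in HEX_RE.finditer(text)]
    # A pure-hex run is also valid Base64 alphabet; do not decode it a second time.
    found += [("base64", m.group(0)) for m in B64_RE.finditer(text)
              if not HEX_RE.fullmatch(m.group(0))]
    results = []
    for encoding, token in found:
        decoded = _decode(token, encoding)
        if decoded is not None:
            results.append((encoding, token, decoded))
    return results


def flag_c2_pointers(text: str) -> List[str]:
    """Decoded tokens that are URLs on a cloud API: the dead-drop pattern described above."""
    return [d for _, _, d in extract_candidates(text)
            if d.startswith(("http://", "https://")) and any(h in d for h in CLOUD_API_HOSTS)]


# Constructed stand-in for a scraped profile/album page; the tokens are not real indicators.
SAMPLE_PAGE = "\n".join([
    "Landscape photos from my trips. Album: " + "https://graph.microsoft.com/v1.0".encode().hex(),
    "caption: " + b"just an album caption here".hex(),
    "bio: " + base64.b64encode(b"https://cloud-api.yandex.net/v1/disk").decode(),
    "misc: deadbeef 1234 photographer",
])
```

Running `flag_c2_pointers(SAMPLE_PAGE)` returns only the two decoded cloud-API URLs; the caption token decodes cleanly but is not a URL, and the short hex word `deadbeef` never reaches the decoder.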

The other malware family observed in the attacks is PlugY, a fully-featured backdoor that connects to a management server using TCP, UDP, or named pipes and comes with capabilities to execute shell commands, monitor device screen, log keystrokes, and capture clipboard content.

A source code analysis of PlugY uncovered similarities with a known backdoor called DRBControl (aka Clambling), which has been attributed to China-nexus threat clusters tracked as APT27 and APT41. The attackers behind the EastWind campaign used popular network services, including GitHub, Dropbox, Quora, the Russian LiveJournal, and Yandex Disk, as command servers.
