Researchers from Kaspersky Lab continue to track CloudSorcerer attacks on the public sector in Russia, initiated as part of a new campaign dubbed EastWind.
In late July 2024, Kaspersky Lab specialists managed to identify an active series of targeted cyberattacks on dozens of Russian government organizations and IT companies.
During these attacks, attackers infected devices using phishing emails with attachments containing malicious shortcut files.
Opening the shortcuts installed malware, which then received commands through Dropbox cloud storage, authenticating with a hard-coded token.
Using this malware, the attackers downloaded additional Trojans to the infected computers, as well as an updated version of the CloudSorcerer backdoor.
Notably, a similar infection method was used in an attack on one organization in the United States using the CloudSorcerer backdoor, as reported by Proofpoint in July 2024.
The Trojan that the attackers downloaded from Dropbox in EastWind has been used by the APT31 group since at least 2021 and is tracked by Kaspersky Lab as GrewApacha.
The CloudSorcerer backdoor, which Kaspersky Lab described in detail in early July 2024, was updated after that publication.
It now uses profiles on the LiveJournal blogging platform and the Q&A site Quora as its initial command-and-control server.
As with previous versions of CloudSorcerer, the profile description contains an encrypted authentication token for interacting with the cloud service.
The attacks also use a previously unknown implant with classic backdoor functionality, which Kaspersky Lab named PlugY.
It is loaded via the CloudSorcerer backdoor, has an extensive command set, and supports three different protocols for communicating with its command-and-control server.
In addition, its code is similar to the DRBControl backdoor (also known as Clambling), which several security companies attribute to the APT27 group.
Thus, malware from two different Chinese-speaking groups, APT27 and APT31, was observed in EastWind, which clearly shows how APT groups often cooperate, actively exchanging experience and attack tools.
A technical analysis of the new tools and recommendations for detecting traces of a potential attack are available in the Kaspersky Lab report:
https://securelist.ru/eastwind-apt-campaign/110020/
