CloudSorcerer hackers abuse cloud services to steal Russian govt data

A new advanced persistent threat (APT) group named CloudSorcerer abuses public cloud services to steal data from Russian government organizations in cyberespionage attacks.

Kaspersky security researchers discovered the cyberespionage group in May 2024. They report that CloudSorcerer uses custom malware that relies on legitimate cloud services for command and control (C2) operations and data storage.

Kaspersky notes that CloudSorcerer's modus operandi is similar to CloudWizard APT's, but their malware is distinct, leading security researchers to believe this is a new threat actor.

While Kaspersky does not explain how the threat actors initially breach a network, they say they execute the custom Windows backdoor manually.

The malware has a process-specific behavior depending on where it has been injected, which it determines using GetModuleFileNameA.

If executed from within mspaint.exe, it acts as a backdoor, collecting data and executing code. However, if it is launched within msiexec.exe, it first initiates C2 communication to receive commands to execute.

The initial communication is a request to a GitHub repository (up at the time of writing) that contains a hexadecimal string that determines which cloud service to use for further C2 operations: Microsoft Graph, Yandex Cloud, or Dropbox.

For processes that don't match any hardcoded behavior, the malware injects shellcode into the MSIexec, MSPaint, or Explorer process and terminates the initial process.

The shellcode parses the Process Environment Block (PEB) to identify Windows core DLL offsets, identifies required Windows APIs using the ROR14 algorithm, and maps the CloudSorcerer code into the memory of targeted processes.

Data exchange between modules is organized through Windows pipes for seamless inter-process communication.

The backdoor module, which performs the data theft, collects system information such as computer name, user name, Windows sub-version, and system uptime.

It also supports a range of commands retrieved from the C2, including:

Overall, the CloudSorcerer backdoor is a potent tool that enables the threat actors to perform malicious actions on the infected machines.

Kaspersky characterizes the CloudSorcerer attacks as highly sophisticated due to the malware's dynamic adaptation and covert data communication mechanisms.

Indicators of compromise (IoC) and Yara rules for detecting the CloudSorcerer malware are available at the bottom of Kaspersky's report.

These the good guys then?
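As an added example (not from the article or from Kaspersky's report), the following detection check runs over constructed Sysmon-style network-connection lines and flags the host processes the article names (mspaint.exe, msiexec.exe, explorer.exe) reaching the cloud services used for C2, rating a process higher when it first contacted GitHub and then one of the three cloud services. The API hostnames and the log format are assumptions.

```python
import re

# Processes the article names as hosts for the injected code.
SUSPECT_IMAGES = {"mspaint.exe", "msiexec.exe", "explorer.exe"}

# Assumed API hostnames for the services the article names: GitHub for the
# initial beacon, then Microsoft Graph, Yandex Cloud or Dropbox for C2.
STAGING_HOSTS = {"api.github.com", "raw.githubusercontent.com", "github.com"}
C2_HOSTS = {
    "graph.microsoft.com": "Microsoft Graph",
    "cloud-api.yandex.net": "Yandex Cloud",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
}

# Constructed sample telemetry in a Sysmon-like key=value form (not real logs).
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\mspaint.exe ProcessId=4120 DestinationHostname=api.github.com
Image=C:\\Windows\\explorer.exe ProcessId=1200 DestinationHostname=update.example.org
Image=C:\\Windows\\System32\\mspaint.exe ProcessId=4120 DestinationHostname=graph.microsoft.com
Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe ProcessId=5566 DestinationHostname=api.dropboxapi.com
Image=C:\\Windows\\System32\\msiexec.exe ProcessId=3008 DestinationHostname=cloud-api.yandex.net
"""

LINE_RE = re.compile(
    r"Image=(?P<image>.+?) ProcessId=(?P<pid>\d+) DestinationHostname=(?P<host>\S+)"
)

def parse(log):
    """Yield (image basename, pid, destination host) for each connection line."""
    for m in LINE_RE.finditer(log):
        yield m["image"].rsplit("\\", 1)[-1].lower(), int(m["pid"]), m["host"].lower()

def detect(log):
    """Return one finding per suspect process that reached a cloud C2 endpoint.

    Severity is 'high' when the same process first hit GitHub (the staging step
    the article describes) and then one of the cloud C2 services, else 'medium'.
    """
    seen_staging = set()
    findings = {}
    for image, pid, host in parse(log):
        if image not in SUSPECT_IMAGES:
            continue
        if host in STAGING_HOSTS:
            seen_staging.add((image, pid))
        elif host in C2_HOSTS:
            severity = "high" if (image, pid) in seen_staging else "medium"
            findings[(image, pid)] = {"service": C2_HOSTS[host], "severity": severity}
    return findings
```

In a real environment, baseline whether these processes ever legitimately reach Graph or Dropbox before alerting, and pair this rule with the IoCs and Yara rules from Kaspersky's report.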