
Chinese Hacking Groups Target Russian government, IT firms

At the end of July 2024, a series of targeted cyberattacks began, aimed at Russian government organizations and IT companies. These attacks have been linked to Chinese hacker groups APT31 and APT27. The cybersecurity firm Kaspersky uncovered this activity and named the campaign "EastWind."  

The attackers used an updated version of the CloudSorcerer backdoor, which was first seen in a similar campaign back in May 2024 that also targeted Russian government entities. 
However, CloudSorcerer has not only been used in attacks on Russia; in May 2024, Proofpoint identified a related attack on a U.S.-based think tank. 

To check whether a system has been compromised, look for DLL files larger than 5 MB in the 'C:\Users\Public' directory, for unsigned copies of 'msedgeupdate.dll', and for a running 'msiexec.exe' process under each logged-in user's account.
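The three host checks above, written up as an added triage script; it is not from the original post or from Kaspersky's report. It assumes an elevated PowerShell session, and the search paths for 'msedgeupdate.dll' (C:\Users and C:\ProgramData) are an assumption, since the post does not say where the file was found.

```powershell
# Added triage script, not the original post's or Kaspersky's code.
# Assumes an elevated PowerShell 5.1+ session on the host being checked.
function Invoke-EastWindTriage {
    $findings = New-Object System.Collections.Generic.List[object]

    # Check 1: DLLs larger than 5 MB anywhere under C:\Users\Public.
    Get-ChildItem -Path 'C:\Users\Public' -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 5MB } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Indicator = 'Large DLL in C:\Users\Public'
                Detail    = "$($_.FullName) ($([math]::Round($_.Length / 1MB, 1)) MB)"
            })
        }

    # Check 2: msedgeupdate.dll without a valid Authenticode signature.
    # Search roots are an assumption; widen them if your environment differs.
    foreach ($root in @('C:\Users', 'C:\ProgramData')) {
        Get-ChildItem -Path $root -Filter 'msedgeupdate.dll' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                if ($sig.Status -ne 'Valid') {
                    $findings.Add([pscustomobject]@{
                        Indicator = 'Unsigned msedgeupdate.dll'
                        Detail    = "$($_.FullName) (signature status: $($sig.Status))"
                    })
                }
            }
    }

    # Check 3: msiexec.exe processes, listed with their owning account.
    # One instance per logged-in user, with no installer running, matches the indicator.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'msiexec.exe'" |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            $findings.Add([pscustomobject]@{
                Indicator = 'msiexec.exe running'
                Detail    = "PID $($_.ProcessId) owner $($owner.Domain)\$($owner.User) path $($_.ExecutablePath)"
            })
        }

    return $findings
}

Invoke-EastWindTriage | Format-Table -AutoSize -Wrap
```

Compare the msiexec.exe owners against the sessions shown by `query user`; a large unsigned DLL plus one msiexec.exe per interactive user, with nothing being installed, is the combination the post describes.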

The initial stage of the attack involved phishing emails. These emails carried RAR archive attachments named after the target. Once opened, the archive used a technique called DLL side-loading to drop a backdoor on the system, while simultaneously opening a document to distract the victim.

The backdoor allowed attackers to explore the victim’s filesystem, execute commands, steal data, and deploy additional malware. The attackers used this backdoor to introduce a trojan called 'GrewApacha,' which has been linked to APT31. 

The latest version of GrewApacha, compared to previous versions from 2023, has been improved to use two command servers instead of one. These servers' addresses are stored in base64-encoded strings on GitHub profiles, which the malware accesses. Another tool loaded by the backdoor is a refreshed version of CloudSorcerer. 

This version uses a unique encryption mechanism to ensure it only runs on the targeted system. If run on a different machine, the encryption key will differ, causing the malware to fail. The updated CloudSorcerer now fetches its command-and-control (C2) server addresses from public profiles on Quora and LiveJournal instead of GitHub. 

A third piece of malware introduced during the EastWind attacks is called PlugY. This is a previously unknown backdoor with versatile capabilities, including executing commands, capturing screens, logging keystrokes, and monitoring the clipboard. 

Researchers found that the code used in PlugY has similarities with attacks by the APT27 group, and that a specific library used for C2 communications in PlugY is also used in other Chinese threat actor tools.