Pierluigi Paganini
August 12, 2024
In late July 2024, Kaspersky researchers detected a series of targeted cyberattacks against the Russian government and IT organizations. Kaspersky named this campaign has EastWind.
Threat actors sent phishing emails with RAR archive attachments containing a Windows shortcut to install malware. The attackers sent commands to the malware via Dropbox, leading to the installation of additional Trojans, such as tools from the APT31 cyber espionage group and an updated version of the CloudSorcerer backdoor called GrewApacha.
The CloudSorcerer employed in this campaign was updated since its initial discovery in July 2024, when experts noticed the malware using profiles on the LiveJournal blog and the Q&A site Quora as its initial command server.
“Attackers use the classic DLL sideloading technique: when the desktop.exe file is launched, the malicious VERSION.dll library is loaded into the corresponding process” reads the report published by Kaspersky. “This library is a backdoor packed with the VMProtect tool. When launched, it attempts to contact the Dropbox cloud service using a hardcoded authentication token. Once connected to the cloud, the backdoor reads the commands to be executed from the <computer name>/a.psd file contained in the storage.”
The malware uploads the results of these commands to the cloud storage in the file <computer name>/b.psd.
The new variant of the CloudSorcerer backdoor employed in the EastWind campaign used an utility named GetKey.exe, packed with the VMProtect protector, to encrypt the malicious payload can only be decrypted on the victim’s computer.
The attackers used the results of the utility’s work on their side as a unique key to encrypt the payload file, which can only be decrypted on the victim’s computer, after which they downloaded the following files to the infected computers:
Attackers also employed a previously undetected malware dubbed PlugY, which is downloaded through the CloudSorcerer backdoor. PlugY supports multiple commands and uses three different protocols for C2 communications.
The backdoor can connect to a management server via TCP, UDP, or named pipes. It has capabilities to execute shell commands, monitor the device’s screen, log keystrokes, and capture clipboard content.
“The set of commands that this implant can accept from the server is quite extensive: from working with files and executing shell commands to monitoring actions on the screen and logging keyboard presses and monitoring the clipboard.” continues the report. “Although the implant is still being analyzed, it is highly likely that it was developed using the DRBControl backdoor code (also known as Clambling). This backdoor was described in 2020 by Trend Micro and Talent-Jump Technologies . It was subsequently linked to the APT27 cyber group by Security Joes and Profero . It also bears similarities to PlugX.”
In EastWind campaign, threat actors used sophisticated toolkits to disguise malicious activity within network traffic. Attackers used common network services like GitHub, Dropbox, Quora, and Russian platforms such as LiveJournal and Yandex.Disk as command servers. The campaign involved malware from two China-linked APT groups APT27 and APT31, highlighting how APT groups frequently collaborate and share tools.
Kaspersky shared indicators of compromise for this campaign.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, EastWind)
