A new cyber-espionage actor is targeting government organizations in the Russian Federation with a sophisticated piece of malware that adapts its behavior to the environment it is executing in. Researchers at Kaspersky are tracking the advanced persistent threat (APT) group as "CloudSorcerer." Its operational style resembles that of "CloudWizard," another APT the security vendor spotted last year, also targeting Russian entities. Like CloudWizard, the new group relies heavily on public cloud services for command and control (C2) and other purposes.
It also appears to be going after the same targets. But CloudSorcerer's eponymously named malware is entirely different from CloudWizard's, which makes it more than likely that the former is a new cyber-espionage actor merely using the same tactics as the latter, Kaspersky said in a report this week. "While there are similarities in modus operandi to the previously reported CloudWizard APT, the significant differences in code and functionality suggest that CloudSorcerer is likely a new actor, possibly inspired by previous techniques but developing its own unique tools," Kaspersky said.
CloudSorcerer's primary malware tool performs multiple functions, including covert monitoring and data collection on compromised systems and data exfiltration through legitimate cloud services such as Microsoft Graph, Dropbox and Yandex Cloud. Because this traffic goes to well-known, widely used cloud endpoints, it blends in with ordinary enterprise activity and is harder to flag than connections to attacker-owned infrastructure. CloudSorcerer also uses cloud services to host its comma.
