A series of targeted cyberattacks that started at the end of July 2024, targeting dozens of systems used in Russian government organizations and IT companies, are linked to Chinese hackers of the APT31 and APT 27 groups.
Kaspersky, who discovered the activity, dubbed the campaign “EastWind,” reporting that it employs an updated version of the CloudSorcerer backdoor spotted in a similar cyberespionage campaign from May 2024, also targeting Russian government entities.
It should be noted that the CloudSorcerer activity isn’t bound to Russia, as Proofpoint recorded an attack targeting a U.S.-based think tank in May 2024.
EastWind toolkit
The initial infection relies on phishing emails carrying RAR archive attachments named after the target, which employ DLL side loading to drop a backdoor on the system from Dropbox while opening a document for deception.
The backdoor can navigate the filesystem, execute commands, exfiltrate data, or introduce additional payloads on the compromised machine.
Kaspersky’s observations reveal that the attackers used the backdoor to introduce a trojan named ‘GrewApacha,’ which has been associated with APT31.
The most recent variant of GrewApacha features some improvements compared to the last analyzed version from 2023, including using two command servers instead of one, storing their address in a base64-encoded string on GitHub profiles from where the malware reads it.
Source: Kaspersky
Another malware loaded by the backdoor is a refreshed version of CloudSorcerer packed with VMProtect for evasion.
CloudSorcerer uses an encryption protection mechanism designed to prevent its execution on non-targeted systems by employing a unique key generation process tied to the victim’s machine.
Upon execution, a utility (GetKey.exe) generates a unique four-byte number from the system’s current state and encrypts it using the Windows CryptProtectData function to derive a unique, system-bound ciphertext.
If execution of the malware is attempted on any other machine, the generated key will differ, so the CloudSorcerer payload decryption will fail.
Source: Kaspersky
The new version of CloudSorcerer also uses public profile pages to get its initial C2 address but has now switched from GitHub to using Quora and the Russian social media network LiveJournal for this purpose.
The third implant seen in the EastWind attacks, introduced through CloudSorcered, is PlugY, a previously…
Click Here to Read the Full Original Article at BleepingComputer…