
EastWind campaign: new CloudSorcerer attacks on government organizations in Russia

Threat Actors: APT31, APT27
Campaign Overview: Targeted Russian government organizations and IT companies using phishing emails with malicious shortcut attachments; dubbed the EastWind campaign.
Target Regions (or Victims): Russian government organizations and IT companies; a similar attack was reported against a US organization.
Methodology: Spear-phishing emails with RAR archives containing malicious shortcuts; DLL sideloading; use of Dropbox, GitHub, LiveJournal, Quora, and Yandex.Disk for C2.
Products Targeted: Microsoft software (e.g., msedgeupdate.exe), Dropbox cloud, GitHub profiles for C2 communication.
Malware Reference:
– GrewApacha: a RAT used by APT31 since 2021.
– CloudSorcerer: updated backdoor using LiveJournal and Quora for C2.
– PlugY: overlaps with APT27's tools.
Tools Used: Dropbox, VMProtect obfuscator, schtasks utility, CryptProtectData function, renamed Microsoft-signed binaries for DLL sideloading.
Vulnerabilities Exploited: No explicit software vulnerabilities; relied on human behavior and phishing tactics.
TTPs: DLL sideloading, C2 communication through popular platforms, scheduled tasks for persistence, modular backdoors with extensive command capabilities.
Attribution:
– APT31: associated with the GrewApacha and CloudSorcerer malware.
– APT27: code similarity in the PlugY implant; collaborative use of malware and TTPs.
Recommendations:
– Monitor the file system for large DLL files (> 5 MB) in C:\Users\Public.
– Investigate Dropbox traffic patterns.
– Check for msiexec.exe processes tied to the CloudSorcerer backdoor.
– Detect named pipes with \\.\PIPE\Y.
– Use IoCs for detection of each malware.
Source: Securelist
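The first and fourth recommendations above (oversized DLLs in C:\Users\Public and the \\.\PIPE\Y named pipe) can be turned into a small host check. The script below is an added example written for this summary; it is not code from Securelist or from the original article. It assumes the 5 MB threshold stated in the recommendations, treats the pipe indicator as an exact match on the pipe name "Y", and builds its own constructed directory tree for a self-test so it runs on any platform (the live pipe enumeration only works on Windows).

```python
"""Host-side checks for two EastWind detection recommendations:
   1. DLL files larger than 5 MB under C:\\Users\\Public
   2. a named pipe called \\\\.\\PIPE\\Y
Added example for this summary; not the article's or Kaspersky's code."""
import os
import sys
import tempfile
from pathlib import Path

# Threshold taken from the recommendation "large DLL files (> 5 MB)".
SIZE_THRESHOLD = 5 * 1024 * 1024

# Pipe names to flag; the page names \\.\PIPE\Y, so the watch list is ("Y",).
WATCHED_PIPES = ("Y",)


def find_large_dlls(root, threshold=SIZE_THRESHOLD):
    """Return paths of *.dll files under `root` whose size exceeds `threshold` bytes."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dll"):
                continue
            path = Path(dirpath) / name
            try:
                if path.stat().st_size > threshold:
                    hits.append(str(path))
            except OSError:
                # File vanished or is locked; skip rather than abort the sweep.
                continue
    return sorted(hits)


def suspicious_pipes(pipe_names, watch=WATCHED_PIPES):
    """Return the entries of `pipe_names` that exactly match a watched pipe name."""
    return [name for name in pipe_names if name in watch]


def list_named_pipes():
    """Enumerate live named pipes on Windows; return [] elsewhere."""
    if sys.platform != "win32":
        return []
    return os.listdir(r"\\.\pipe\\")


def demo_on_constructed_tree():
    """Self-test fixture (constructed data): one DLL just over the threshold,
    one tiny DLL, one large non-DLL. Returns the basenames the sweep flags."""
    with tempfile.TemporaryDirectory() as tmp:
        public = Path(tmp) / "Public"
        public.mkdir()
        big = public / "update.dll"
        with open(big, "wb") as fh:
            fh.seek(SIZE_THRESHOLD)   # sparse write: final size = threshold + 1
            fh.write(b"\0")
        (public / "small.dll").write_bytes(b"MZ")
        with open(public / "big.bin", "wb") as fh:
            fh.seek(SIZE_THRESHOLD)
            fh.write(b"\0")
        return [os.path.basename(p) for p in find_large_dlls(tmp)]


if __name__ == "__main__":
    root = r"C:\Users\Public" if sys.platform == "win32" else "."
    for hit in find_large_dlls(root):
        print("large DLL:", hit)
    for pipe in suspicious_pipes(list_named_pipes()):
        print("watched named pipe present:", pipe)
    print("self-test flagged:", demo_on_constructed_tree())
```

Run it as a scheduled job on endpoints; a hit on either check is a lead to triage with the article's IoCs, not a verdict on its own, since legitimate installers also drop large DLLs.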

Read full article: https://securelist.com/eastwind-apt-campaign/113345/

Disclaimer: The above summary has been generated by an AI language model
