EastWind Campaign: New CloudSorcerer Attacks Target Russian Gov Using APT31 and APT27 Tactics
Kaspersky Labs has uncovered a series of sophisticated cyberattacks targeting Russian government organizations and IT companies, now dubbed the “EastWind” campaign. The attacks, which began in late July 2024, have been linked to Chinese-speaking threat groups APT31 and APT27, known for their advanced persistence and stealth.
The attackers employed spear-phishing emails with malicious shortcut attachments to infiltrate targeted systems. Once a victim clicked on the attachment, a carefully orchestrated sequence of events unfolded:
- Malicious Shortcuts: These shortcuts initiated commands that moved malicious files, including a backdoor disguised as a legitimate DLL, into key system directories.
- Dropbox as a Command and Control (C2) Hub: The attackers used Dropbox to issue commands and manage infected devices, which makes detection harder because traffic to a widely used, legitimate service blends into normal network activity.
- CloudSorcerer Backdoor: A key element of the EastWind campaign was the updated CloudSorcerer backdoor, first detailed by Kaspersky in early July 2024. This version now cleverly uses profiles on the Russian social network LiveJournal and the global Q&A platform Quora as initial C2 servers, further complicating detection.
The EastWind campaign stands out for its deployment of advanced malware:
- GrewApacha: This Remote Access Trojan (RAT), linked to APT31, has been in use since 2021. The latest version observed during these attacks now communicates with two C2 servers, one of which is disguised as a GitHub profile.
- PlugY Implant: Unveiled through Kaspersky’s analysis, this previously unknown implant boasts extensive capabilities, from keystroke logging to clipboard monitoring. Its code bears striking similarities to the DRBControl backdoor, associated with APT27, hinting at shared tactics between the two groups.
Both the GrewApacha and CloudSorcerer malware relied on a “sideloading triad” technique, where legitimate executables were used to load malicious libraries into system processes. This method allows the malware to operate under the radar, blending in with legitimate system activity.
To counter these threats, Kaspersky advises organizations to monitor for unusual activity such as large DLL files in public directories, regular connections to cloud services like Dropbox, and suspicious named pipes on hosts.
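A starting point for turning that advice into a hunting check, as an added example that is not Kaspersky's code: the thresholds, allow-lists, domain list and sample telemetry below are assumptions and constructed data, not indicators from the report.

```python
import re

# Assumed thresholds and allow-lists (not from the Kaspersky report); tune per environment.
PUBLIC_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
LARGE_DLL_BYTES = 5 * 1024 * 1024   # 5 MiB: legitimate DLLs rarely land this big in these paths
CLOUD_C2_DOMAINS = ("dropbox.com", "dropboxapi.com", "livejournal.com", "quora.com", "github.com")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe"}
PIPE_ALLOWLIST = {"lsass", "ntsvcs", "srvsvc", "wkssvc", "spoolss", "samr", "epmapper"}
PIPE_RE = re.compile(r"^\\\\\.\\pipe\\([A-Za-z0-9_.\-]+)$")

def check_file(path: str, size_bytes: int):
    """Flag a large DLL staged in a public directory (sideloading payload candidate)."""
    p = path.lower()
    if p.endswith(".dll") and p.startswith(PUBLIC_DIRS) and size_bytes >= LARGE_DLL_BYTES:
        return f"large DLL in public dir: {path} ({size_bytes // (1024 * 1024)} MiB)"
    return None

def check_dns(process: str, domain: str):
    """Flag a non-browser process resolving one of the cloud services EastWind used for C2."""
    d = domain.lower()
    if any(d == c or d.endswith("." + c) for c in CLOUD_C2_DOMAINS) and process.lower() not in BROWSERS:
        return f"non-browser process {process} contacted cloud C2 candidate {domain}"
    return None

def check_pipe(name: str):
    """Flag named pipes that are neither allow-listed nor human-readable (long hex names)."""
    m = PIPE_RE.match(name)
    if not m:
        return f"malformed pipe name: {name!r}"
    base = m.group(1).lower()
    if base in PIPE_ALLOWLIST:
        return None
    return f"suspicious named pipe: {name}" if re.fullmatch(r"[0-9a-f]{8,}", base) else None

def hunt(files, dns, pipes):
    """Run the three EastWind-style checks over host telemetry and return the findings."""
    out = [check_file(p, s) for p, s in files]
    out += [check_dns(proc, dom) for proc, dom in dns]
    out += [check_pipe(n) for n in pipes]
    return [f for f in out if f]

# Constructed sample telemetry (not real indicators) to exercise the checks.
SAMPLE_FILES = [("C:\\Users\\Public\\msvcr100.dll", 11 * 1024 * 1024),
                ("C:\\Windows\\System32\\kernel32.dll", 700_000), ("C:\\Users\\Public\\notes.txt", 9_000_000)]
SAMPLE_DNS = [("helper.exe", "api.dropboxapi.com"), ("chrome.exe", "www.dropbox.com"),
              ("explorer.exe", "update.microsoft.com")]
SAMPLE_PIPES = ["\\\\.\\pipe\\lsass", "\\\\.\\pipe\\3f9a1c7e2b", "\\\\.\\pipe\\srvsvc"]
```

Feed `hunt()` with file inventory, DNS and named-pipe records from your EDR or Sysmon export; it returns one line per finding for triage.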