EastWind campaign: new CloudSorcerer attacks on government organizations in Russia
Essential information
- Published: 14/08/2024 15:32
- Modified: 14/08/2024 15:45
- Tags: 2024-08-14, cloudsorcerer, dll sideloading, grewapacha, phishing, plugy, rat, spyware
- Related entities: 5 observables, 1 intrusion set (APT), 11 techniques (MITRE), 2 malware, 1 other
Description
Kaspersky detected an ongoing targeted cyberattack campaign, dubbed EastWind, against Russian government organizations and IT companies. The attackers used phishing emails carrying malicious shortcut files to deliver malware that communicated through Dropbox. They used tools associated with APT31 and deployed an updated version of the CloudSorcerer backdoor, which now uses LiveJournal and Quora profiles as its initial C2 servers. They also deployed a new implant, PlugY, which resembles the DRBControl backdoor linked to APT27.