A Deeper Insight Into the Cloudwizard APT’s Activity Revealed a Long-Running Activity
Cyber Security Threat Summary:
Researchers warn of a threat actor known as CloudWizard APT, which is actively targeting organizations operating in the Russo-Ukraine conflict region. In March 2023, Kaspersky reearchers dicovered the new APT group, referred to as Bad Magic or Red Stinger, engaging in cyber attacks against entities in the same area. The attackers utilized PowerMagic and CommonMagic implants in their operations. During their investigation, the researchers discovered another set of highly advanced malicious activities linked to the same threat actor, demonstrating even greater sophistication.
"Kaspersky attributed the October campaign to a new APT group operating in the area of Russo-Ukrainian conflict and tracked as Bad Magic. The researchers noticed that TTPs observed during this campaign have no direct link to any known campaigns. PowerMagic is a PowerShell backdoor that executes arbitrary commands sent by C2, then it exfiltrates data to cloud services like Dropbox and Microsoft OneDrive. “When started, the backdoor creates a mutex – WinEventCom. Then, it enters an infinite loop communicating with its C&C server, receiving commands and uploading results in response. It uses OneDrive and Dropbox folders as transport, and OAuth refresh tokens as credentials.” reads the report published by Kaspersky. The threat actor likely used the PowerMagic backdoor to deliver the modular CommonMagic framework. Each module of the CommonMagic framework is used to perform a certain task, such as communicating with the C2 server, encrypting and decrypting C2 traffic, and executing plugins. Back to nowadays, Kaspersky analyzed historical telemetry data and was able to identify multiple installers associated with the CloudWizard framework that were used from 2017 to 2020. Further analysis revealed that the actor behind the above operations has been active since at least 2008. This means that the threat actor was able to avoid detection for more than 15 years" (SecurityAffairs, 2023).
Investigations began after the detection of suspicious malware running as a Winos service called syncobjsup. The malware drops an additional file named mods[.]lrc, which contains three DLLs and a JSON configuration specifying their functionality. The module responsible for internet connectivity encrypts data for C2 communications. It supports four communication types and offers integration with cloud storage services. OneDrive is primarily used as the main cloud storage, with Dropbox and Google Drive serving as backup options. The module's configuration includes OAuth tokens that are used for cloud storage authentication.
Security Officer Comments:
A cluster of victims targeted by the CloudWizard APT group has been identified in regions of Ukraine, including Donetsk, Lugansk, Crimea, as well as central and western Ukraine. The APT group focused on individuals, diplomatic organizations, and research institutions involved in the Russo-Ukranian conflict. According to researchers, spear phishing is believed to be the primary initial attack vector used by the threat actors. According to researcher Georgy Kucherin, the threat actor behind these operations has exhibited a persistent commitment to cyber espionage, continuously improving their tools are targeting organizations of interest for over fifteen years. It's anticipated that the threat actor will continue their operations in the foreseeable future.
Suggested Correction(s):
Researchers at SecureList have published IOCs associated with the CloudWizard APT group that can be used for detection:
https://securelist.com/cloudwizard-apt/109722/
Link(s):
https://securityaffairs.com/146549/apt/cloudwizard-apt-russo-ukrainian-conflict.html