EastWind Campaign Targets Russian Government and IT Organizations via CloudSorcerer

In a new wave of cyberattacks, Russian government entities and IT organizations are being targeted by a sophisticated spear-phishing campaign known as EastWind. This campaign delivers a series of backdoors and trojans, exploiting Windows systems through a malicious Windows shortcut (LNK) file hidden in RAR archive attachments. When unsuspecting users open these files, they trigger a complex infection sequence that ultimately leads to the deployment of several dangerous malware variants, including GrewApacha, an updated version of the CloudSorcerer backdoor, and a newly identified implant named PlugY.

The Infection Process

The EastWind campaign begins with a seemingly harmless LNK file. However, this file is anything but benign. It leverages DLL side-loading techniques to execute a malicious DLL file, using Dropbox as a communication channel. Once the infection is active, it conducts reconnaissance and downloads additional payloads.

Among the deployed malware is GrewApacha, a backdoor previously associated with the China-linked APT31 group. This malware utilizes a compromised GitHub profile to store a Base64-encoded string, which serves as the command-and-control (C2) server.

Another key component of this attack is CloudSorcerer, a highly advanced cyber espionage tool. This backdoor facilitates covert monitoring, data collection, and exfiltration by leveraging popular cloud services such as Microsoft Graph, Yandex Cloud, and Dropbox. It employs an encryption-based protection mechanism, ensuring that the malware activates only on the intended victim's machine by generating a unique key derived from the Windows GetTickCount() function.

The final piece of malware observed in this campaign is PlugY, a fully-featured backdoor capable of executing shell commands, monitoring the victim's screen, logging keystrokes, and capturing clipboard content. PlugY connects to a management server using TCP, UDP, or named pipes and exhibits similarities with a known backdoor called DRBControl, attributed to China-nexus threat actors like APT27 and APT41.

Mitigation and Removal

Given the sophistication of the EastWind campaign, mitigating and removing these threats requires a multi-layered approach:

  1. Avoid Opening Suspicious Files: Do not open unexpected or suspicious attachments, especially if they come in the form of RAR archives or LNK files. If you receive such a file, verify its legitimacy with the sender before proceeding.
  2. Use Advanced Antivirus Solutions: Employ an updated antivirus solution capable of detecting and removing advanced threats like GrewApacha, CloudSorcerer, and PlugY. Run a full system scan and remove any detected threats.
  3. Update and Patch Systems: Ensure that your operating system, software, and security tools are up to date with the latest patches. This helps close vulnerabilities that campaigns like EastWind can exploit.
  4. Monitor Network Traffic: Regularly monitor network traffic for unusual activity, especially connections to unknown C2 servers or cloud services like Dropbox, Microsoft Graph, and Yandex Cloud. Suspicious traffic should be investigated and blocked.
  5. Isolate Infected Systems: If an infection is detected, immediately isolate the affected system from the network to prevent further spread. Conduct a thorough investigation to identify and remove all traces of the malware.
  6. Strengthen Email Security: Implement robust email security measures, including spam filters, email authentication protocols, and employee training to recognize phishing attempts.
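As an added example, not code from the original article, here is the kind of check that step 4 describes: process-attributed network events are matched against the cloud services the campaign abuses, and a connection from a process that is not an expected client of that service is flagged for investigation. The log format, the sample events and the allow-list of expected processes are assumptions to adapt to your own EDR or proxy telemetry.

```python
"""Flag connections to Dropbox, Microsoft Graph or Yandex Cloud that come
from a process not expected to talk to that service.

Constructed example: log format and allow-list are assumptions."""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts host proc dst")

# Constructed sample of process-attributed network events (not real telemetry).
SAMPLE_LOG = """\
2024-08-14T10:01:02Z host=WS01 proc=chrome.exe dst=api.dropboxapi.com
2024-08-14T10:01:09Z host=WS01 proc=Dropbox.exe dst=content.dropboxapi.com
2024-08-14T10:02:15Z host=WS01 proc=outlook.exe dst=graph.microsoft.com
2024-08-14T10:03:44Z host=WS01 proc=WinRAR.exe dst=api.dropboxapi.com
2024-08-14T10:04:01Z host=WS02 proc=msiexec.exe dst=cloud-api.yandex.net
2024-08-14T10:05:30Z host=WS02 proc=teams.exe dst=graph.microsoft.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)$")

# Services named in the article as C2 channels, keyed by domain suffix, mapped to
# the processes assumed to use them legitimately (tune this list to your fleet).
WATCHED = {
    "dropboxapi.com": {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "graph.microsoft.com": {"outlook.exe", "teams.exe", "onedrive.exe", "msedge.exe"},
    "cloud-api.yandex.net": {"chrome.exe", "msedge.exe", "firefox.exe"},
}


def parse_events(text):
    """Parse log lines into Event tuples; process and destination are lower-cased."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["host"], m["proc"].lower(), m["dst"].lower()))
    return events


def watched_service(dst):
    """Return the watched service suffix that dst belongs to, or None."""
    for suffix in WATCHED:
        if dst == suffix or dst.endswith("." + suffix):
            return suffix
    return None


def suspicious_events(text):
    """Return (host, process, destination) for connections to a watched service
    made by a process outside that service's expected-client list."""
    hits = []
    for ev in parse_events(text):
        svc = watched_service(ev.dst)
        if svc and ev.proc not in WATCHED[svc]:
            hits.append((ev.host, ev.proc, ev.dst))
    return hits
```

A hit is a lead, not a verdict: the flagged process and its loaded modules should be examined on the host, since side-loaded DLLs run under an otherwise legitimate process name.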

The EastWind campaign is a stark reminder of the evolving tactics used by cybercriminals to breach defenses and steal sensitive information. By remaining vigilant and employing a comprehensive security strategy, organizations can protect themselves from this and other advanced threats. Ensure your systems are fortified against these backdoors and trojans, and take proactive steps to detect and remove any signs of infection.

August 14, 2024