In May 2024, we discovered a new advanced persistent threat (APT) targeting Russian government entities that we dubbed CloudSorcerer. It’s a sophisticated cyberespionage tool used for stealth monitoring, data collection, and exfiltration via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure. The malware leverages cloud resources as its command and control (C2) servers, accessing them through APIs using authentication tokens. Additionally, CloudSorcerer uses GitHub as its initial C2 server.
CloudSorcerer’s modus operandi is reminiscent of the CloudWizard APT that we reported on in 2023. However, the malware code is completely different. We presume that CloudSorcerer is a new actor that has adopted a similar method of interacting with public cloud services.
Our findings in a nutshell:
- CloudSorcerer APT uses public cloud services as its main C2s.
- The malware interacts with the C2 using special commands and decodes them using a hardcoded charcode table.
- The actor uses Microsoft COM object interfaces to perform malicious operations.
- CloudSorcerer acts as separate modules (communication module, data collection module) depending on which process it is running in, but executes from a single executable.
Technical details
Initial start-up
MD5 | f701fc79578a12513c369d4e36c57224 |
SHA1 | f1a93d185d7cd060e63d16c50e51f4921dd43723 |
SHA256 | e4b2d8890f0e7259ee29c7ac98a3e9a5ae71327aaac658f84072770cf8ef02de |
Link time | N/A |
Compiler | N/A |
File type | Windows x64 executable |
File size | 172 KB |
File name | N/A |
The malware is executed manually by the attacker on an already infected machine. It is initially a single Portable Executable (PE) binary written in C. Its functionality varies depending on the process in which it is executed. Upon execution, the malware calls the GetModuleFileNameA function to determine the name of the process it is running in. It then compares this process name with a set of hardcoded strings: browser, mspaint.exe, and msiexec.exe. Depending on the detected process name, the malware activates different functions:
- If the process name is mspaint.exe, CloudSorcerer functions as a backdoor module, and performs activities such as data collection and code execution.
- If the process name is msiexec.exe, CloudSorcerer initiates its C2 communication module.
- Lastly, if the process name contains the string "browser" or does not match any of the specified names, the malware attempts to inject shellcode into either the msiexec.exe, mspaint.exe, or explorer.exe process before terminating the initial process.
The shellcode used by CloudSorcerer for initial process migration shows fairly standard functionality:
- Parse Process Environment Block (PEB) to identify offsets to required Windows core DLLs;
- Identify required Windows APIs by hashes using the ROR14 algorithm;
- Map CloudSorcerer code into the memory of one of the targeted processes and run it in a separate thread.
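The API-hashing step above is what an analyst has to reverse when triaging such a stub: the shellcode carries 32-bit constants, not names. The following is an added example, not CloudSorcerer's own code: the report says the hashes are ROR14 but does not give the exact variant (seed, case handling, whether the DLL name is folded in), so this implements the plain per-export form with the rotation count as a parameter, and shows how a hash pulled from a disassembly is mapped back to a name by hashing a constructed candidate list of exports.

```python
"""ROR-N hashing of Windows API names, as used by position-independent shellcode.

Added example, not CloudSorcerer's own code. The rotation count and the
hash structure (h = ror(h, N) + byte over the export name, seed 0) are the
common form; the sample's exact variant is not given in the report.
"""
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits (x86 ROR semantics)."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: str, rotation: int = 14, seed: int = 0) -> int:
    """h = ror32(h, rotation) + byte, over every byte of the export name."""
    h = seed
    for b in name.encode("ascii"):
        h = (ror32(h, rotation) + b) & MASK32
    return h


def build_table(exports: Iterable[str], rotation: int = 14) -> Dict[int, str]:
    """Precompute hash -> name for a candidate export list."""
    table: Dict[int, str] = {}
    for name in exports:
        h = api_hash(name, rotation)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {name!r} vs {table[h]!r}")
        table[h] = name
    return table


def resolve(hash_value: int, exports: Iterable[str], rotation: int = 14) -> Optional[str]:
    """Name behind `hash_value`, or None if no candidate hashes to it."""
    return build_table(exports, rotation).get(hash_value & MASK32)


# Constructed candidate list: exports a process-migration stub typically needs.
CANDIDATES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualAllocEx",
    "WriteProcessMemory", "CreateRemoteThread", "CreateThread", "OpenProcess",
    "NtCreateSection", "NtMapViewOfSection", "ExitThread",
]


def resolve_all(hashes: Iterable[int], exports: Iterable[str] = CANDIDATES,
                rotation: int = 14) -> Dict[int, Optional[str]]:
    """Resolve a batch of hashes pulled from a disassembly in one pass."""
    table = build_table(exports, rotation)
    return {h: table.get(h & MASK32) for h in hashes}


if __name__ == "__main__":
    wanted = [api_hash(n) for n in ("VirtualAllocEx", "CreateRemoteThread")]
    for h, name in resolve_all(wanted + [0xDEADBEEF]).items():
        print(f"{h:08x} -> {name}")
```

If the hashes in a real sample do not resolve against a full export list for kernel32.dll and ntdll.dll, try rotation 13 and the variant that adds the hash of the upper-cased module name; both are common in loaders, and the rotation parameter above is there for exactly that.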
All data exchange between modules is organized through Windows pipes, a mechanism for inter-process communication (IPC) that allows data to be transferred between processes.
CloudSorcerer backdoor module
The backdoor module begins by collecting, in a separate thread, various system information about the victim machine. The malware collects:
- Computer name;
- User name;
- Windows subversion information;
- System uptime.
All the collected data is stored in a specially created structure. Once the information gathering is complete, the data is written to the named pipe \\.\PIPE\[1428] connected to the C2 module process. It is important to note that all data exchange is organized using well-defined structures with different purposes, such as backdoor command structures and information gathering structures.
Next, the malware attempts to read data from the pipe \\.\PIPE\[1428]. If successful, it parses the incoming data into the COMMAND structure and reads a single byte from it, which represents a COMMAND_ID.
Depending on the COMMAND_ID, the malware executes one of the following actions:
- 0x1 – Collect information about hard drives in the system, including logical drive names, capacity, and free space.
- 0x2 – Collect information about files and folders, such as name, size, and type.
- 0x3 – Execute shell commands using the ShellExecuteExW API.
- 0x4 – Copy, move, rename, or delete files.
- 0x5 – Read data from any file.
- 0x6 – Create and write data to any file.
- 0x8 – Receive shellcode from the pipe and inject it into any process by allocating memory and creating a new thread in the remote process.
- 0x9 – Receive a PE file, create a section and map it into the remote process.
- 0x7 – Run additional advanced functionality.
When the malware receives a 0x7 COMMAND_ID, it runs one of the additional tasks described below:
Command ID | Operation | Description |
0x2307 | Create process | Creates any process using COM interfaces; used for running downloaded binaries. |
0x2407 | Create process as dedicated user | Creates any process under a dedicated username. |
0x2507 | Create process with pipe | Creates any process with inter-process communication support, to exchange data with the created process. |
0x3007 | Clear DNS cache | Clears the DNS cache. |
0x2207 | Delete task | Deletes any Windows task using COM object interfaces. |
0x1E07 | Open service | Opens a Windows service and reads its status. |
0x1F07 | Create new task | Creates a new Windows task and sets up a trigger for execution using COM objects. |
0x2007 | Get tasks | Gets the list of all Windows tasks using the COM object interface. |
0x2107 | Stop task | Stops any task using the COM object interface. |
0x1D07 | Get services | Gets the list of all Windows services. |
0x1907 | Delete value from reg | Deletes any value from any Windows registry key selected by the actor. |
0x1A07 | Create service | Creates a new Windows service. |
0x1B07 | Change service | Modifies any Windows service configuration. |
0x1807 | Delete reg key | Deletes any Windows registry key. |
0x1407 | Get TCP/UDP update table | Gets information from the Windows TCP/UDP update table. |
0x1507 | Collect processes | Collects all running processes. |
0x1607 | Set reg key value | Modifies any Windows registry key. |
0x1707 | Enumerate reg key | Enumerates Windows registry keys. |
0x1307 | Enumerate shares | Enumerates Windows net shares. |
0x1007 | Set net user info | Sets information about a user account using NetUserSetInfo, which allows modifying user account properties on a local or remote machine. |
0x1107 | Get net members | Gets the members of a local network group. |
0x1207 | Add member | Adds a user to a local network group. |
0xE07 | Get net user info | Collects information about a network user. |
0xB07 | Enumerate net users | Enumerates network users. |
0xC07 | Add net user | Adds a new network user. |
0xD07 | Delete user | Deletes a network user. |
0x907 | Cancel connection | Cancels an existing network connection, i.e. disconnects network resources such as shared directories. |
0x507 | File operations | Copies, moves, or deletes any file. |
0x607 | Get net info | Collects information about the network and interfaces. |
0x707 | Enumerate connections | Enumerates all network connections. |
0x807 | Map network | Maps a remote network drive. |
0x407 | Read file | Reads any file as text strings. |
0x107 | Enumerate RDP | Enumerates all RDP sessions. |
0x207 | Run WMI | Runs any WMI query using COM object interfaces. |
0x307 | Get files | Creates a list of files and folders. |
All the collected information or results of performed tasks are added to a specially created structure and sent to the C2 module process via a named pipe.
C2 module
The C2 module starts by creating a new Windows pipe named \\.\PIPE\[1428]. Next, it configures the connection to the initial C2 server by providing the necessary arguments to a sequence of Windows API functions responsible for internet connections:
- InternetCrackUrlA;
- InternetSetOptionA;
- InternetOpenA;
- InternetConnectA;
- HttpOpenRequestA;
- HttpSendRequestA.
The malware sets the request type (“GET”), configures proxy information, sets up hardcoded headers, and provides the C2 URL.
The malware then connects to the initial C2 server, which is a GitHub page located at https://github[.]com/alinaegorovaMygit. The malware reads the entire web page into a memory buffer using the InternetReadFile call.
The GitHub profile contains forks of three public projects that have not been modified or updated; their only purpose is to make the page appear legitimate and active. The author (bio) section of the profile, however, displays an interesting string:
We found data that looks like a hex string, starting and ending with the same byte pattern: "CDOY". After the malware downloads the entire GitHub HTML page, it parses it, searching specifically for the character sequence "CDOY". When it finds it, it copies all the characters up to the second "CDOY" delimiter and stores them in a memory buffer. Next, the malware converts these hex characters into bytes. It then decodes the result using a hardcoded charcode substitution table: each byte of the parsed data acts as an index into the charcode table, pointing to the byte that replaces it, thus forming a new byte array.
Alternatively, instead of connecting to GitHub, CloudSorcerer also tries to get the same data from hxxps://my.mail[.]ru/, a Russian cloud-based photo hosting service. The name of the photo album contains the same hex string.
The first decoded byte of the hex string is a magic number that tells the malware which cloud service to use. For example, if the byte is “1”, the malware uses Microsoft Graph cloud; if it is “0”, the malware uses Yandex cloud. The subsequent bytes form a string of a bearer token that is used for authentication with the cloud’s API.
Depending on the magic number, the malware creates a structure and sets an offset to a virtual function table that contains a subset of functions to interact with the selected cloud service.
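The extraction, hex conversion, table substitution and magic-byte dispatch described above fit in a short decoder. The following is an added example, not the malware's code: the real charcode table is hardcoded in the sample and not reproduced in the report, so the table here is a seeded random permutation that merely stands in for it; the profile page and the bearer token are constructed for the example; and the magic values 0 (Yandex Cloud) and 1 (Microsoft Graph) are the ones the report gives, while the value used for Dropbox is not stated, so anything else is reported as unknown. An encoder is included so that a lab page can be produced to exercise the decoder.

```python
"""Decoder for the CDOY-delimited C2 configuration described above.

Added example, not CloudSorcerer's code. STAND-IN table, sample page and
token are constructed; the real substitution table is not in the report.
"""
import random
import re
from typing import Dict, Optional

DELIM = "CDOY"
SERVICES = {0: "Yandex Cloud", 1: "Microsoft Graph"}  # Dropbox's value is not given


def make_stand_in_table(seed: int = 1428) -> bytes:
    """A 256-entry byte permutation playing the role of the hardcoded table."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return bytes(table)


def invert_table(table: bytes) -> bytes:
    inv = bytearray(256)
    for i, v in enumerate(table):
        inv[v] = i
    return bytes(inv)


def extract_blob(html: str) -> Optional[str]:
    """Text between the first and second CDOY markers, as the malware copies it.

    'O' and 'Y' are not hex digits, so the marker can never occur inside the
    hex payload itself and a plain find/find is enough.
    """
    start = html.find(DELIM)
    if start < 0:
        return None
    start += len(DELIM)
    end = html.find(DELIM, start)
    return None if end < 0 else html[start:end]


def decode_config(html: str, table: Optional[bytes] = None) -> Dict[str, object]:
    """Locate, hex-decode and de-substitute the blob; split magic byte / token."""
    table = table if table is not None else make_stand_in_table()
    blob = extract_blob(html)
    if blob is None:
        raise ValueError("no CDOY-delimited payload in page")
    if len(blob) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", blob):
        raise ValueError("payload between markers is not a hex string")
    raw = bytes.fromhex(blob)
    decoded = bytes(table[b] for b in raw)  # each byte indexes the table
    if not decoded:
        raise ValueError("empty payload")
    magic, token = decoded[0], decoded[1:]
    return {
        "magic": magic,
        "service": SERVICES.get(magic, f"unknown (0x{magic:02x})"),
        "token": token.decode("ascii", errors="replace"),
    }


def encode_config(magic: int, token: str, table: Optional[bytes] = None) -> str:
    """Inverse transform, so a lab page can be produced for the decoder."""
    table = table if table is not None else make_stand_in_table()
    inv = invert_table(table)
    raw = bytes([magic]) + token.encode("ascii")
    return DELIM + bytes(inv[b] for b in raw).hex().upper() + DELIM


# Constructed stand-in for the profile page; the token is a dummy string.
DUMMY_TOKEN = "dummy-bearer-token-not-a-real-credential"


def sample_page(magic: int = 1, token: str = DUMMY_TOKEN) -> str:
    bio = encode_config(magic, token)
    return (
        "<html><body><div class=\"p-note user-profile-bio\">"
        f"<div>{bio}</div></div></body></html>"
    )


if __name__ == "__main__":
    print(decode_config(sample_page()))
```

To use this against a real sample, replace make_stand_in_table() with the 256-byte table dumped from the binary; everything else in the pipeline (find the markers, hex-decode, index the table, split off the first byte) is as the report describes it.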
Next, the malware connects to the cloud API by:
- Setting up the initial connection using InternetOpenA and InternetConnectA;
- Setting up all the required headers and the authorization token received from the GitHub page;
- Configuring the API paths in the request;
- Sending the request using HttpSendRequestExA and checking for response errors;
- Reading data from the cloud using InternetReadFile.
The malware then creates two separate threads – one responsible for receiving data from the Windows pipe and another responsible for sending data to it. These threads facilitate asynchronous data exchange between the C2 and backdoor modules.
Finally, the C2 module interacts with the cloud services by reading data, receiving encoded commands, decoding them using the character code table, and sending them via the named pipe to the backdoor module. Conversely, it receives the command execution results or exfiltrated data from the backdoor module and writes them to the cloud.
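The behaviour of the two modules leaves a small set of host artifacts: a named pipe with a fixed name, mspaint.exe and msiexec.exe doing things those binaries never do, and a remote thread created in one of the migration targets. The following hunting logic is an added example, not part of the original report. It runs three rules over constructed Sysmon-shaped events (field names follow Sysmon's PipeEvent, NetworkConnect and CreateRemoteThread events; the records are made up for this example and are not real telemetry). How a pipeline spells the pipe name is an assumption, so rule R1 compares only the final path component with "[1428]".

```python
"""Hunting rules for the CloudSorcerer host artifacts described above.

Added example, not part of the original report. Sample events are constructed.
"""
from typing import Dict, List, Optional

Event = Dict[str, object]

# Artifacts from the report.
HOST_PROCESSES = {"mspaint.exe", "msiexec.exe"}       # backdoor / C2 module hosts
MIGRATION_TARGETS = HOST_PROCESSES | {"explorer.exe"}  # where the stub injects
PIPE_NAME = "[1428]"
C2_HOSTS = {
    "github.com",              # initial C2: profile bio carries the config
    "my.mail.ru",              # fallback copy of the same config
    "cloud-api.yandex.net",    # Yandex Cloud
    "graph.microsoft.com",     # Microsoft Graph
    "content.dropboxapi.com",  # Dropbox
}


def _leaf(path: str) -> str:
    """Last path component, lower-cased, for both image and pipe names."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_pipe(ev: Event) -> Optional[str]:
    """R1: EID 17/18, the inter-module pipe name is specific to this malware."""
    if ev.get("EventID") in (17, 18) and _leaf(str(ev.get("PipeName", ""))) == PIPE_NAME:
        return f"R1: {_leaf(str(ev.get('Image', '')))} used pipe {PIPE_NAME}"
    return None


def rule_network(ev: Event) -> Optional[str]:
    """R2: EID 3, a module host process talking to a C2 or cloud endpoint.

    mspaint.exe has no business on the network at all; msiexec.exe legitimately
    fetches packages, so the destination set is what makes the match worth it.
    """
    image = _leaf(str(ev.get("Image", "")))
    host = str(ev.get("DestinationHostname", "")).lower().rstrip(".")
    if ev.get("EventID") == 3 and image in HOST_PROCESSES and host in C2_HOSTS:
        return f"R2: {image} connected to {host}"
    return None


def rule_inject(ev: Event) -> Optional[str]:
    """R3: EID 8, a remote thread created in a migration target by a process
    that is not itself one (the report's initial "browser"-named host)."""
    if ev.get("EventID") != 8:
        return None
    src = _leaf(str(ev.get("SourceImage", "")))
    dst = _leaf(str(ev.get("TargetImage", "")))
    if dst in MIGRATION_TARGETS and src not in MIGRATION_TARGETS:
        return f"R3: {src} created a remote thread in {dst}"
    return None


RULES = (rule_pipe, rule_network, rule_inject)


def hunt(events: List[Event]) -> List[Dict[str, str]]:
    """Run every rule over every event; one alert per (event, rule) hit."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append({"host": str(ev.get("Computer", "?")), "rule": hit})
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS: List[Event] = [
    {"Computer": "WS01", "EventID": 8, "SourceImage": r"C:\Program Files\Browser\browser.exe",
     "TargetImage": r"C:\Windows\system32\mspaint.exe"},
    {"Computer": "WS01", "EventID": 17, "Image": r"C:\Windows\system32\msiexec.exe",
     "PipeName": r"\[1428]"},
    {"Computer": "WS01", "EventID": 3, "Image": r"C:\Windows\system32\msiexec.exe",
     "DestinationHostname": "github.com", "DestinationPort": 443},
    {"Computer": "WS01", "EventID": 3, "Image": r"C:\Windows\system32\msiexec.exe",
     "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443},
    {"Computer": "WS02", "EventID": 3, "Image": r"C:\Windows\system32\msiexec.exe",
     "DestinationHostname": "download.windowsupdate.com", "DestinationPort": 80},
    {"Computer": "WS02", "EventID": 17, "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "PipeName": r"\mojo.5552.1.123"},
    {"Computer": "WS02", "EventID": 3, "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "DestinationHostname": "github.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(a["host"], a["rule"])
```

R1 is the highest-fidelity signal and R2 for mspaint.exe is close behind; R3 with explorer.exe as the target is noisy in environments where security or shell-extension software injects there, so tune that set before deploying.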
Infrastructure
GitHub page
The GitHub page was created on May 7, 2024, and two repositories were forked into it on the same day. On May 13, 2024, another repository was forked, and no further interactions with GitHub occurred. The forked repositories were left untouched. The name on the C2 account, "Alina Egorova," is a common Russian female name; the photo on the GitHub page, however, is of a male and was copied from a public photo bank.
Mail.ru photo hosting
This page contains the same encoded string as the GitHub page. There is no information about when the album was created and published. The photo of the owner is the same as the picture from the photo bank.
Cloud infrastructure
Service | Main URL | Initial paths |
Yandex Cloud | cloud-api.yandex.net | /v1/disk/resources?path= ; /v1/disk/resources/download?path= ; /v1/disk/resources/upload?path= |
Microsoft Graph | graph.microsoft.com | /v1.0/me/drive/root:/Mg/%s/%s:/content |
Dropbox | content.dropboxapi.com | /2/files/download ; /2/files/upload |
Attribution
The use of cloud services is not new, and we reported an example of this in our overview of the CloudWizard APT (a campaign in the Ukrainian conflict with ties to Operation Groundbait and CommonMagic). However, the likelihood of attributing CloudSorcerer to the same actor is low, as the code and overall functionality of the malware are different. We therefore assume at this point that CloudSorcerer is a new actor that has adopted the technique of interacting with public cloud services.
Victims
Government organizations in the Russian Federation.
Conclusions
The CloudSorcerer malware represents a sophisticated toolset targeting Russian government entities. Its use of cloud services such as Microsoft Graph, Yandex Cloud, and Dropbox for C2 infrastructure, along with GitHub for initial C2 communications, demonstrates a well-planned approach to cyberespionage. The malware’s ability to dynamically adapt its behavior based on the process it is running in, coupled with its use of complex inter-process communication through Windows pipes, further highlights its sophistication.
While there are similarities in modus operandi to the previously reported CloudWizard APT, the significant differences in code and functionality suggest that CloudSorcerer is likely a new actor, possibly inspired by previous techniques but developing its own unique tools.
Indicators of Compromise
File Hashes (malicious documents, Trojans, emails, decoys)
F701fc79578a12513c369d4e36c57224 | CloudSorcerer |
Domains and IPs
hxxps://github[.]com/alinaegorovaMygit | CloudSorcerer C2 |
hxxps://my.mail[.]ru/yandex.ru/alinaegorova2154/photo/1 | CloudSorcerer C2 |
Yara Rules
rule apt_cloudsorcerer {
    meta:
        description = "Detects CloudSorcerer"
        author = "Kaspersky"
        copyright = "Kaspersky"
        distribution = "DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM"
        version = "1.0"
        last_modified = "2024-06-06"
        hash = "F701fc79578a12513c369d4e36c57224"
    strings:
        $str1 = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
        $str2 = "c:\\windows\\system32\\mspaint.exe"
        $str3 = "C:\\Windows\\system32\\msiexec.exe"
        $str4 = "\\\\.\\PIPE\\"
    condition:
        uint16(0) == 0x5A4D and
        all of ($str*)
}
MITRE ATT&CK Mapping
Tactic | Technique | Technique Name |
Execution | T1059.009 | Command and Scripting Interpreter: Cloud API |
Execution | T1559 | Inter-Process Communication |
Execution | T1053 | Scheduled Task/Job |
Execution | T1047 | Windows Management Instrumentation |
Persistence | T1543 | Create or Modify System Process |
Persistence | T1053 | Scheduled Task/Job |
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
Defense Evasion | T1112 | Modify Registry |
Discovery | T1083 | File and Directory Discovery |
Discovery | T1046 | Network Service Discovery |
Discovery | T1057 | Process Discovery |
Discovery | T1012 | Query Registry |
Discovery | T1082 | System Information Discovery |
Collection | T1005 | Data from Local System |
Command and Control | T1102 | Web Service |
Command and Control | T1568 | Dynamic Resolution |
Exfiltration | T1567 | Exfiltration Over Web Service |
Exfiltration | T1537 | Transfer Data to Cloud Account |
Originally published by Securelist: CloudSorcerer – A new APT targeting Russian government entities