
CTI Roundup: Threat Actor Updates. APT40, CloudSorcerer, Eldorado

APT40 rapidly exploits network vulnerabilities, CloudSorcerer APT targets Russian organizations, and Eldorado threatens Windows and Linux systems

Emerging Issue

In this week’s roundup, CTI highlights a global threat advisory about the China-linked actor known as APT40. Next, CTI looks at a new espionage threat actor tracked as CloudSorcerer that is targeting organizations with malware that can change its behavior based on the environment it is executed in. Also included is an overview of Eldorado, a ransomware-as-a-service (RaaS) operation that emerged in March.

1. APT40 rapidly exploits network vulnerabilities

Cybersecurity agencies from Australia, Germany, Japan, New Zealand, South Korea, the United Kingdom, and the United States released a joint advisory regarding the China-linked APT40.

APT40 has been around for a long time and has targeted a wide range of sectors and countries. According to the latest advisory, APT40 can quickly exploit newly identified vulnerabilities — often within hours or days of their public release.

The advisory details the tradecraft that was observed in Australian networks. The group is regularly carrying out reconnaissance efforts against networks of interest to look for an opportunity to attack.

Notable TTPs

  • APT40 tends to use compromised devices as operational infrastructure and last-hop redirectors for operations in Australia, and likely elsewhere.
  • The group often targets small-office/home-office (SOHO) devices that are end-of-life or unpatched and are therefore good candidates for vulnerability exploitation.
  • After compromising the device, the actor uses it to launch attacks and blend in with legitimate traffic.

Two case studies

The joint advisory offers two case studies that demonstrate APT40’s capabilities.

  • Case study 1: The security agencies looked at a successful compromise that occurred in 2022 that highlights the actor’s tradecraft.

In this example, the actor was observed enumerating hosts to build its own map of the network, deploying web shells to execute commands, and deploying additional tools. APT40 then moved laterally throughout the network, which was made easier by the network’s rather flat structure.

  • Case study 2: The advisory also looked at an additional APT40 attack in which an organization identified malicious software on one of their internet-facing servers that served as a login portal for their remote access solution.

APT40 enumerated hosts, exploited internet-facing applications, leveraged web shells, exploited software vulnerabilities, and collected credentials to achieve further lateral movement.

Analyst comments from Tanium’s Cyber Threat Intelligence team

APT40 can quickly exploit new vulnerabilities thanks to its regular and routine network reconnaissance activities.

The group may be working from a list of intended victims rather than operating opportunistically, the latter being the more common pattern with vulnerability exploitation.

APT40’s ability to take a vulnerability POC and use it in the wild successfully within such a short timeframe highlights the group’s sophistication.

2. CloudSorcerer APT targets Russian organizations

A new espionage threat actor, which is being tracked as CloudSorcerer, is actively targeting organizations with malware that can change its behavior based on the environment it is executed in.

CloudSorcerer is currently primarily targeting Russian organizations and has a heavy reliance on public cloud services for its command-and-control operations.

What is CloudSorcerer?

This actor was first discovered in May 2024. The group engages in monitoring, data collection, and data exfiltration via services like Microsoft Graph, Yandex Cloud, and Dropbox. The actor is known to use these public cloud services for its C2 and will access them via APIs using authentication tokens.

According to SecureList, the malware must be manually executed by the threat actor on a machine that is already infected. Its function will change depending on the process that it gets executed in. When it is executed, it will call a function to determine what process it is running in. The returned process name is compared to a hardcoded set of strings and the malware will activate a different function depending on the result of that comparison.

If the process name is mspaint.exe, the malware functions as a backdoor that collects data and executes code. If the process name is msiexec.exe, the malware starts its C2 communication module. If the process name contains the string ‘browser’, or if it matches none of the expected strings, the malware attempts to inject shellcode into msiexec.exe, mspaint.exe, or explorer.exe before terminating the initial process.

CloudSorcerer’s backdoor module

The backdoor module gathers information about the machine, stores it, and writes it to a named pipe that is connected to the C2. It will read incoming data and will execute an action accordingly. Some of the actions it can execute include the collecting of additional information, the execution of shell commands, the copying/moving/renaming/deleting of files, and others.

It can also run additional tasks like clearing DNS cache, creating processes, deleting registry keys, enumerating shares, deleting users, enumerating RDP, and more.

CloudSorcerer’s C2 module

The C2 module will create a new Windows pipe and configure a connection to the C2 server. To do so it will provide arguments to a sequence of Windows API functions. The C2 server is a GitHub page and will be read into a memory buffer by the malware. The actor also tries to obtain data from a Russian cloud-based photo hosting site. This module will interact with cloud services to read data, receive commands, decode the commands, and send them to the backdoor module.

Infrastructure

The actor has been observed leveraging Yandex Cloud, Microsoft Graph, and Dropbox cloud URLs, in addition to the GitHub page and the Russian cloud-based photo hosting site.
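The process-name dispatch and cloud-based C2 described above give defenders a simple pairing to hunt for: mspaint.exe or msiexec.exe (the processes the report says host the backdoor and C2 modules) making outbound connections to the public cloud services the actor uses. The following is an added detection example written for this roundup, not code from the Securelist report or from the malware; the cloud hostnames are assumed endpoints for the named services, and the event lines are constructed in a Sysmon-like key=value shape.

```python
"""Flag CloudSorcerer-style cloud C2 from unexpected host processes (added example)."""
import re
from dataclasses import dataclass

# Processes the report names as hosts for the backdoor/C2 modules.
# explorer.exe is also an injection target but reaches many cloud
# services legitimately, so it is left out to keep the signal clean.
SUSPECT_IMAGES = {"mspaint.exe", "msiexec.exe"}

# Assumed hostnames for the cloud services named in the report.
CLOUD_C2_HOSTS = re.compile(
    r"(^|\.)(graph\.microsoft\.com|dropboxapi\.com|cloud-api\.yandex\.net"
    r"|github\.com|raw\.githubusercontent\.com)$", re.I)

@dataclass
class Finding:
    host: str
    image: str
    dest: str
    reason: str

def parse_event(line: str) -> dict:
    """Parse a 'key=value|key=value' network-connection event into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def detect(lines):
    """Return a Finding for each suspect image reaching an assumed C2 service."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        dest = ev.get("DestinationHostname", "").lower()
        if image in SUSPECT_IMAGES and CLOUD_C2_HOSTS.search(dest):
            findings.append(Finding(ev.get("Computer", "?"), image, dest,
                "Paint/MSI installer has no business reaching cloud storage or APIs"))
    return findings

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    "Computer=WS01|Image=C:\\Windows\\System32\\mspaint.exe|DestinationHostname=graph.microsoft.com|DestinationPort=443",
    "Computer=WS01|Image=C:\\Windows\\System32\\msiexec.exe|DestinationHostname=raw.githubusercontent.com|DestinationPort=443",
    "Computer=WS02|Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|DestinationHostname=api.dropboxapi.com|DestinationPort=443",
    "Computer=WS02|Image=C:\\Windows\\explorer.exe|DestinationHostname=graph.microsoft.com|DestinationPort=443",
    "Computer=WS03|Image=C:\\Windows\\System32\\msiexec.exe|DestinationHostname=download.microsoft.com|DestinationPort=443",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host}: {f.image} -> {f.dest}: {f.reason}")
```

Only the two WS01 events are flagged: the browser and explorer.exe connections are excluded by design, and msiexec.exe reaching a Microsoft download host is normal installer behaviour.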

Analyst comments from Tanium’s Cyber Threat Intelligence team

CloudSorcerer is jumping on the cloud bandwagon by leveraging public cloud services for things like C2. This is a common theme across the threat landscape right now.

What’s different is that the malware is executed manually and only after a machine has already been infected. It doesn’t appear as though there is much information available as to how this actor gets access to a compromised machine.

Nonetheless, the use of malware that chooses its primary function and purpose based on the process it is executed in reveals a certain degree of sophistication.

3. Eldorado threatens Windows and Linux systems

Eldorado is a new ransomware-as-a-service (RaaS) operation that emerged in March when it posted on underground forums looking for pentesters to join its team. It has a Windows and Linux variant and has already claimed 16 victims across multiple sectors since its emergence.

Eldorado emergence

A user that goes by “$$$” on the RAMP underground forum created an affiliate program for the Eldorado ransomware in mid-March 2024.

Posts from this user indicate that the actor speaks Russian. To generate a ransomware sample, affiliates will have to specify the name of the targeted company, the file name and the text for the ransom notes, and the domain admin password.

The Singapore-based cybersecurity firm Group-IB was able to obtain an encryptor and reported that it is available for esxi, esxi_64, win, and win_64.

Targeting and victimology

Eldorado ransomware has targeted at least 16 companies across multiple sectors. Thirteen of the 16 attacks occurred in the U.S. with two occurring in Italy and one in Croatia.

Technical details

The encryptor was written in Golang so that it is multi-platform capable. All of the files that get encrypted by Eldorado have .00000001 appended to them.

The ransomware drops a ransom note in the Documents and Desktop folders. The note instructs the victim to contact the actor via a particular URL for a live chat.

Eldorado’s Windows variant

The Windows Eldorado variant accepts multiple command line parameters. In the sample analyzed by Group-IB, some logs were sent to a particular IP address via WebSockets. For encryption the ransomware uses ChaCha20 for files and RSA-OAEP for the generated key.

For each targeted file it generates a 32-byte key and a 12-byte nonce, both of which are encrypted with RSA-OAEP. The ransomware will run a PowerShell command to overwrite the encryptor and then delete the file to remove traces of its activities. It will also remove shadow volume copies. The ransomware will exclude certain file extensions like .00000001, .exe, .dll, .sys, .msi, .ini, .inf, and .lnk.

Eldorado’s Linux variant

The Linux encryptor only supports the “-path” argument and is quite simple. It will recursively walk through files of a specified directory. The encryption algorithm for this variant is the same as the Windows variant.

Analyst comments from Tanium’s Cyber Threat Intelligence team

According to Group-IB, Eldorado is notable because it does not rely on previously leaked builders like Babuk or LockBit.

New ransomware strains emerge quite often, but many of them are modeled after these leaked builders. Eldorado’s creator clearly put more time and effort into the ransomware, choosing to build it from scratch.

This, along with the fact that there are already Windows and Linux variants of the ransomware and that it has already claimed several victims, makes Eldorado a more significant threat.



Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
