EastWind Campaign Targets Russian Entities with PlugY and GrewApacha Backdoors via Malicious LNK Files


In a calculated cyberattack targeting Russian government and IT organizations, a new spear-phishing campaign, codenamed “EastWind,” has surfaced, delivering a slew of backdoors and trojans. This campaign is particularly alarming due to its sophisticated attack chains that culminate in the deployment of potent malware, including the recently identified PlugY backdoor and an updated version of the CloudSorcerer backdoor, now rebranded as GrewApacha.

The Anatomy of the EastWind Attack

At the core of the EastWind campaign is the use of RAR archive attachments, which are sent to targets via spear-phishing emails. These RAR files contain a seemingly innocuous Windows shortcut (LNK) file. However, once opened, this LNK file triggers a well-orchestrated infection sequence that ultimately leads to the deployment of the malware payloads. The use of LNK files in this manner is particularly devious, as it exploits a common feature in Windows operating systems to mask the malicious intent of the file.

PlugY: A New and Dangerous Implant

One of the standout features of the EastWind campaign is the deployment of PlugY, a backdoor that has not been documented before. According to Kaspersky, a leading Russian cybersecurity firm, PlugY is downloaded through the CloudSorcerer backdoor and comes equipped with an extensive array of commands. It supports three different protocols for communicating with its command-and-control (C2) server, making it a versatile tool for cyber espionage.

PlugY’s capabilities are comprehensive and include the ability to execute shell commands, monitor the device’s screen, log keystrokes, and capture clipboard content. The malware’s multi-faceted communication methods—using TCP, UDP, or named pipes—further complicate detection and removal efforts.

GrewApacha: The Evolved CloudSorcerer Backdoor

Another critical component of the EastWind campaign is the deployment of GrewApacha, a known backdoor that has been previously associated with the China-linked APT31 group. Like PlugY, GrewApacha is launched using DLL side-loading techniques, which involve tricking the operating system into loading a malicious DLL file instead of a legitimate one. This technique is particularly effective in evading traditional security defenses.

GrewApacha uses an attacker-controlled GitHub profile as a dead drop resolver. This profile stores a Base64-encoded string that serves as the actual C2 server, providing attackers with a stealthy and resilient way to maintain control over compromised systems. The reliance on legitimate platforms like GitHub adds another layer of complexity, as it makes it more difficult for defenders to distinguish between malicious and benign traffic.
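As an added detection example (not code from Kaspersky's report or from this article), the following Python scans a set of constructed profile biographies for Base64 tokens that decode to a URL or an IPv4 host and port, the dead-drop pattern described above; the same hunt can be pointed at any profile text an implant might read. The function names, sample bios and hosts are assumptions made for illustration, using reserved documentation values rather than real indicators.

```python
import base64
import binascii
import re
import string
from urllib.parse import urlparse

# Constructed sample bios; hosts are reserved documentation values, not real indicators.
SAMPLE_BIOS = {
    "user_a": "Backend dev, coffee addict. aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv",
    "user_b": "Just here for the code reviews and the occasional typo fix.",
    "user_c": "status: MTkyLjAuMi4xMDo4NDQz",
}

# Candidate Base64 tokens: a run of alphabet characters with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HOST_PORT = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?$")
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

def decode_candidate(token):
    """Return decoded text if token is valid Base64 for printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="ignore")
    if len(text) != len(raw) or not text or any(c not in PRINTABLE for c in text):
        return None
    return text

def looks_like_endpoint(text):
    """True if decoded text is a URL with a host, or a bare IPv4[:port]."""
    if "://" in text:
        parts = urlparse(text)
        return bool(parts.scheme and parts.netloc)
    return bool(HOST_PORT.match(text))

def find_hidden_endpoints(bios):
    """Scan each bio for Base64 tokens that decode to a C2-like endpoint."""
    findings = []
    for user, bio in bios.items():
        for token in B64_TOKEN.findall(bio):
            decoded = decode_candidate(token)
            if decoded and looks_like_endpoint(decoded):
                findings.append((user, token, decoded))
    return findings

if __name__ == "__main__":
    for user, token, decoded in find_hidden_endpoints(SAMPLE_BIOS):
        print(f"{user}: {token} -> {decoded}")
```

Long plain words are discarded because they either fail strict Base64 validation or decode to non-printable bytes, so the heuristic flags only tokens that decode to something endpoint-shaped.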


CloudSorcerer: A Persistent Threat

The CloudSorcerer backdoor, now in its updated form as part of the EastWind campaign, continues to be a significant tool for cyber espionage. This sophisticated malware is designed for stealth monitoring, data collection, and exfiltration. It utilizes a variety of cloud services, including Microsoft Graph, Yandex Cloud, and Dropbox, to carry out its operations.

One of the defining features of CloudSorcerer is its use of encryption to protect its operations. The malware employs an encryption-based protection mechanism that ensures it is only executed on the intended victim’s computer. This is achieved by using a unique key derived from the Windows GetTickCount() function at runtime, adding another layer of complexity to the malware’s operation.

CloudSorcerer also leverages legitimate platforms like LiveJournal and Quora as initial C2 servers. These platforms are used to host encrypted authentication tokens within profile biographies, which are then used to interact with the cloud services. This clever use of legitimate services further complicates detection and takedown efforts, as it blends in with normal traffic on these platforms.

The Broader Implications of EastWind

The EastWind campaign’s use of popular network services as command servers is particularly concerning. According to Kaspersky, the attackers behind EastWind have utilized platforms like GitHub, Dropbox, Quora, as well as Russian services like LiveJournal and Yandex Disk to manage their C2 infrastructure. This approach not only makes it more difficult to trace the attackers but also allows them to exploit the trust and widespread use of these services.

In addition to the backdoors deployed via EastWind, Kaspersky has also disclosed a related watering hole attack. This attack involves compromising a legitimate website related to gas supply in Russia, using it to distribute a worm named CMoon. CMoon is a versatile malware capable of harvesting confidential and payment data, taking screenshots, downloading additional malware, and launching distributed denial-of-service (DDoS) attacks.

CMoon’s capabilities extend beyond data theft. The worm is designed to monitor connected USB drives, allowing it to steal files from removable media and spread itself to other computers via these drives. This functionality makes CMoon particularly dangerous, as it can propagate across networks and infect multiple systems with minimal user interaction.

Conclusion

The EastWind campaign represents a significant threat to Russian government and IT organizations, with its use of advanced malware like PlugY, GrewApacha, and CloudSorcerer. The attackers’ use of legitimate platforms for command-and-control operations complicates detection and mitigation efforts, making this campaign a challenging adversary for cybersecurity professionals. As the campaign continues to unfold, it highlights the need for vigilance and advanced defensive measures to protect against such sophisticated cyber threats.
