CloudWizard: an APT hiding in the dark for 7 years
In this talk, we will present the story of CloudWizard, an APT that has been targeting organizations in the Russo-Ukrainian conflict area. We first unveiled this APT in early 2023, while analyzing a campaign that we dubbed CommonMagic. While the nature of this campaign was highly targeted, it was unclear which threat actor was carrying out the discovered attacks. So, we decided to dig deeper, and our research led us to many interesting findings.
While searching for more clues, we found an even more sophisticated campaign with targets in Central and Western Ukraine. During our investigation, we discovered a previously unknown modular spyware. It has numerous features such as keylogging, screenshot taking and even stealing emails from webmail clients – we identified a total of 13 malicious modules.
Analysis of this sophisticated spyware helped us identify the threat actor behind the discovered campaigns. During our talk, we will tell how we managed to attribute the investigated implants to an APT that was last seen 7 years ago, back in 2016.
Mr. Georgy Kucherin
Georgy Kucherin is a junior researcher at Kaspersky’s Global Research and Analysis Team and a fourth-year student at Moscow State University. He is passionate about analysis of complex malware and reverse engineering. His previous research includes attribution of the SolarWinds attack, as well as thorough investigations into APTs such as Operation Triangulation, Turla, FinFisher, APT41 and Lazarus.
Mr. Leonid Bezvershenko
Leonid joined Kaspersky in 2020 as an intern in the Global Research and Analysis Team (GReAT). In 2021, he was invited to the GReAT as a Junior Security Researcher. In 2023, he was promoted to Security Researcher. In this role, Leonid focuses on open source security, reverse engineering, and malware analysis. His research includes the analysis of APT campaigns, such as Operation Triangulation and CloudWizard. Additionally, he is actively involved in the development of internal tools and infrastructure. Leonid is currently a student at Moscow State University’s Faculty of Computational Mathematics and Cybernetics. He is also a member of the Drovosec CTF team.