In 2024, the threat actor known as Cloud Atlas has been observed using a new malware called VBCloud in cyber attack campaigns targeting multiple users. According to Kaspersky researcher Oleg Kupreev, victims are infected through phishing emails containing a malicious document that exploits a vulnerability in the Microsoft Office Equation Editor (CVE-2018-0802) to download and execute malware code. The majority of targets were located in Russia, with some victims in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.
Cloud Atlas, also known as Clean Ursa, Inception, Oxygen, and Red October, is an unattributed threat activity cluster that has been active since 2014. The group has been linked to cyber attacks in Russia, Belarus, and Transnistria, using a PowerShell-based backdoor named PowerShower. In 2023, spear-phishing attacks targeting entities in Russia exploited an old Microsoft Office Equation Editor flaw (CVE-2017-11882) to drop a Visual Basic Script (VBS) payload, leading to the discovery of VBShower, PowerShower, and VBCloud.
The attack chain begins with a phishing email containing a malicious Microsoft Office document that downloads a malicious template in the form of an RTF file from a remote server. This template exploits CVE-2018-0802 to run an HTML Application (HTA) file, which in turn creates the VBShower backdoor. This backdoor includes a loader and a cleaner to cover up evidence of malicious activity.
VBShower is designed to retrieve VBS payloads from a command-and-control (C2) server, while PowerShower downloads and executes PowerShell scripts from the C2 server. PowerShower can also serve as a downloader for ZIP archive files. As many as seven PowerShell payloads have been observed by Kaspersky, each carrying out distinct tasks such as conducting dictionary attacks and obtaining credentials for Active Directory accounts.
VBCloud operates similarly to VBShower but uses public cloud storage for C2 communications. The malware collects information about the system, harvests specific file types, and probes the local network for further infiltration. The ultimate goal of the infection chain is to steal data from victims’ devices. The complex attack chain highlights the sophisticated tactics used by threat actors like Cloud Atlas to carry out cyber attacks and data theft.
