In the rapidly evolving landscape of cyber threats, the activities of certain advanced persistent threat (APT) groups continue to garner significant attention. One such group, known as Cloud Atlas, has been in operation since 2014 and is recognized for its persistent targeting of entities primarily within Russia and surrounding regions. In recent developments, the group has introduced a new malware strain, VBCloud, as part of its evolving attack arsenal. Researchers have been closely monitoring the sophisticated tactics employed by Cloud Atlas, revealing a complex multi-stage attack chain that underscores the group’s capability and persistence.
Malware Distribution Tactics
Phishing Emails and Malicious Office Documents
The primary method of infection favored by Cloud Atlas involves the use of phishing emails containing malicious Microsoft Office documents. These documents are designed to exploit known vulnerabilities within the formula and equation editors, specifically CVE-2018-0802 and CVE-2017-11882. When an unsuspecting victim opens one of these malicious documents, it sets off a chain reaction that results in the download of additional malware components. This approach not only leverages well-known vulnerabilities but also demonstrates the group’s ability to adapt and refine their methods over time.
Once the infected document is opened, it downloads a malicious template formatted as an RTF file from a remote server. This template exploits the CVE-2018-0802 vulnerability to download and execute an HTML Application (HTA) file. The HTA file further leverages NTFS alternate data streams (ADS) to create the necessary files for the VBShower backdoor, which is instrumental in facilitating further malware downloads, including PowerShower and VBCloud. This tightly orchestrated series of actions underscores the sophistication of Cloud Atlas’s malware distribution tactics, highlighting their ability to seamlessly integrate various attack components.
Exploiting CVE Vulnerabilities
The exploitation of vulnerabilities CVE-2018-0802 and CVE-2017-11882 plays a central role in the success of Cloud Atlas’s campaigns. These vulnerabilities within Microsoft Office’s formula and equation editors have been widely documented, yet their persistent use by Cloud Atlas illustrates the continued importance of patch management and cybersecurity awareness among potential targets. Their proficiency in exploiting these vulnerabilities speaks volumes about the group’s technical capabilities and their commitment to refining their attack vectors.
Upon successful exploitation, the CVE-2018-0802 vulnerability is used to fetch and execute an HTML Application (HTA) file. This file leverages alternate data streams to create files necessary for the VBShower backdoor, which serves as a launchpad for further infection stages. The HTA file, through its sophisticated execution, showcases the intricate planning and technical finesse exhibited by Cloud Atlas. By focusing on these vulnerabilities, the group efficiently maximizes its chances of compromising target systems, thereby ensuring the successful deployment of its malicious payloads.
The Attack Chain: From Initial Compromise to Data Theft
VBShower and PowerShower: Malware Components
Once the VBShower backdoor is in place, it plays a critical role in the continued infection of the target system. This backdoor is designed to download additional Visual Basic Scripts (VBS) from the command-and-control (C2) server. These scripts can perform a variety of functions, including rebooting the system, gathering file information, and installing new malware components like PowerShower and VBCloud. The VBShower backdoor’s ability to dynamically download and execute these scripts provides Cloud Atlas with a versatile tool for sustaining and expanding its foothold within compromised systems.
The PowerShower component of the VBShower framework shares similar functionalities but specifically targets the downloading and execution of next-stage PowerShell scripts. Kaspersky has identified seven distinct PowerShell payloads linked to PowerShower, each crafted for a unique purpose. These payloads are designed to accomplish tasks such as retrieving local group information, conducting dictionary attacks, unpacking ZIP archives for Kerberoasting attacks, listing administrator groups and domain controllers, obtaining file details within the ProgramData folder, and extracting account and password policy settings. Each payload serves a distinct function, contributing to a comprehensive strategy for system infiltration and data theft.
Data Collection and Exfiltration via VBCloud
VBCloud, the latest addition to Cloud Atlas’s malware arsenal, closely mirrors the functionalities of VBShower but stands out due to its use of public cloud storage services for command-and-control communications. This component is triggered by a scheduled task upon system login, at which point it begins collecting extensive system information and files. Targeted file types include DOC, DOCX, XLS, XLSX, PDF, TXT, RTF, RAR, and even data related to the Telegram messaging app. VBCloud’s primary objective is data theft, reaffirming the group’s focus on exfiltrating valuable and sensitive information from compromised systems.
The meticulous design of VBCloud allows it to operate stealthily, gathering and transmitting data without raising immediate suspicions. Its use of public cloud storage services for C2 communications is particularly noteworthy, as it demonstrates the group’s ability to leverage modern technologies to evade detection and enhance operational resilience. By focusing on data theft, VBCloud underscores Cloud Atlas’s continued intent to harvest valuable information that can be exploited for financial gain, espionage, or further cyber operations.
Conclusion
In the dynamic and fast-changing arena of cyber threats, certain advanced persistent threat (APT) groups continue to attract significant attention. One notable group, Cloud Atlas, has been actively operating since 2014 and is particularly known for its relentless targeting of entities primarily located in Russia and the surrounding areas. Recently, this group has introduced a new malware strain called VBCloud, which forms part of their evolving toolkit for attacks. Cybersecurity researchers have been diligently tracking Cloud Atlas, uncovering the sophisticated and intricate tactics they utilize. These findings reveal a complex, multi-stage attack chain that exemplifies the group’s high capability and unwavering determination. This ongoing analysis highlights the ever-present and evolving nature of cyber threats posed by such APT groups, emphasizing the need for constant vigilance and advanced defense mechanisms to protect against their persistent attacks.