Cloud Atlas threat actors used a new piece of polymorphic malware in recent attacks against government organizations.
The Cloud Atlas
The Cloud Atlas was first observed by researchers at Kaspersky Lab back in 2014, at the time the group was targeting government, diplomatic and research organizations. The campaign was dubbed by Kaspersky the return of Red October because the attackers targeted the same organizations of the previous campaign.
“From the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts.” reads the report published by Kaspersky Lab.
“Cloud Atlas hasn’t changed its TTPs (Tactic Tools and Procedures) since 2018 and is still relying on its effective existing tactics and malware in order to compromise high value targets.”
Most of the victims of the group were located in Russia, followed by Kazakhstan, Belarus, India and the Czech Republic. Over the year the group also targeted entitied in Ukraine, Moldova, Belgium, Iran, France, the United States, Turkey, Georgia, and Bulgaria.
Now the group continues to be mainly focused on Russia, but other victims were reported by Kaspersky in Kyrgyzstan, Turkmenistan, Ukraine, Turkey, Romania and Portugal. Most of the victims belong to government organizations, but researchers observed that attacks against Russian entities hit religious organizations, the aerospace industry and an international organization.
The Cloud Atlas attacks still leverage spear-phishing messages to target high profile victims. These emails are crafted with Office documents that use malicious remote templates that were hosted on remote servers.
In past attacks, Cloud Atlas was delivering a “
The threat actors
Since April 2019, Kaspersky researchers have observed the Cloud Atlas group using a new piece of malware tracked as VBShower in a new “polymorphic” infection chain. Cloud Atlas attackers were using a polymorphic HTA hosted on a remote server, which is used to drop the following different files on the local system:
- A backdoor tracked as VBShower which is polymorphic and replaces PowerShower as a
- A tiny launcher for VBShower
- A file computed by the HTA which contains contextual data such as the current user, domain, computer name and a list of active processes.
The “polymorphic” infection chain allows evading detection based on IoCs. Experts pointed out that each code is unique by
“The VBShower backdoor has the same philosophy of the
Kaspersky confirmed that Cloud Atlas attackers appeared to be Russian-speaking, but the security firm did not link it with any government.
“Cloud Atlas remains very prolific in Eastern Europe and Central Asia. The actor’s massive
“Unlike many other intrusion sets, Cloud Atlas hasn’t chosen to use open source implants during its recent campaigns, in order to be less discriminating. More interestingly, this intrusion set hasn’t changed its modular backdoor, even five years after its discovery.”
The post Recently Cloud Atlas used a new piece of polymorphic malware appeared first on Security Affairs.