2025-01-03
The cybercriminal group known as Cloud Atlas has expanded its arsenal with the addition of VBCloud, a novel malware strain. This discovery, detailed in a recent analysis by Kaspersky researcher Oleg Kupreev, highlights the group’s ongoing activity and evolving tactics.
Cloud Atlas, also known by aliases like Clean Ursa, Inception, Oxygen, and Red October, has been operating since 2014. Its targets have historically included government entities, research institutions, and critical infrastructure organizations. The group’s latest campaign, which began in 2024, has used VBCloud to infect numerous users, the large majority (over 80%) of them in Russia. Other affected countries include Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.
The infection chain begins with a phishing email containing a malicious document. This document exploits a vulnerability in the Microsoft Office formula editor (CVE-2018-0802) to download and execute the VBCloud malware onto the victim’s system. VBCloud itself is a versatile tool designed for data theft and remote system control.
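One defensive check a mail or file gateway can apply to attachments arriving through a campaign like this, written here as an added example (it is not code from Kaspersky, Undercode or the article): a small Python scanner that looks inside RTF documents for embedded OLE objects bound to the Microsoft Equation Editor, the component in which CVE-2018-0802 lives. The article does not say which document format the lure uses; RTF is assumed here because it is a common carrier for embedded Equation objects. The ProgID "Equation.3" and the CLSID are the Equation Editor's well-known identifiers rather than values from the article, and both sample documents are constructed for the demonstration.

```python
import re
import uuid
from typing import Dict, List

# Microsoft Equation Editor (EQNEDT32.EXE) identifiers. The ProgID "Equation.3"
# and CLSID {0002CE02-0000-0000-C000-000000000046} belong to the component that
# CVE-2018-0802 affects; these are well-known values, not taken from the article.
EQUATION_PROGID = b"Equation.3"
EQUATION_CLSID_LE = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le

# RTF control words that carry an embedded OLE object's class name and payload.
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([^\s{}\\]+)")
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")


def decode_objdata(hex_blob: bytes) -> bytes:
    """Turn the hex dump inside \\objdata back into raw OLE1 object bytes."""
    hex_str = re.sub(rb"\s", b"", hex_blob).decode("ascii")
    if len(hex_str) % 2:      # tolerate a truncated trailing nibble
        hex_str = hex_str[:-1]
    try:
        return bytes.fromhex(hex_str)
    except ValueError:
        return b""


def scan_rtf(data: bytes) -> Dict[str, object]:
    """Report embedded object classes and whether any points at Equation Editor.

    Two independent signals are checked: the declared \\objclass ProgID, and the
    class name / CLSID found inside the decoded \\objdata payload itself, so a
    mislabelled \\objclass alone does not hide the object.
    """
    classes: List[str] = [m.group(1).decode("latin-1") for m in OBJCLASS_RE.finditer(data)]
    payloads: List[bytes] = [decode_objdata(m.group(1)) for m in OBJDATA_RE.finditer(data)]

    declared_hit = any(c.encode("latin-1") == EQUATION_PROGID for c in classes)
    payload_hit = any(EQUATION_PROGID in p or EQUATION_CLSID_LE in p for p in payloads)

    return {
        "object_classes": classes,
        "embedded_objects": len(payloads),
        "equation_editor": declared_hit or payload_hit,
    }


def scan_file(path: str) -> Dict[str, object]:
    """Convenience wrapper for a file on disk, e.g. a quarantined attachment."""
    with open(path, "rb") as fh:
        return scan_rtf(fh.read())


# Constructed samples (not real malware): a plain document, and one carrying an
# embedded OLE1 object whose header (version, format id, length-prefixed class
# name "Equation.3\0") names the Equation Editor.
SAMPLE_BENIGN = rb"{\rtf1\ansi Quarterly report\par}"
SAMPLE_SUSPICIOUS = (
    rb"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300}}\par}"
)

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        result = scan_rtf(sample)
        print(f"{name}: equation_editor={result['equation_editor']} "
              f"classes={result['object_classes']}")
```

A hit from this scanner is a reason to quarantine or sandbox the attachment, not proof of exploitation: legitimate documents with old equations embed the same object. Pairing the check with the patch status of the endpoint's Office installation (the takeaway on vulnerability management below) is what turns the signal into a risk decision.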
The emergence of VBCloud demonstrates Cloud Atlas’s continued evolution and adaptability. The group’s persistent focus on Russian targets suggests a specific geopolitical motivation, though the exact nature of these objectives remains unclear.
What Undercode Says:
This article highlights a concerning trend in cyberattacks: the emergence of new and sophisticated malware. VBCloud, the latest weapon in Cloud Atlas’s arsenal, showcases the group’s ability to innovate and adapt. The targeting of Russian entities underscores the increasing role of cyberattacks in geopolitical conflicts.
Several key takeaways can be drawn from this analysis:
The threat landscape is constantly evolving: Cybercriminals are constantly developing new tools and techniques, making it crucial for organizations to stay informed and adapt their defenses accordingly.
Phishing remains a significant threat vector: This attack demonstrates the continued effectiveness of phishing emails as a means of initial infection. Organizations must prioritize robust email security measures, including employee training on identifying and avoiding phishing attempts.
Vulnerability management is critical: The exploitation of CVE-2018-0802 highlights the importance of timely patching and vulnerability management. Organizations must ensure that all systems are updated with the latest security patches to mitigate the risk of exploitation.
Geopolitical tensions are fueling cyberattacks: The targeting of Russian entities suggests that cyberattacks are increasingly being used as a tool in geopolitical conflicts. This trend is likely to continue, requiring organizations to be prepared for the potential impact of such attacks.
The activities of Cloud Atlas serve as a stark reminder of the ever-present threat of cyberattacks. By understanding the group’s tactics and the evolving threat landscape, organizations can better protect themselves from these malicious actors.
References:
Reported By: Thehackernews.com