2024-12-27
A persistent threat actor known as Cloud Atlas has been observed deploying a novel malware dubbed VBCloud as part of its ongoing cyberespionage campaigns. This sophisticated attack chain targets a diverse range of victims, with a significant focus on entities within Russia. The attacks leverage a combination of phishing emails, exploited vulnerabilities, and multiple malicious stages to achieve their objectives, including data exfiltration and lateral movement within targeted networks.
The Cloud Atlas group, also known by various aliases such as Clean Ursa, Inception, Oxygen, and Red October, has been active since 2014. Their recent operations have involved the use of VBShower, a multi-stage backdoor that employs Visual Basic Script (VBS) components. This intricate attack sequence begins with phishing emails containing malicious Microsoft Office documents.
Upon opening, these documents exploit vulnerabilities in the Microsoft Equation Editor, specifically CVE-2018-0802, to download and execute malicious HTML Application (HTA) files. These HTA files then leverage NTFS Alternate Data Streams to install the VBShower backdoor on the compromised system.
VBShower acts as a central hub, downloading and executing further VBS payloads, including PowerShower, another backdoor that operates primarily through PowerShell scripts. PowerShower exhibits a wide range of functionalities, including:
Network reconnaissance: Gathering information about local groups, user accounts, and domain controllers within the target network.
Credential theft: Conducting dictionary attacks on user accounts and performing Kerberoasting attacks to obtain credentials for Active Directory accounts.
Data exfiltration: Downloading and executing scripts to collect sensitive data from various locations within the compromised system.
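As an added defensive example (not code from the article or from any vendor report), the Python script below applies a common Kerberoasting detection heuristic to constructed Windows Security event 4769 records: a single account requesting RC4-HMAC (0x17) service tickets for many distinct service accounts within a short window, which is what the PowerShower behaviour described above would look like on a domain controller. The JSON export format, field names, and sample accounts are assumptions made for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of exported Windows Security events, one JSON object per
# line. Event 4769 = "A Kerberos service ticket was requested". These records
# are made up for this example and are not taken from the article.
SAMPLE_LOG = """\
{"time": "2024-12-20T10:00:01", "event_id": 4769, "account": "jdoe@CORP.LOCAL", "service": "svc_sql", "etype": "0x17"}
{"time": "2024-12-20T10:00:02", "event_id": 4769, "account": "jdoe@CORP.LOCAL", "service": "svc_backup", "etype": "0x17"}
{"time": "2024-12-20T10:00:02", "event_id": 4769, "account": "jdoe@CORP.LOCAL", "service": "svc_iis", "etype": "0x17"}
{"time": "2024-12-20T10:00:03", "event_id": 4769, "account": "jdoe@CORP.LOCAL", "service": "svc_exchange", "etype": "0x17"}
{"time": "2024-12-20T10:00:04", "event_id": 4769, "account": "jdoe@CORP.LOCAL", "service": "svc_sccm", "etype": "0x17"}
{"time": "2024-12-20T10:00:04", "event_id": 4769, "account": "jdoe@CORP.LOCAL", "service": "WS01$", "etype": "0x17"}
{"time": "2024-12-20T10:00:05", "event_id": 4769, "account": "asmith@CORP.LOCAL", "service": "svc_sql", "etype": "0x12"}
{"time": "2024-12-20T10:00:06", "event_id": 4768, "account": "jdoe@CORP.LOCAL", "service": "krbtgt", "etype": "0x12"}
"""

RC4_ETYPE = "0x17"  # RC4-HMAC tickets are the cheapest to crack offline, so they stand out

def parse_log(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=5):
    """Return {account: sorted list of services} for each account that requested
    RC4 service tickets for at least `threshold` distinct non-machine services
    within `window`. Ordinary users rarely touch that many SPNs at once."""
    per_account = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 4769 or ev["etype"] != RC4_ETYPE:
            continue
        svc = ev["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # computer accounts and krbtgt are not roastable targets
        per_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), svc))
    hits = {}
    for account, reqs in per_account.items():
        reqs.sort()  # sliding window over requests in time order
        for i, (t0, _) in enumerate(reqs):
            in_window = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                hits[account] = sorted(in_window)
                break
    return hits

def run_sample():
    return detect_kerberoasting(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for account, spns in run_sample().items():
        print(f"possible Kerberoasting by {account}: {', '.join(spns)}")
```

The threshold and window are tuning knobs; a real deployment would baseline them per environment and exclude known scanners and monitoring accounts.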
In addition to PowerShower, VBShower also installs VBCloud, a unique malware component that leverages public cloud storage services for command-and-control communications. VBCloud focuses on collecting system information, including disk details, system metadata, and sensitive files, and exfiltrating this data to the threat actors’ servers.
What Undercode Says:
This sophisticated attack campaign highlights several key trends in modern cyberespionage:
Multi-stage attacks: The use of multiple stages, including phishing, exploitation, and various backdoor components, significantly increases the complexity of the attack chain and makes it more difficult to detect and respond to.
Leveraging legitimate tools and services: The use of public cloud storage for command-and-control communications demonstrates the increasing reliance of threat actors on legitimate services to conceal their malicious activities.
Focus on persistent access: The installation of multiple backdoors, such as VBShower and PowerShower, allows the attackers to maintain persistent access to the compromised system and conduct further reconnaissance and data exfiltration operations.
The Cloud Atlas
This incident serves as a stark reminder of the importance of strong cybersecurity defenses, including employee training on phishing threats, regular security assessments, and the deployment of advanced threat detection and response solutions.
References:
Reported By: Thehackernews.com