2025-01-02
A sophisticated threat actor known as Cloud Atlas has been observed deploying a novel malware named VBCloud in its recent cyberespionage campaigns. These attacks primarily targeted individuals within Russia, with a smaller number of victims identified in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.
The infection chain typically begins with a phishing email carrying a malicious document. The document exploits a vulnerability in the Microsoft Office Equation Editor (CVE-2018-0802) to execute code, which then downloads and installs the VBCloud malware on the victim's system.
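As an added example (not code from the original report), a small Python triage helper that flags mail attachments embedding the Equation Editor 3.0 OLE class, the component in which CVE-2018-0802 was patched. The CLSID and ProgID are the standard registration values for Equation Editor; the sample byte strings are constructed for the demonstration.

```python
import uuid
from typing import List

# Equation Editor 3.0 is registered under this CLSID. An Office/RTF attachment that
# embeds it deserves a closer look, since CVE-2018-0802 affects EQNEDT32.EXE.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")

# The indicators in the forms they take on disk inside OLE/RTF containers.
INDICATORS = {
    "clsid_bytes_le": EQNEDT_CLSID.bytes_le,            # binary GUID in OLE directory entries
    "clsid_text": str(EQNEDT_CLSID).upper().encode(),   # textual GUID (XML, dumped streams)
    "progid_ascii": b"Equation.3",                      # RTF \objclass / ProgID attribute
    "progid_utf16": "Equation.3".encode("utf-16-le"),   # UTF-16 strings in OLE streams
}


def equation_editor_hits(blob: bytes) -> List[str]:
    """Return the names of Equation Editor indicators present in raw attachment bytes."""
    return [name for name, needle in INDICATORS.items() if needle in blob]


def is_suspicious(blob: bytes) -> bool:
    """True when any Equation Editor indicator is present in the attachment."""
    return bool(equation_editor_hits(blob))


# Constructed samples: an OLE compound-file header followed by either an embedded
# Equation.3 object or an ordinary Word document ProgID.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_WITH_EQN = OLE_MAGIC + b"\x00" * 16 + EQNEDT_CLSID.bytes_le + b"Equation.3\x00"
SAMPLE_CLEAN = OLE_MAGIC + b"\x00" * 32 + b"Word.Document.8\x00"

if __name__ == "__main__":
    for label, blob in (("with_eqn", SAMPLE_WITH_EQN), ("clean", SAMPLE_CLEAN)):
        print(label, is_suspicious(blob), equation_editor_hits(blob))
```

Run it over the raw bytes of RTF and legacy OLE documents, and over the unzipped parts of OOXML files (.docx and friends), since a byte scan sees nothing inside the compressed ZIP container.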
VBCloud is a versatile piece of malware capable of various malicious activities, including:
Data exfiltration: Stealing sensitive information such as documents, emails, and credentials.
System reconnaissance: Gathering information about the compromised system, such as installed software and network configuration.
Persistence: Establishing a foothold on the compromised system to maintain long-term access.
Command and control (C&C) communication: Communicating with the
Cloud Atlas, also known by aliases such as Clean Ursa, Inception, Oxygen, and Red October, is a well-established threat actor with a history of sophisticated cyberespionage operations. In December 2022, the group was linked to attacks targeting Russia, Belarus, and Transnistria, where they deployed a PowerShell-based backdoor called PowerShower.
This latest campaign involving VBCloud demonstrates the
What Undercode Says:
This campaign by Cloud Atlas underscores several key observations:
Sophistication: The use of a novel malware like VBCloud, combined with the exploitation of a known vulnerability, demonstrates the high level of technical sophistication employed by the threat actor.
Focus on Espionage: The targeting of individuals in specific countries strongly suggests a focus on cyberespionage activities, potentially aimed at gathering intelligence or stealing sensitive information.
Evolving Tactics: The shift from the PowerShell-based PowerShower backdoor to the VBCloud malware highlights the group’s ability to adapt its tactics and techniques to maintain operational effectiveness.
Need for Vigilance: This campaign serves as a stark reminder of the constant threat posed by advanced threat actors and the critical importance of robust cybersecurity defenses, including employee training on phishing threats, regular software updates, and the implementation of effective endpoint security solutions.
This campaign by Cloud Atlas highlights the ongoing challenges faced by organizations in combating sophisticated cyber threats. By understanding the tactics, techniques, and procedures (TTPs) employed by these threat actors, organizations can better protect themselves and mitigate the risks associated with these attacks.
References:
Reported By: Thehackernews.com