Cloud Atlas Strikes Spear-Phishing Strikes

A cyber threat Cloud Atlas has been implicated in a series of targeted spear-phishing attacks directed at enterprises within Russia, specifically aimed at a prominent agro-industrial enterprise and a state-owned research institution.

F.A.C.C.T., an independent cybersecurity entity established post Group-IB’s withdrawal from Russia, revealed these attacks, shedding light on Cloud Atlas, an enigmatic cyber espionage group also recognized as Clean Ursa, Inception, Oxygen, and Red October, operating since at least 2014.

An extensive report by Check Point and Positive Technologies in December 2022 detailed the intricate stages of these attacks, unveiling the deployment of a PowerShell-based backdoor named PowerShower alongside DLL payloads capable of communicating with servers controlled by the threat actor. These attacks initiate with phishing messages embedded within lure documents exploiting CVE-2017-11882, a six-year-old memory corruption flaw within Microsoft Office’s Equation Editor, a tactic Cloud Atlas has been using since October 2018.

The observations in August 2019 highlighted the actor’s utilization of straightforward yet potent methods in its massive spear-phishing endeavors. Unlike other intrusion groups, Cloud Atlas refrains from using open-source implants to avoid detection.

Recent assessments from F.A.C.C.T. paralleled Positive Technologies’ descriptions, outlining the exploitation of CVE-2017-11882 via RTF template injections, enabling the execution of shellcode facilitating the download and execution of obfuscated HTA files. Notably, the malicious emails are sent through popular Russian email services like Yandex Mail.

The subsequent launch of malicious HTML applications triggers Visual Basic Script (VBS) files, ultimately fetching and executing undisclosed VBS code from a remote server.

Positive Technologies emphasized Cloud Atlas’ meticulous planning and consistency in attacks, maintaining an unchanged toolkit while evading detection by employing one-time payload requests, leveraging legitimate cloud storage, and exploiting well-documented software features, especially within Microsoft Office.

In parallel developments, reports surfaced of at least 20 Russian organizations falling victim to Decoy Dog, a modified version of Pupy RAT, attributed to an advanced persistent threat actor known as Hellhounds. This actively maintained malware allows remote control of infected hosts and transmits telemetry data to an automated account on Mastodon, adding complexities to its detection and analysis following its initial exposure by security researchers Stanislav Pyzhov and Aleksandr Grigorian.

To safeguard against the targeted spear-phishing assaults orchestrated by Cloud Atlas, organizations can fortify their defenses through a multi-pronged approach. Implementing stringent email security protocols, including advanced threat detection systems and continuous employee training, serves as a crucial defense against these sophisticated attacks. Employing behavioral analytics tools to monitor network activities enables the swift detection of suspicious patterns, bolstering the organization’s ability to thwart potential intrusions.