A sophisticated cyber-espionage group known as Cloud Atlas has been observed leveraging a critical Microsoft Office vulnerability to launch targeted attacks against organizations in Eastern Europe and Central Asia.
According to researchers, the group, active since 2014, has recently unveiled a new toolset that significantly enhances its ability to evade detection and compromise high-value targets.
The primary infection vector employed by Cloud Atlas involves carefully crafted phishing emails containing malicious documents. These documents exploit a vulnerability in Microsoft Office’s formula editor (CVE-2018-0802) to initiate a complex infection chain that ultimately leads to the deployment of advanced backdoors.
When a victim opens the malicious document, it triggers the download of a remote template file in RTF format from a server controlled by the attackers.
2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide
This template contains an exploit for the formula editor vulnerability, which in turn downloads and executes an HTML Application (HTA) file hosted on the same command and control (C2) server.
To evade detection and limit exposure, Cloud Atlas has implemented strict controls on the distribution of their malware. The RTF and HTA file downloads are restricted to specific time slots and can only be accessed from IP addresses within the targeted regions.
Once executed, the HTA file extracts and writes several components of the VBShower backdoor to the victim’s disk. VBShower then proceeds to download and install an additional backdoor called PowerShower, researchers noted.
This infection scheme has remained relatively consistent since its initial discovery in 2019, with only minor modifications over the years.
In a significant evolution of their tactics, Cloud Atlas has introduced a new backdoor called VBCloud. This implant replicates many of the capabilities previously associated with a separate DLL module, including the ability to download and execute malicious plug-ins, communicate with cloud servers, and perform various system tasks.
VBCloud was first detected in August 2023 and has since undergone numerous variations to maintain its stealthy profile.
The updated attack chain now involves loading VBCloud via VBShower, which also downloads the PowerShower module. PowerShower is responsible for probing the local network and facilitating further infiltration, while VBCloud focuses on collecting system information and exfiltrating files of interest.
Cloud Atlas has demonstrated a particular interest in targeting industries such as aerospace and international economics, as well as government agencies and religious organizations. Countries affected by their operations include Portugal, Romania, Turkey, Ukraine, Russia, Turkmenistan, Afghanistan, and Kyrgyzstan, among others.
The group’s persistent evolution and adoption of polymorphic malware techniques highlight the ongoing challenges faced by cybersecurity professionals in detecting and mitigating advanced persistent threats.
As Cloud Atlas continues to refine its tools and tactics, organizations in the targeted regions must remain vigilant and implement robust security measures to protect against these sophisticated cyber-espionage campaigns.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free