
Cloud Atlas hackers use old Office flaws in cyber espionage campaign

Take action: If you are using Microsoft Office and haven't patched it since 2018, you deserve to be hacked. Be mindful of unexpected emails and don't open attachments unless your Microsoft Office is fully patched. Also make sure Windows is patched and that you have an active, up-to-date antivirus.

Kaspersky researchers have detailed a sophisticated cyber espionage campaign after analysing the activities of the threat actor known as Cloud Atlas (also tracked as Clean Ursa, Inception, Oxygen, and Red October).

The group, which has been active since 2014, has been observed targeting several dozen users in 2024 with a previously undocumented malware called VBCloud. The campaign has primarily focused on Russia, which accounts for over 80% of the victims, with additional targets identified in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.

The attack chain begins with phishing emails carrying malicious Microsoft Office documents. When opened, these documents download a malicious RTF template that exploits CVE-2018-0802 (CVSS score 7.8), a vulnerability in the Microsoft Office Equation Editor, to fetch and execute an HTML Application (HTA) file. This initial compromise leads to the deployment of a multi-stage malware arsenal made up of three main components: VBShower, PowerShower, and VBCloud.

The VBShower backdoor serves as the initial payload, deploying a launcher and a cleaner component. It is capable of rebooting the system, gathering system information, and installing additional payloads. The malware uses NTFS alternate data streams (ADS) to extract and drop several files on the Windows system, and its cleaning routines erase evidence of its activities.

PowerShower, a PowerShell-based backdoor, functions as a sophisticated tool for network infiltration and reconnaissance. It downloads and executes additional PowerShell scripts with various capabilities, including Active Directory enumeration, dictionary attacks, Kerberoasting attacks for credential harvesting, administrator group enumeration, domain controller discovery, and password policy analysis.

The third component, VBCloud, represents an evolution in the group's tactics: it uses public cloud storage for command-and-control communications. The malware runs through a scheduled task at user login and focuses on data collection, targeting specific file types including office documents (DOC, DOCX, XLS, XLSX), PDFs, text files, and even Telegram-related files. It also gathers comprehensive system information, including disk details and system metadata.