| Category | Details |
|---|---|
| Threat Actors | Cloud Atlas (also known as Clean Ursa, Inception, Oxygen, and Red October). |
| Campaign Overview | A cyberattack campaign using the VBShower, PowerShower, and VBCloud malware variants to exploit vulnerabilities, steal data, and infiltrate networks. |
| Target Regions | Primarily Russia (80% of targets); additional victims in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam. |
| Methodology | Spear-phishing emails with malicious Office documents exploiting CVE-2018-0802 and CVE-2017-11882 to download and execute malware. |
| Products Targeted | Microsoft Office (Equation Editor vulnerabilities); files with extensions such as DOC, DOCX, XLS, XLSX, PDF, TXT, RTF, and RAR; Telegram-related files. |
| Malware Reference | VBShower, PowerShower, and VBCloud. |
| Tools Used | Spear-phishing emails, malicious RTF templates, VBScript payloads, PowerShell scripts, NTFS alternate data streams (ADS), and public cloud storage for C2 communications. |
| Vulnerabilities Exploited | CVE-2018-0802 and CVE-2017-11882 (Equation Editor vulnerabilities in Microsoft Office). |
| TTPs | Exploiting vulnerabilities, phishing emails, file exfiltration, lateral movement, credential theft (Kerberoasting), and covering tracks via file-cleaning scripts. |
| Attribution | Active since 2014; linked to campaigns in Russia, Belarus, and Transnistria; uses PowerShell- and VBScript-based tools for multi-stage attacks. |
| Recommendations | Apply patches for CVE-2018-0802 and CVE-2017-11882, train employees on phishing awareness, monitor system logs, and restrict network and file access. |
| Source | The Hacker News |
Read full article: https://thehackernews.com/2024/12/cloud-atlas-deploys-vbcloud-malware.html
The above summary has been generated by an AI language model