Category | Details |
---|---|
Threat Actors | • Cloud Atlas (active since at least 2014). |
Campaign Overview | • 2024 campaign against targets in Eastern Europe and Central Asia. • Initial access via phishing emails carrying documents that exploit CVE-2018-0802 in the Office Equation Editor. • The toolset pairs the established VBShower and PowerShower backdoors with a newly documented backdoor, VBCloud, which gives the source article its title. |
Target Regions | • Eastern Europe, Central Asia |
Methodology | • The phishing attachment is a document that loads a malicious RTF template from an attacker-controlled server; the template carries the Equation Editor exploit (CVE-2018-0802). • The exploit downloads an HTA file, which drops the VBShower backdoor; VBShower then installs PowerShower and VBCloud. • Scripts and payloads are staged in NTFS alternate data streams (ADS) of otherwise unremarkable files and executed from there, so a plain directory listing shows nothing unusual. |
Product Targeted | • Microsoft Office on Windows. The exploited component is the legacy Equation Editor (EQNEDT32.EXE), so only installations that never received the January 2018 Office updates are exposed. |
Malware Reference | • VBShower: VBScript backdoor and launcher; decrypts and runs further stages, downloads payloads, and can collect and exfiltrate files. • PowerShower: PowerShell backdoor whose main job is to download and execute additional PowerShell scripts from the C2 server. • VBCloud: new VBScript backdoor, functionally similar to VBShower, that uses public cloud storage reached over WebDAV as its command-and-control and exfiltration channel. |
Tools Used | • VBShower: first-stage launcher; installs VBCloud and PowerShower, and its cleaner component removes the dropper artifacts left behind by the initial infection. • PowerShower and VBCloud: second-stage backdoors that fetch and run further scripts and move files in and out over the C2 channel. |
Vulnerabilities Exploited | • CVE-2018-0802: stack buffer overflow in EQNEDT32.EXE, the Office Equation Editor; a crafted embedded equation object gives code execution as the user when the document is opened. Patched by Microsoft in January 2018 (the Equation Editor was removed outright), yet still a reliable lure against unpatched Office installs. |
TTPs | • Spearphishing attachment that pulls a remote RTF template (ATT&CK T1566.001, T1221). • NTFS alternate data streams (ADS) to hide scripts and payloads (T1564.004). • HTA and VBScript stages, which means mshta.exe and wscript.exe/cscript.exe are the script hosts to watch (T1218.005, T1059.005), plus PowerShell for PowerShower (T1059.001). • Download and execution of additional payloads. • File exfiltration over WebDAV to public cloud storage (T1567.002). |
Attribution | • Cloud Atlas (also tracked as Inception). |
Recommendations | • Patch Office; any install still carrying EQNEDT32.EXE is missing updates from 2018 onward. • Filter RTF attachments and documents with external template references at the mail gateway, and keep Protected View enabled for files from the internet. • Hunt for named NTFS streams (`dir /r`, or `Get-Item -Stream *` in PowerShell) and for script hosts launched with an ADS path (a command line containing `file.ext:name`). • Turn on PowerShell script block logging and AMSI and alert on downloaded scripts executed from memory, rather than blanket-blocking PowerShell, which administrators rely on. • Monitor outbound WebDAV connections to public cloud storage from workstations. • Watch for unusual processes and persistence-related registry changes. |
Source | Securelist by Kaspersky |
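The lure chain in the Methodology row (a document that pulls a remote template, and an RTF carrying an Equation Editor object) can be triaged statically before anything is opened. The script below is an added example, not code from the Securelist article or from Cloud Atlas' tooling: the sample RTF, the DOCX and the OLE header bytes are constructed inline, the `example.invalid` URL is a placeholder, the threshold-free indicator names are this example's own, and the OLE1 header is an approximation rather than a working exploit object. For real casework pair it with oletools' `rtfobj`, which parses `\objdata` properly; the heuristics here are deliberately simple and an obfuscated RTF can evade them.

```python
"""Static triage of Office lures: a DOCX with an external template and an RTF
embedding an Equation Editor (Equation.3) object.  Added example; heuristic only."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# CLSID of Equation Editor 3.0, {0002CE02-0000-0000-C000-000000000046}, in the
# mixed-endian byte order used inside OLE compound files.
EQUATION_CLSID_BYTES = bytes.fromhex("02ce020000000000c000000000000046")
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
_TEMPLATE_RE = re.compile(rb"\\\*\\template\s+([^{}\\\s]+)")
STRONG_PREFIXES = ("remote-template:", "objdata:")


def docx_remote_template(data):
    """Return the external template URL of a DOCX, or None.  Word stores it as an
    attachedTemplate relationship with TargetMode="External" in settings.xml.rels."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if "word/_rels/settings.xml.rels" not in z.namelist():
                return None
            rels = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
    except (zipfile.BadZipFile, ET.ParseError):
        return None
    for rel in rels.iter(REL_NS + "Relationship"):
        if rel.get("Type", "").endswith("/attachedTemplate") and rel.get("TargetMode") == "External":
            return rel.get("Target")
    return None


def rtf_indicators(data):
    """Indicator labels (this example's own names) found in an RTF byte string."""
    hits = []
    head = data.lstrip()[:5]
    if head.startswith(b"{\\rt") and not head.startswith(b"{\\rtf"):
        hits.append("truncated-rtf-header")          # Word tolerates '{\rt'; benign writers don't emit it
    m = _TEMPLATE_RE.search(data)
    if m:
        hits.append("remote-template:" + m.group(1).decode("latin-1"))
    if b"\\objupdate" in data:
        hits.append("objupdate")                      # forces the OLE object to load on open
    if re.search(rb"\\objclass\s*Equation\.3", data):
        hits.append("objclass:Equation.3")
    for blob in _OBJDATA_RE.findall(data):
        h = re.sub(rb"\s+", b"", blob)
        h = h[: len(h) - len(h) % 2]                  # drop a dangling nibble instead of raising
        raw = bytes.fromhex(h.decode("ascii"))
        if b"Equation.3" in raw:
            hits.append("objdata:Equation.3-classname")
        if EQUATION_CLSID_BYTES in raw:
            hits.append("objdata:Equation-Editor-CLSID")
        if "Equation Native".encode("utf-16-le") in raw:   # stream name inside the embedded OLE file
            hits.append("objdata:Equation-Native-stream")
    return hits


def triage(data):
    """Verdict for one attachment: 'suspicious' on a strong indicator, 'review' on
    weak ones, 'clean' otherwise."""
    template = docx_remote_template(data)
    hits = ["remote-template:" + template] if template is not None else rtf_indicators(data)
    strong = [h for h in hits if h.startswith(STRONG_PREFIXES)]
    verdict = "suspicious" if strong else ("review" if hits else "clean")
    return {"indicators": hits, "verdict": verdict}


# --- constructed samples (not real malware) ------------------------------------
def _constructed_equation_objdata():
    # Approximation of an OLE1 object header: OLEVersion, FormatID, length-prefixed
    # class name, then the Equation Editor CLSID bytes.  Constructed for this example.
    name = b"Equation.3\x00"
    header = b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00" + len(name).to_bytes(4, "little") + name
    return (header + EQUATION_CLSID_BYTES).hex().encode("ascii")


def _constructed_docx(template_url):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels",
                   '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                   '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
                   f'2006/relationships/attachedTemplate" Target="{template_url}" TargetMode="External"/>'
                   '</Relationships>')
    return buf.getvalue()


SAMPLE_EXPLOIT_RTF = (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
                      b"{\\*\\objdata " + _constructed_equation_objdata() + b"}}}")
SAMPLE_BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Hello from a plain document.\\par}"
SAMPLE_DOCX = _constructed_docx("http://example.invalid/template.rtf")

if __name__ == "__main__":
    for label, sample in [("exploit rtf", SAMPLE_EXPLOIT_RTF), ("benign rtf", SAMPLE_BENIGN_RTF), ("docx", SAMPLE_DOCX)]:
        print(label, triage(sample))
```

The DOCX check is the cheap, high-signal one: a document whose `settings.xml.rels` points at an HTTP template has no business arriving by e-mail. The RTF checks only become strong once the decoded `\objdata` shows the Equation Editor class name or CLSID; `\objupdate` on its own is a weak hint and is reported as "review".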
Read full article: https://securelist.com/cloud-atlas-attacks-with-new-backdoor-vbcloud/115103/
The above summary has been generated by an AI language model
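The NTFS alternate data stream technique from the TTPs row has two observable sides: a named stream sitting on an ordinary file, and a script host started with a `host.txt:payload.vbs` style path. The code below is an added example, not the article's or Cloud Atlas' own code: the stream classifier and the command-line check run anywhere on constructed sample data, while `list_streams` and `scan_tree` call the real `FindFirstStreamW`/`FindNextStreamW` API through ctypes and therefore only work on Windows. The extension list, the 4096-byte size threshold, the `Zone.Identifier` allowlist and the sample paths and command lines are this example's assumptions.

```python
"""Hunt for scripts staged in NTFS alternate data streams (ADS) and for processes
launched from an ADS path.  Added example; the ctypes part needs Windows."""
import ctypes
import os
import re
import sys

# Extensions a dropper would use for a stream it intends to run (assumption; extend as needed).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".hta", ".ps1", ".bat", ".cmd", ".exe", ".dll"}
# Zone.Identifier is the Mark-of-the-Web stream Windows writes on downloads: expected noise.
BENIGN_ADS = {"Zone.Identifier"}
LARGE_STREAM_BYTES = 4096  # assumption: tune to the environment


def parse_stream_name(stream):
    """Split a raw stream name as FindFirstStreamW returns it, ':name:$DATA'.
    The unnamed default stream (the file's ordinary content) is '::$DATA'."""
    parts = stream.split(":")
    name = parts[1] if len(parts) > 1 else ""
    kind = parts[2] if len(parts) > 2 else ""
    return name, kind


def suspicious_streams(path, streams):
    """Classify (raw_stream_name, size) pairs of one file; returns (path, name, size, reason)."""
    findings = []
    for raw, size in streams:
        name, kind = parse_stream_name(raw)
        if not name or kind != "$DATA" or name in BENIGN_ADS:
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext in SCRIPT_EXTS:
            findings.append((path, name, size, f"script/executable extension {ext}"))
        elif size >= LARGE_STREAM_BYTES:
            findings.append((path, name, size, f"{size}-byte named stream"))
    return findings


# A path of the form C:\dir\host.txt:payload.vbs in a command line is a file being
# executed straight out of an ADS (e.g. by wscript.exe).  Matches the whole path.
_ADS_PATH_RE = re.compile(r'(?i)\b[a-z]:\\[^:"\s]+:[\w.\-]+(?::\$DATA)?')


def ads_paths_in_cmdline(cmdline):
    """ADS paths referenced by a process command line (e.g. from Sysmon event 1)."""
    return _ADS_PATH_RE.findall(cmdline)


class _FIND_STREAM_DATA(ctypes.Structure):
    # WIN32_FIND_STREAM_DATA: LARGE_INTEGER StreamSize; WCHAR cStreamName[MAX_PATH + 36]
    _fields_ = [("StreamSize", ctypes.c_longlong), ("cStreamName", ctypes.c_wchar * 296)]


def list_streams(path):
    """Windows only: every stream of `path` as (raw_name, size) via FindFirstStreamW."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.POINTER(_FIND_STREAM_DATA), ctypes.c_ulong]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.POINTER(_FIND_STREAM_DATA)]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = _FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle is None or handle == ctypes.c_void_p(-1).value:       # NULL / INVALID_HANDLE_VALUE
        return []
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def scan_tree(root):
    """Windows only: walk `root` and report suspicious named streams."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            findings.extend(suspicious_streams(p, list_streams(p)))
    return findings


# Constructed sample data so the classifier can be exercised on any platform.
CONSTRUCTED_STREAMS = [("::$DATA", 120), (":Zone.Identifier:$DATA", 26),
                       (":update.vbs:$DATA", 3900), (":blob:$DATA", 65536), (":notes:$DATA", 40)]
CONSTRUCTED_CMDLINES = [
    r'"C:\Windows\System32\wscript.exe" //B "C:\Users\u\AppData\Local\Temp\readme.txt:update.vbs"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File C:\ops\inventory.ps1',
]

if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) > 1:
        for hit in scan_tree(sys.argv[1]):
            print(*hit)
    else:
        for hit in suspicious_streams(r"C:\Users\u\readme.txt", CONSTRUCTED_STREAMS):
            print(*hit)
        for line in CONSTRUCTED_CMDLINES:
            print(ads_paths_in_cmdline(line))
```

Run it as `python ads_hunt.py C:\Users` on a Windows host to sweep user profiles; the same `suspicious_streams` logic can be fed the output of `Get-Item -Stream *` if ctypes is not an option. The command-line check is the cheaper detection to deploy at scale, since it needs only the process-creation telemetry most EDR and Sysmon deployments already collect.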