Cloud Atlas Deploys VBCloud Malware: Over 80% of Targets Found in Russia
Cloud Atlas VBCloud Malware Analysis and Phishing Attacks:
Key Highlights
Cloud Atlas Malware Campaign:
- Threat Actor: Cloud Atlas, an unattributed threat activity cluster active since 2014, has been observed using a previously undocumented malware called VBCloud [1][3].
- Malware Deployment: The malware is deployed via phishing emails containing malicious documents that exploit a vulnerability in Microsoft Office's formula editor (CVE-2018-0802) [1][2].
CVE-2018-0802 Exploitation:
- Vulnerability: The malicious document fetches an RTF template that triggers the exploit, which downloads an HTML Application (HTA) file and runs it. The HTA abuses NTFS alternate data streams (ADS) to extract and create several files at %APPDATA%\Roaming\Microsoft\Windows. These files make up the VBShower backdoor [1].
Malware Functionality:
- VBShower Backdoor: Designed to retrieve more VBS payloads from a command-and-control (C2) server. It has capabilities to reboot the system, gather information about files and processes, and install PowerShower and VBCloud [1].
- PowerShower: Similar to VBShower but downloads and executes next-stage PowerShell scripts from the C2 server. It also serves as a downloader for ZIP archive files [1].
- VBCloud: Utilizes public cloud storage for C2 communications. It gets triggered by a scheduled task every time a victim user logs into the system. VBCloud collects and uploads system information and other data, employing various PowerShell scripts to perform tasks on the victim's system [1][3].
Targeting Russian Users:
- Primary Targets: Over 80% of the targets were located in Russia. A smaller number of victims have been reported from Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam [1].
Attack Chain:
- The infection chain consists of several stages:
- Phishing Email: Contains a booby-trapped Microsoft Office document.
- RTF Template: Downloads a malicious template formatted as an RTF file from a remote server.
- CVE-2018-0802 Exploit: Abuses the flaw in the Equation Editor to fetch and run an HTA file.
- VBShower Backdoor: Extracts and creates several files at %APPDATA%\Roaming\Microsoft\Windows.
- PowerShower and VBCloud Installation: Retrieves and installs PowerShower and VBCloud payloads [1].
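Two steps of the chain above leave host telemetry that a defender can match on: the Equation Editor hop into an HTA (an Office-related parent spawning mshta.exe) and the ADS-backed file drop under the roaming %APPDATA%\Microsoft\Windows folder. The script below is an added example, not code from Kaspersky's report or from the campaign; it runs the two checks over constructed Sysmon-style records (Event ID 1 process creation, Event ID 15 stream creation), and the field names, sample paths and URL are assumptions for the demo.

```python
import re
from typing import Dict, List

# Parents and children that matter for the Equation Editor -> HTA hop in the chain
OFFICE_PARENTS = {"eqnedt32.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# NTFS ADS path ("file.ext:stream") under the roaming %APPDATA%\Microsoft\Windows folder
ADS_RE = re.compile(r"\\appdata\\.*\\microsoft\\windows\\[^\\:]+:[^\\:]+$", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(event: Dict[str, str]) -> List[str]:
    """Sysmon EID 1 style record: flag Office/Equation Editor spawning a script host."""
    parent, child = _basename(event.get("ParentImage", "")), _basename(event.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        return [f"{parent} spawned {child}: {event.get('CommandLine', '')}"]
    return []


def check_stream_create(event: Dict[str, str]) -> List[str]:
    """Sysmon EID 15 style record: flag an ADS written under the roaming Microsoft\\Windows folder."""
    target = event.get("TargetFilename", "")
    return [f"ADS written in APPDATA: {target}"] if ADS_RE.search(target) else []


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Run both checks over a batch of events and collect the alerts."""
    alerts: List[str] = []
    for ev in events:
        if ev.get("EventID") == "1":
            alerts += check_process_create(ev)
        elif ev.get("EventID") == "15":
            alerts += check_stream_create(ev)
    return alerts


# Constructed sample events; the paths and URL are placeholders, not real indicators
SAMPLE_EVENTS = [
    {"EventID": "1", "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\mshta.exe", "CommandLine": "mshta http://template.example.invalid/t.hta"},
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe", "CommandLine": r"mshta C:\tools\local.hta"},
    {"EventID": "15", "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\settings.dat:stage1"},
    {"EventID": "15", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.docx:Zone.Identifier"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Only the Equation Editor-to-mshta.exe launch and the ADS drop under the roaming profile fire; a locally launched HTA and an ordinary Zone.Identifier stream stay quiet.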
Detailed Context
Cloud Atlas has been linked to various cyber attacks since 2014, including spear-phishing attacks that exploited old Microsoft Office Equation Editor flaws to drop Visual Basic Script (VBS) payloads [1]. The latest campaign involves the deployment of VBCloud malware, which primarily targets Russian users. The malware uses phishing emails containing malicious documents that exploit CVE-2018-0802 to download and execute malware code.
Trustworthy Citations
- Kaspersky Research: Oleg Kupreev's analysis published this week details the attack chain and functionality of VBShower and VBCloud [1].
- Kaspersky Reports: Mentioned in multiple sources, including The Hacker News and TechEpages, for its comprehensive analysis of the malware and its exploitation techniques [1][2].
- Cloud Atlas APT Profile: Risky Business and Morningstar Security News provide additional context on Cloud Atlas's activities and the new tool VBCloud [3][5].