Cloud Atlas, a cyber-espionage group known for its focus on Eastern Europe and Central Asia, has significantly upgraded its arsenal in 2024. Recently, the group deployed two advanced tools, VBShower and VBCloud, alongside various PowerShell scripts to infiltrate and exploit targeted systems.
The group has been active since 2014 and uses phishing emails as its primary attack method. These emails deliver a multi-stage infection chain, leading to data theft and system compromise.
The infection begins with phishing emails carrying malicious documents that exploit a well-known formula editor vulnerability (CVE-2018-0802). When opened, these documents download a malicious RTF-formatted template from a remote server, and that template exploits the vulnerability to retrieve an HTML Application (HTA) file.
The RTF and HTA files are designed to be time-sensitive and IP-restricted, ensuring only targeted victims can access them.

The HTA file extracts the components of the VBShower backdoor and deposits them into specific directories on the victim’s system. VBShower then executes additional scripts and installs another backdoor, PowerShower. These tools are used to survey local networks, deepen the intrusion, and exfiltrate data.
VBShower functions primarily as a multifunctional loader. It decrypts and executes payloads hidden within NTFS alternate data streams. Its capabilities include ensuring persistence by adding registry keys that auto-run its components, downloading and executing encrypted VBS scripts from its command-and-control (C2) server, and uploading their output back to the server.
To evade detection, it removes malicious documents and artefacts post-infection.
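The two persistence traits just described, payloads hidden in NTFS alternate data streams and auto-run registry entries, can be swept for on a host. The following PowerShell is an added example written for this article, not code from the article, the researchers or Cloud Atlas tooling; the profile paths, the 30-day window and the script-host pattern are assumptions chosen for illustration.

```powershell
# Added example (not from the article or from any Cloud Atlas tooling): sweep a
# host for the two VBShower traits described above. Paths, the 30-day window and
# the script-host pattern are assumptions chosen for illustration.
param(
    [string[]]$Roots = @("$env:USERPROFILE\AppData", "$env:PUBLIC"),
    [int]$Days = 30
)
$cutoff = (Get-Date).AddDays(-$Days)

# 1. Files carrying a non-default NTFS alternate data stream. ':$DATA' is the
#    primary stream and 'Zone.Identifier' is the mark-of-the-web, so both are benign.
$benignStreams = @(':$DATA', 'Zone.Identifier')
$adsFindings = foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $file = $_
            Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $benignStreams -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        Type   = 'AlternateDataStream'
                        Where  = $file.FullName
                        Detail = "stream '$($_.Stream)', $($_.Length) bytes"
                    }
                }
        }
}

# 2. Run-key entries that launch a script host or script file (the kind of
#    auto-run entry the loader registers for its components).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$scriptHosts = 'wscript|cscript|mshta|powershell|\.vbs|\.hta|\.js'
$runFindings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }) {
        if ([string]$p.Value -match $scriptHosts) {
            [pscustomobject]@{ Type = 'AutoRun'; Where = "$key\$($p.Name)"; Detail = $p.Value }
        }
    }
}

@($adsFindings; $runFindings) | Where-Object { $_ } | Format-Table -AutoSize -Wrap
```

Every hit needs triage rather than automatic action: legitimate installers also register Run entries, and some applications write their own named streams.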
In mid-2024, researchers discovered that Cloud Atlas had introduced VBCloud, an advanced iteration of VBShower. VBCloud uses public cloud storage as its C2 infrastructure and specialises in data exfiltration. It collects detailed system information, including OS details, usernames, and domain names.

It also identifies and archives recently modified files of interest, such as those with DOC, PDF, or XLS extensions, encrypts them, and uploads them to cloud storage before deleting the local copies. Furthermore, VBCloud downloads additional scripts, executes them in memory, and removes them from cloud storage to minimise evidence.
PowerShower operates as a complementary backdoor to VBShower, executing PowerShell scripts for network reconnaissance and lateral movement. It harvests credentials using dictionary attacks and Kerberoasting via PowerSploit tools. PowerShower also inspects local directories for sensitive information and uploads its findings to the C2 server.
Additionally, it enumerates Active Directory structures to map local groups, administrator accounts, and domain controllers, expanding its reach within the targeted network.
Researchers have urged organisations to defend against such sophisticated attacks proactively. Regularly updating software to patch vulnerabilities like CVE-2018-0802 is vital. Employing advanced email security measures to detect and block phishing attempts and comprehensive employee training can significantly reduce risks. Additionally, monitoring network traffic for anomalous behaviour that may indicate C2 communication is crucial.