The threat actor known as Cloud Atlas has been observed using a previously undocumented malware called VBCloud as part of its cyber attack campaigns targeting “several dozen users” in 2024.
“Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code,” Kaspersky researcher Oleg Kupreev said in an analysis published this week.
More than 80% of the targets were located in Russia. A lesser number of victims have been reported from Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.
Also referred to as Clean Ursa, Inception, Oxygen, and Red October, Cloud Atlas is an unattributed threat activity cluster that has been active since 2014. In December 2022, the group was linked to cyber attacks aimed at Russia, Belarus, and Transnistria that deployed a PowerShell-based backdoor called PowerShower.
Then exactly a year later, Russian cybersecurity company F.A.C.C.T. revealed that various entities in the country were targeted by spear-phishing attacks that exploited an old Microsoft Office Equation Editor flaw (CVE-2017-11882) to drop a Visual Basic Script (VBS) payload responsible for downloading an unknown next-stage VBS malware.
Kaspersky’s latest report reveals that these components are part of what it calls VBShower, which is then used to download and install PowerShower as well as VBCloud.
The starting point of the attack chain is a phishing email that contains a booby-trapped Microsoft Office document that, when opened, downloads a malicious template formatted as an RTF file from a remote server. It then abuses CVE-2018-0802, another flaw in the Equation Editor, to fetch and run an HTML Application (HTA) file hosted on the same server.
“The exploit downloads the HTA file via the RTF template and runs it,” Kupreev said. “It leverages the alternate data streams (NTFS ADS) feature to extract and create several files at %APPDATA%RoamingMicrosoftWindows. These files make up the VBShower backdoor.”
This includes a launcher, which acts as a loader by extracting and running the backdoor module in memory. The other VB Script is a cleaner that cares of erasing the contents of all files inside the “LocalMicrosoftWindowsTemporary Internet FilesContent.Word” folder, in addition to those within itself and the launcher, thereby covering up evidence of the malicious activity.
The VBShower backdoor is designed to retrieve more VBS payloads from the command-and-control (C2) server that comes with capabilities to reboot the system; gather information about files in various folders, names of running processes, and scheduler tasks; and install PowerShower and VBCloud.
PowerShower is analogous to VBShower in functionality, the chief difference being that it downloads and executes next-stage PowerShell scripts from the C2 server. It’s also equipped to serve as a downloader for ZIP archive files.
As many as seven PowerShell payloads have been observed by Kaspersky. Each of them carries out a distinct task as follows –
- Get a list of local groups and their members on remote computers via Active Directory Service Interfaces (ADSI)
- Conduct dictionary attacks on user accounts
- Unpack the ZIP archive downloaded by PowerShower and execute a PowerShell script contained within it in order to carry out a Kerberoasting attack, which is a post-exploitation technique for obtaining credentials for Active Directory accounts
- Get a list of administrator groups
- Get a list of domain controllers
- Get information about files inside the ProgramData folder
- Get the account policy and password policy settings on the local computer
VBCloud also functions a lot like VBShower, but utilizes public cloud storage service for C2 communications. It gets triggered by a scheduled task every time a victim user logs into the system.
The malware is equipped to harvest information about disks (drive letter, drive type, media type, size, and free space), system metadata, files and documents matching extensions DOC, DOCX, XLS, XLSX, PDF, TXT, RTF, and RAR, and files related to the Telegram messaging app.
“PowerShower probes the local network and facilitates further infiltration, while VBCloud collects information about the system and steals files,” Kupreev said. “The infection chain consists of several stages and ultimately aims to steal data from victims’ devices.”
