Cloud Atlas Targets Russia with New VBCloud Malware
Cloud Atlas Cyber Attacks: New VBCloud Malware Targets Several Dozen Users in 2024, Mostly in Russia
In 2024, the threat actor known as Cloud Atlas was observed deploying a previously undocumented malware family named VBCloud. It was used in a series of attack campaigns that hit several dozen users, the large majority of them in Russia. Kaspersky researcher Oleg Kupreev described the infection chain in the company's analysis of the campaigns.
Understanding the VBCloud Malware Attack
VBCloud reaches its victims through phishing emails carrying a malicious Microsoft Office document. Opening the document triggers exploitation of CVE-2018-0802, a memory-corruption bug in the Microsoft Office Equation Editor (EQNEDT32.EXE) that Microsoft patched in January 2018, to download and execute the next stage. The exploit only works on installations that never received that update, which is why a six-year-old bug still carries the chain.
- Geographic distribution of attacks:
  - Over 80% of the victims are based in Russia.
  - Other affected countries include Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.
Cloud Atlas, also tracked as Clean Ursa, Inception, Oxygen, and Red October, has been active since 2014. In December 2022 the group was attributed cyber attacks against Russia, Belarus, and Transnistria that deployed a PowerShell-based backdoor called PowerShower.
Phishing Tactics and Malware Chain
Kaspersky's analysis shows that the chain starts with a phishing email carrying a malicious Microsoft Office document. When the document is opened, it fetches a malicious template, formatted as an RTF file, from a remote server.
- The RTF template exploits CVE-2018-0802 to download and execute an HTML Application (HTA) file, which installs the VBShower backdoor.
- VBShower then retrieves additional VBS payloads from a command-and-control (C2) server.
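The remote template is the one artifact in this chain a defender can spot before any exploit runs: Word records the link in the document's relationship parts, not in the visible body. The following scanner is an added example, not code from Kaspersky's report or from the malware; it builds a minimal `.docx` in memory as constructed sample input, and the `203.0.113.10` address and the function names (`build_sample_docx`, `find_remote_templates`, `is_network_target`, `verdict`) are placeholders chosen for the example.

```python
"""Flag Office documents that pull a remote template (the first link of the
Cloud Atlas chain). Added example; the .docx below is constructed in memory
and the URL is a placeholder from the documentation address range."""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import List, Optional, Tuple
from urllib.parse import urlparse

PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx (sample input). Word stores a template link
    in word/_rels/settings.xml.rels, not in the visible document body."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            f'<Relationships xmlns="{PKG_NS[1:-1]}">']
    if template_target is not None:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


def find_remote_templates(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (rels part, target) for every external attachedTemplate
    relationship in the package. Every .rels part is checked, not only
    settings.xml.rels, so a link placed elsewhere is still found."""
    hits: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            # The stdlib parser is fine for this offline sample; feed
            # untrusted files through defusedxml in production.
            root = ET.fromstring(z.read(name))
            for rel in root.iter(PKG_NS + "Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    hits.append((name, rel.get("Target", "")))
    return hits


def is_network_target(target: str) -> bool:
    """True for http(s)/ftp URLs and UNC paths. A local drive path such as
    C:\\Templates\\Normal.dotm parses with scheme 'c' and is not flagged."""
    scheme = urlparse(target).scheme.lower()
    return scheme in {"http", "https", "ftp"} or target.startswith("\\\\")


def verdict(docx_bytes: bytes) -> str:
    remote = [t for _, t in find_remote_templates(docx_bytes) if is_network_target(t)]
    if not remote:
        return "clean: no network template"
    return "suspicious: remote template " + ", ".join(remote)


if __name__ == "__main__":
    samples = {
        "benign": build_sample_docx(None),
        "local template": build_sample_docx("C:\\Templates\\Normal.dotm"),
        "lure": build_sample_docx("http://203.0.113.10/template.rtf"),
    }
    for label, doc in samples.items():
        print(f"{label}: {verdict(doc)}")
```

Run it against a real mailbox sample by passing the file's bytes to `verdict`; a document whose attached template points at an HTTP host it has no business contacting is worth detonating in a sandbox before anyone opens it in Word.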
Key Features of VBShower and PowerShower Malware
The VBShower backdoor has been engineered to perform a variety of malicious tasks, including:
- Retrieving more VBS payloads.
- Rebooting the infected system.
- Collecting data about files and running processes.
- Installing the PowerShower and VBCloud malware.
PowerShower works like VBShower, the main difference being that it downloads and executes PowerShell scripts from the C2 server. Kaspersky identified at least seven distinct PowerShell payloads, each built for a specific post-compromise task, among them:
- Dictionary attacks against user accounts.
- Kerberoasting, which requests Kerberos service tickets for accounts that have service principal names registered, then cracks the tickets offline to recover those service accounts' passwords.
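Both payload behaviours leave a recognisable footprint in Windows Security logs: Kerberoasting shows up as one account requesting RC4- or DES-encrypted service tickets (event 4769) for many distinct service accounts in a short window, and a dictionary attack as a burst of failed logons (event 4625) against one account from one source. The detection logic below is an added example, not part of Kaspersky's report; the event records are constructed sample data with field names that follow the two event IDs, and the thresholds are starting points to tune, not values from the page.

```python
"""Detection logic for the two PowerShower payload behaviours described
above, run over constructed Windows Security event records (sample data,
not real logs). Added example; thresholds are illustrative."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# 4769 TicketEncryptionType values that are crackable offline.
WEAK_ETYPES = {"0x1", "0x3", "0x17"}  # DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC


def kerberoast_candidates(events: List[dict], min_services: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Accounts that requested weak-etype service tickets for at least
    min_services distinct services within one window. Computer accounts
    (names ending in $) and krbtgt are skipped: those tickets are routine
    and are not what Kerberoasting cracks."""
    by_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["event_id"] != 4769 or e["status"] != "0x0":
            continue
        svc = e["service_name"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if e["ticket_encryption_type"].lower() not in WEAK_ETYPES:
            continue
        by_user[e["target_user"]].append((datetime.fromisoformat(e["time"]), svc))
    flagged: Dict[str, int] = {}
    for user, reqs in by_user.items():
        reqs.sort()
        best = 0
        for i, (t0, _) in enumerate(reqs):  # window anchored at each request
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            best = max(best, len(services))
        if best >= min_services:
            flagged[user] = best
    return flagged


def dictionary_attack_candidates(events: List[dict], min_failures: int = 10,
                                 window: timedelta = timedelta(minutes=5)) -> Dict[Tuple[str, str], int]:
    """(source IP, account) pairs with at least min_failures failed logons
    inside one window: many guesses at one account from one host."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in events:
        if e["event_id"] != 4625:
            continue
        by_pair[(e["ip_address"], e["target_user"])].append(datetime.fromisoformat(e["time"]))
    flagged: Dict[Tuple[str, str], int] = {}
    for pair, times in by_pair.items():
        times.sort()
        j, best = 0, 0
        for i in range(len(times)):  # two-pointer sliding window
            while times[i] - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_failures:
            flagged[pair] = best
    return flagged


def _t(minute: int, second: int = 0) -> str:
    return f"2024-11-05T09:{minute:02d}:{second:02d}"


# Constructed sample events (not real logs).
SAMPLE_EVENTS: List[dict] = [
    # Routine: an AES ticket and a computer-account ticket for alice.
    {"event_id": 4769, "time": _t(0), "target_user": "alice",
     "service_name": "MSSQLSvc/db01.corp.local", "ticket_encryption_type": "0x12", "status": "0x0"},
    {"event_id": 4769, "time": _t(0, 5), "target_user": "alice",
     "service_name": "WS01$", "ticket_encryption_type": "0x17", "status": "0x0"},
    # A single mistyped password from carol.
    {"event_id": 4625, "time": _t(3), "target_user": "carol", "ip_address": "10.0.0.7",
     "status": "0xC000006D"},
]
# Kerberoasting from bob: RC4 tickets for six service accounts inside a minute.
for i, spn in enumerate(["svc_sql", "svc_http", "svc_backup", "svc_ftp", "svc_exchange", "svc_scan"]):
    SAMPLE_EVENTS.append({"event_id": 4769, "time": _t(1, i * 10), "target_user": "bob",
                          "service_name": spn, "ticket_encryption_type": "0x17", "status": "0x0"})
# Dictionary attack from one host against administrator: 12 failures in 44 seconds.
for i in range(12):
    SAMPLE_EVENTS.append({"event_id": 4625, "time": _t(2, i * 4), "target_user": "administrator",
                          "ip_address": "10.0.0.45", "status": "0xC000006D"})

if __name__ == "__main__":
    print("kerberoast:", kerberoast_candidates(SAMPLE_EVENTS))
    print("dictionary:", dictionary_attack_candidates(SAMPLE_EVENTS))
```

The RC4 filter is the part that does the work: an environment that has moved its service accounts to AES-only Kerberos both starves this detection of noise and removes most of the value of the Kerberoasting payload in the first place.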
VBCloud: A New Threat in Cybersecurity
VBCloud operates like VBShower but uses public cloud storage services as its C2 channel, which lets its traffic blend in with ordinary cloud usage. It is launched by a scheduled task each time the victim logs on. Key capabilities of VBCloud include:
- Harvesting information about system disks and metadata.
- Collecting sensitive files, including documents with various extensions (DOC, DOCX, XLS, XLSX, PDF, TXT, RTF, RAR).
- Targeting files related to the Telegram messaging app.
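The logon-triggered scheduled task is VBCloud's persistence, and on a host it survives as a Task Scheduler XML definition (stored under C:\Windows\System32\Tasks, or exported with `schtasks /query /tn <name> /xml`). The triage function below is an added example, not Kaspersky's or the malware's code: it flags tasks that combine a logon trigger with a script host or a script payload in a user-writable directory. The two task definitions are constructed sample input, and the `jdoe` profile path, the `Update` folder and the function name `assess_task` are placeholders for the example.

```python
"""Triage Task Scheduler XML for the persistence pattern described above:
a logon-triggered task that launches a script host. Added example; the two
task definitions are constructed sample input. Real task files on disk are
UTF-16, so read them with encoding='utf-16' before passing the text here."""
import xml.etree.ElementTree as ET
from typing import Dict, List

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "rundll32.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".hta", ".ps1", ".js", ".jse", ".wsf")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\", "\\programdata\\")


def _basename(path: str) -> str:
    """Last path component, lower-cased, with surrounding quotes removed."""
    return path.replace("/", "\\").split("\\")[-1].strip('"').lower()


def assess_task(task_xml: str) -> Dict[str, object]:
    root = ET.fromstring(task_xml)
    logon = root.find(f"{TASK_NS}Triggers/{TASK_NS}LogonTrigger") is not None
    findings: List[str] = []
    for ex in root.iter(TASK_NS + "Exec"):
        cmd = (ex.findtext(TASK_NS + "Command") or "").strip()
        args = (ex.findtext(TASK_NS + "Arguments") or "").strip()
        line = f"{cmd} {args}".lower()
        if _basename(cmd) in SCRIPT_HOSTS:
            findings.append(f"script host: {_basename(cmd)}")
        if any(ext in line for ext in SCRIPT_EXTS):
            findings.append("script payload in command line")
        if any(p in line for p in USER_WRITABLE):
            findings.append("payload in user-writable path")
    # A logon trigger alone is common; require two independent signals with it.
    return {"logon_trigger": logon, "findings": findings,
            "suspicious": logon and len(findings) >= 2}


# Constructed sample: a vendor updater on a daily calendar trigger.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/quiet</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed sample: a VBS payload run by wscript.exe at every logon (placeholder paths).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>wscript.exe</Command><Arguments>//B //E:vbscript "C:\Users\jdoe\AppData\Roaming\Update\task.vbs"</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("benign", BENIGN_TASK), ("suspicious", SUSPICIOUS_TASK)):
        print(label, assess_task(xml_text))
```

To sweep a fleet, feed every task definition through `assess_task` and review the ones that come back `suspicious`; the findings list tells the analyst which signals fired, so a legitimate logon script in a user profile is a quick triage rather than a blind alert.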
Kupreev noted, "While PowerShower facilitates network infiltration, VBCloud focuses on system information gathering and file theft." This complex infection chain highlights the extensive threat posed by these advanced malware strains.
Conclusion: Stay Vigilant Against Cyber Threats
The Cloud Atlas chain rests on concrete, observable pieces: a six-year-old Equation Editor bug, a remote RTF template, HTA and VBS script execution, a logon-triggered scheduled task, and cloud storage as C2. The defences are correspondingly concrete: apply the January 2018 Office updates that fix CVE-2018-0802, restrict or monitor HTA and VBS execution and scheduled tasks that launch script hosts at logon, and watch for the Kerberos service-ticket and failed-logon patterns that PowerShower's payloads produce. Organisations in the targeted regions in particular should treat unexpected Office documents that fetch remote templates as hostile until proven otherwise.