Spydamonkey Digital Blog | Cloud Atlas Hackers Add Polymorphic Ma


Spydamonkey Digital Blog


Cloud Atlas Hackers Add Polymorphic Malware to Their Toolkit

Cyber-espionage group Cloud Atlas has added polymorphic malware to its arsenal to avoid having its operations detected and monitored with the help of previously collected indicators of compromise (IOCs).

The hacking group also known as Inception [12] was initially identified in 2014 by Kaspersky's Global Research and Analysis Team researchers, and it has a history of targeting government agencies and entities from a wide range of industries via spear-phishing campaigns.

While the malware and Tactics, Techniques, and Procedures (TTP) Cloud Atlas uses during its operations has remained unchanged since at least 2018, the APT group has now added new polymorphic HTML Application malware dropper in the form of a malicious HTA and a backdoor dubbed VBShower.

Old Cloud Atlas infection chain
Old Cloud Atlas infection chain

The new infection chain Cloud Atlas employs to infect its targets has been observed by Kaspersky's research team on compromised machines owned by organizations from in Central Asia, Eastern Europe, and Russia, starting with April 2019.

After successfully infiltrating a target's systems, the threat actors will make use of their malware's document stealer, password grabbing, and info gathering modules to collect and exfiltrate information which gets sent to command and control (C2) servers they control.

Unlike previous campaigns operated by the threat group which started by dropping its PowerShower PowerShell-based validator implant following the exploitation of the CVE-2017-11882and CVE-2018-0802 flaws in Microsoft Office, new attacks observed by Kaspersky start by downloading and launching the polymorphic HTA.

"The newly updated chain of infection postpones the execution of PowerShower until a later stage. Instead, after the initial infection, a malicious HTML app is now downloaded and executed on the target machine," says the report.

New Cloud Atlas infection chain
New Cloud Atlas infection chain

"This application will then collect initial information about the attacked computer and download and execute VBShower, another malicious module."

The VBShower backdoor which also replaces PowerShower as a validator module is then used to download and execute a PowerShower installer or another previously detected and analyzed Cloud Atlas second stage backdoor installer.

Right before the second stage installers are dropped on the compromised systems following commands delivered by its masters, VBShower will also make sure that all evidence of the malware is erased.

"While this new infection chain is more complicated than the previous model, its main differentiator is that a malicious HTML application and the VBShower module are polymorphic," add the researchers.

This makes it possible for the hacking group to always infect their targets using modules that will appear as unique and new, thus making it a lot harder if not impossible for their malicious implants to be detected with the help of previously found IOCs.

Recent Cloud Atlas targets
Recent Cloud Atlas targets

"[..] IoC have become obsolete as a reliable tool to spot a targeted attack in your network. This first emerged with ProjectSauron, which would create a unique set of IoC for each of its victims and continued with the trend of using open source tools in espionage operations instead of unique ones," says GReAT reseacher Felix Aime.

"Now this is continuing with this recent example of polymorphic malware. This doesn’t mean that actors are becoming harder to catch, but that security skills and the defenders toolkit needs to evolve along with the toolkit and skills of the malicious actors they are tracking."

Kaspersky's research team provides a full list of indicators of compromised (IOCs) for the current campaign, including C2 IP addresses, VBShower paths and registry keys, as well as some of the attacker e-mails detected during the recent attacks.