
Cloud Atlas augments its arsenal with polymorphic malware

28 August 2019

Cloud Atlas, an Advanced Persistent Threat (APT), also known as Inception, has updated its attack arsenal with new tools that allow it to evade detection through standard Indicators of Compromise. This updated chain of infections has been observed in several organizations in Eastern Europe, Central Asia and Russia.


Cloud Atlas is a criminal group with a long history of cyber-espionage operations targeting industries, government agencies and other entities. It was first identified in 2014 and is still active today. Recently, Kaspersky researchers noted that Cloud Atlas has targeted the financial and aerospace sectors internationally, as well as government and religious organizations in several countries including Portugal, Romania, Turkey, Ukraine, Russia, Turkmenistan, Afghanistan and Kyrgyzstan. Once Cloud Atlas has access, it is able to:

collect information about the system it has accessed

extract .txt, .pdf, .xls and .doc files from a command and control server


Cloud Atlas' modus operandi hasn't changed much since 2018; however, recent waves of attacks have revealed a new way of infecting victims, which also shows how the group conducts lateral movement through the victim's network.


In the first version, Cloud Atlas initiated the attack by sending a spear-phishing email containing a malicious attachment to a specific target. If successful, PowerShower, the attached malware used for initial reconnaissance and for downloading additional malicious modules, was executed, allowing the criminals to proceed with the operation.


The recently updated infection chain postpones PowerShower execution to a later stage. Instead, after the initial infection, a malicious HTML application is downloaded and executed on the target computer. This application starts collecting information from the attacked computer, then downloads and runs VBShower, another malicious module. VBShower erases traces of the malware's presence on the system and communicates with its operators via the command and control server to decide what further action to take. Depending on the command received, it downloads and runs either PowerShower or another known Cloud Atlas second-stage backdoor.


In addition to being much more complex, the new infection chain has as its main differentiator the fact that the malicious HTML application and the VBShower module are polymorphic: the code of both modules is new and unique with each infection. According to Kaspersky experts, this updated version is intended to make the malware invisible to security solutions that rely on the most common Indicators of Compromise.


“It has become common practice in security communities to share Indicators of Compromise (IoC) related to malicious operations found during searches. This practice allows us to react promptly to international cyber-espionage operations and prevent further compromises. However, as we predicted as early as 2016, IoCs have become obsolete as tools for detecting a targeted attack within your network. This first emerged with ProjectSauron, which would create a unique set of IoCs for each of its victims and which continued to use open source tools, instead of unique tools, in their spying operations. This trend is confirmed by the recent example of polymorphic malware. This does not mean that it is becoming increasingly difficult to identify those responsible, but that security skills and defense toolkits must evolve as well as the tools and capabilities of cybercriminals,” said Felix Aime, security researcher at Kaspersky Global Research and Analysis Team.


Kaspersky recommends that companies equip themselves with anti-targeted-attack solutions accompanied by Indicators of Attack (IoA) that focus on the tactics, techniques or actions criminals take while preparing an attack. IoAs track the techniques used regardless of the specific tools involved. The latest versions of Kaspersky Endpoint Detection and Response and Kaspersky Anti Targeted Attack both feature a new IoA database, managed and updated by Kaspersky's expert threat hunters.
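To make the IoC-versus-IoA distinction concrete, here is an added example (not code from the article or from Kaspersky) that runs both kinds of check over constructed process-creation telemetry. It assumes the HTML application stage runs under mshta.exe and the VBShower stage under wscript.exe, and uses placeholder hash strings rather than real indicators.

```python
"""Hash-based IoC matching versus behaviour-based IoA matching.

Constructed events model the chain described above: an HTML application
(assumed host mshta.exe) launches a VBScript stage (assumed wscript.exe),
which launches PowerShell. The HTA and VBS stages are polymorphic, so their
hashes differ per victim and a hash IoC list only matches the sample it was
built from, while the launch chain is the same on every victim.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    victim: str
    parent_image: str
    image: str
    sha256: str  # constructed placeholder values, not real indicators


# Constructed telemetry; per-victim hashes change because the stages are
# regenerated for each infection. host-c is benign administrative use.
EVENTS = [
    ProcEvent("host-a", "outlook.exe", "mshta.exe", "hta-aaa"),
    ProcEvent("host-a", "mshta.exe", "wscript.exe", "vbs-aaa"),
    ProcEvent("host-a", "wscript.exe", "powershell.exe", "ps-common"),
    ProcEvent("host-b", "outlook.exe", "mshta.exe", "hta-bbb"),
    ProcEvent("host-b", "mshta.exe", "wscript.exe", "vbs-bbb"),
    ProcEvent("host-b", "wscript.exe", "powershell.exe", "ps-common"),
    ProcEvent("host-c", "explorer.exe", "powershell.exe", "ps-admin"),
]

IOC_HASHES = {"hta-aaa", "vbs-aaa"}  # built from the host-a sample only
IOA_CHAIN = ["mshta.exe", "wscript.exe", "powershell.exe"]  # parent->child


def ioc_hits(events):
    """Victims where at least one process hash is on the IoC list."""
    return sorted({e.victim for e in events if e.sha256 in IOC_HASHES})


def ioa_hits(events, chain=IOA_CHAIN):
    """Victims where every parent->child launch of the chain is observed."""
    hits = set()
    for v in {e.victim for e in events}:
        edges = {(e.parent_image, e.image) for e in events if e.victim == v}
        if all((chain[i], chain[i + 1]) in edges for i in range(len(chain) - 1)):
            hits.add(v)
    return sorted(hits)


if __name__ == "__main__":
    print("IoC matches:", ioc_hits(EVENTS))  # only host-a
    print("IoA matches:", ioa_hits(EVENTS))  # host-a and host-b, not host-c
```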






