‘Cloud Atlas’ cyber-espionage group add polymorphic components to its malware arsenal

Cloud Atlas the cyber-espionage gang is now using polymorphic malware as an addition to its weaponries for staying under the radar and not getting its activities identified and monitored using earlier garnered IOC (indicators of compromise).

Russia-based Kaspersky Labs the security company's Global Research and Analysis Team, during 2014, first identified the hackers' syndicate whose other name is Inception [1,2] to find that it familiarly targeted government organizations as well as numerous industrial entities through spear-phishing attacks.

At first Cloud Atlas was found attacking end-users chiefly inside Russia, but apart from this inside countries of Belarus, Kazakhstan, Czechoslovakia and India. Symantec in a 2018 report stated it had as well observed victims inside Belgium, Moldova, Ukraine, USA, France, Iran, Bulgaria, Georgia and Turkey. www.securityweek.com posted this, August 12, 2019.

And though it seems Russia is still the chief country being attacked, Kaspersky of late detected attacks aimed at targets inside Ukraine, Turkmenistan, Kyrgyzstan, Portugal, Romania and Turkey. Most of the entities attacked apparently are government agencies, however, within Russia Cloud Atlas as well attacked the country's aerospace sector, religious organizations along with one international organization.

Also though Cloud Atlas hasn't changed its malware and TTP (Tactics, Techniques and Procedures) in its operations from 2018 if not earlier, the hackers' syndicate is now using fresh polymorphic malicious software bearing HTML Application along with VBShower a backdoor.

Within the sequence of infections the hackers deploy, the first phase involves dispatching a spear-phishing e-mail at the address of one high-value entity. The e-mail would carry one Microsoft Office file embedded having remote templates which in case downloaded would install and run harmful payloads. Following this, one malevolent HTML app would garner information about the operating system while install another module known as VBShower. The module would erase the maximum possible traces of infection left inside the host system followed with establishing an interaction mode between the malicious software and command-and-control infrastructure of the operator.

Kaspersky researchers have noted that both VBShower as well as the HTML are polymorphic components. Consequently, it poses difficulty for security solutions to detect the components which depend upon 'indicators of compromise.'

» SPAMfighter News - 8/20/2019