A threat actor known as Cloud Atlas was seen using a previously undocumented malware called VBCloud in cyberattack campaigns targeting “several dozen users” in 2024.
“Victims are infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malicious code,” Kaspersky researcher Oleg Kupreev said in an analysis published this week.
More than 80% of the targets were located in Russia. Smaller numbers of victims were reported in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey and Vietnam.
Cloud Atlas, also called Clean Ursa, Inception, Oxygen and Red October, is an unattributed threat cluster that has been active since 2014. In December 2022, the group was linked to cyberattacks targeting Russia, Belarus, and Transnistria that deployed a PowerShell-based backdoor called PowerShower.
Then, exactly one year later, the Russian cybersecurity company FACCT revealed that various organizations in the country had been targeted by phishing attacks exploiting an old flaw in the Microsoft Office Equation Editor (CVE-2017-11882) to drop a Visual Basic Script (VBS) payload responsible for loading an unknown next-stage VBS malware.
Kaspersky’s latest report reveals that these components are part of what it calls VBShower, which is then used to download and install PowerShower as well as VBCloud.
The starting point of the attack chain is a phishing email containing a booby-trapped Microsoft Office document that, when opened, downloads a malicious template in RTF format from a remote server. The template then abuses CVE-2018-0802, another flaw in the Equation Editor, to retrieve and run an HTML Application (HTA) file hosted on the same server.
“The exploit downloads the HTA file via an RTF template and executes it,” Kupreev said. “It uses the Alternate Data Streams feature (NTFS ADS) to extract and create multiple files in %APPDATA%\Roaming\Microsoft\Windows\. These files make up the VBShower backdoor.”
This includes a launcher that acts as a bootloader, extracting and running the backdoor module in memory. Another VB script is a cleaner that erases the contents of all files in the “\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\” folder, as well as itself and the launcher, thus hiding evidence of malicious activity.
The VBShower backdoor is designed to fetch more VBS payloads from a command-and-control (C2) server. These payloads come with the ability to reboot the system; collect information about files in various folders, the names of running processes and scheduled tasks; and install PowerShower and VBCloud.
PowerShower is similar in functionality to VBShower, the main difference being that it downloads and executes next-stage PowerShell scripts from the C2 server. It is also equipped to serve as a loader for ZIP archive files.
Kaspersky observed seven PowerShell payloads. Each of them performs a specific task:
- Get a list of local groups and their members on remote computers through the Active Directory Service Interface (ADSI)
- Conduct dictionary attacks on user accounts
- Extract the ZIP archive downloaded by PowerShower and run the PowerShell script it contains to carry out Kerberoasting, a post-exploitation technique for obtaining credentials for Active Directory accounts
- Get a list of admin groups
- Get a list of domain controllers
- Get information about files in ProgramData folder
- Get account policy and password policy settings on the local computer
VBCloud also functions very similarly to VBShower, but uses a public cloud storage service for C2 communication. It is run by a scheduled task whenever the victim user logs on.
The malware is capable of collecting drive information (drive letter, drive type, media type, size, and free space), system metadata, files and documents matching the DOC, DOCX, XLS, XLSX, PDF, TXT, RTF, and RAR extensions, as well as files related to the Telegram messaging app.
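Each stage described above leaves host or domain telemetry a defender can alert on: VBShower writes its components through NTFS alternate data streams under the user's Roaming\Microsoft\Windows folder, VBCloud persists through a scheduled task triggered at logon, and the Kerberoasting payload produces a burst of RC4-encrypted TGS requests for many service accounts from a single user. The following Python is an added example, not code from Kaspersky or from the article; it runs three simple rules over constructed, simplified event records (Sysmon event 15 for stream creation, Security event 4698 for task creation, Security event 4769 for TGS requests). The dict field names, the RC4 etype value 0x17, the five-service threshold and all sample values are assumptions chosen for illustration.

```python
"""Detection rules for the Cloud Atlas VBShower / VBCloud / Kerberoasting chain.

Added example, not the article's or Kaspersky's code. Events are constructed,
simplified dicts; real Sysmon and Security events carry these values as XML fields.
"""
from collections import defaultdict

# Path fragment VBShower uses for its dropped files (case-insensitive match below).
APPDATA_WIN = "\\appdata\\roaming\\microsoft\\windows\\"
# Script hosts the VBS/HTA stages need; a logon task launching one is suspicious.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# RC4-HMAC ticket encryption type; many RC4 TGS requests from one account is the
# classic Kerberoasting signal (assumed etype encoding as logged in event 4769).
RC4_ETYPE = "0x17"
KERBEROAST_THRESHOLD = 5  # distinct services per account; tuning assumption

# Constructed sample telemetry (not real data).
EVENTS = [
    # Sysmon 15 (FileCreateStreamHash): ADS written under %APPDATA%\Microsoft\Windows
    {"id": 15, "source": "Sysmon", "image": "C:\\Windows\\System32\\mshta.exe",
     "target": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\settings.vbs:payload"},
    # Sysmon 15: benign browser download tagged with a Zone.Identifier stream
    {"id": 15, "source": "Sysmon", "image": "C:\\Program Files\\Browser\\browser.exe",
     "target": "C:\\Users\\alice\\Downloads\\report.pdf:Zone.Identifier"},
    # Security 4698: scheduled task created with a logon trigger running wscript on a .vbs
    {"id": 4698, "source": "Security", "task": "\\Updater", "trigger": "logon",
     "command": "C:\\Windows\\System32\\wscript.exe",
     "arguments": "//B C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\sync.vbs"},
    # Security 4698: benign daily task
    {"id": 4698, "source": "Security", "task": "\\Backup", "trigger": "daily",
     "command": "C:\\Program Files\\Backup\\backup.exe", "arguments": ""},
]
# Security 4769: one account requests RC4 tickets for six different service accounts
EVENTS += [{"id": 4769, "source": "Security", "account": "bob@CORP",
            "service": f"svc{i}$", "etype": RC4_ETYPE} for i in range(6)]
# A single AES (0x12) request from another user: normal activity
EVENTS += [{"id": 4769, "source": "Security", "account": "alice@CORP",
            "service": "fileserver$", "etype": "0x12"}]


def ads_under_appdata(ev):
    """Rule 1: alternate data stream created under Roaming\\Microsoft\\Windows,
    ignoring the Zone.Identifier stream browsers attach to downloads."""
    target = ev.get("target", "").lower()
    return (ev["id"] == 15 and APPDATA_WIN in target
            and not target.endswith(":zone.identifier"))


def logon_task_script_host(ev):
    """Rule 2: scheduled task with a logon trigger whose action is a script host
    or whose arguments reference a VBS/HTA file (VBCloud persistence pattern)."""
    if ev["id"] != 4698 or ev.get("trigger") != "logon":
        return False
    exe = ev.get("command", "").lower().rsplit("\\", 1)[-1]
    args = ev.get("arguments", "").lower()
    return exe in SCRIPT_HOSTS or ".vbs" in args or ".hta" in args


def kerberoast_candidates(events, threshold=KERBEROAST_THRESHOLD):
    """Rule 3: accounts that requested RC4 service tickets for at least
    `threshold` distinct services (the Kerberoasting fingerprint)."""
    services = defaultdict(set)
    for ev in events:
        if ev["id"] == 4769 and ev.get("etype") == RC4_ETYPE:
            services[ev["account"]].add(ev["service"])
    return {acct for acct, svcs in services.items() if len(svcs) >= threshold}


def run_detections(events):
    """Apply all rules; returns (rule_name, subject) pairs in detection order."""
    findings = []
    for ev in events:
        if ads_under_appdata(ev):
            findings.append(("ads_in_appdata_windows", ev["target"]))
        if logon_task_script_host(ev):
            findings.append(("logon_task_script_host", ev["task"]))
    for acct in sorted(kerberoast_candidates(events)):
        findings.append(("rc4_tgs_burst", acct))
    return findings


if __name__ == "__main__":
    for rule, subject in run_detections(EVENTS):
        print(f"{rule}: {subject}")
```

Rule 1 assumes Sysmon is configured to log FileCreateStreamHash for the user profile path; rule 2 assumes task-creation auditing (event 4698) is enabled; rule 3 needs Kerberos service ticket auditing on the domain controllers and a threshold tuned to the environment, since a few RC4 requests from legacy systems are normal while dozens of distinct SPNs from one user in a short window are not.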
“PowerShower scans the local network and facilitates further penetration, while VBCloud collects system information and steals files,” Kupreev said. “The infection chain consists of several steps and ultimately aims to steal data from victims’ devices.”