Cloud Atlas Threat Group Updates Weaponry with Polymorphic Malware (Aug 12, 2019)

Cloud Atlas, an Advanced Persistent Threat (APT) group also known as Inception, has updated its attack techniques with new tools that let it evade detection based on standard indicators of compromise. Kaspersky researchers have seen Cloud Atlas targeting the international economics and aerospace industries, as well as governmental and religious organizations in Russia, Portugal, Romania, Turkey, Ukraine, and other countries. Cloud Atlas is distributed through spearphishing emails; upon successful infiltration, it collects system information, logs passwords, and exfiltrates recent files to a command and control server. The malicious HTML application delivered by the email collects initial information about the compromised computer and then executes a malicious module, "VBShower," which erases evidence of the malware's presence. The main differentiator in the new infection chain is that both the malicious HTML application and the VBShower module are polymorphic: the code in each module is new and unique in every infection, so file hashes collected from one victim do not identify the next.
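The polymorphism described above is exactly what breaks hash-based indicators. The added example below (written for this page, not code from the report or from Kaspersky) contrasts a file-hash IOC check with a simple behaviour rule run over constructed process telemetry. It assumes the HTML application stage runs under Windows' mshta.exe host, and all field names, paths and script text are hypothetical.

```python
import hashlib
import re

# Constructed stand-ins for two "polymorphic" script variants: same behaviour
# (self-deletion), different filler and variable names. Hypothetical text only.
VARIANT_A = ('\' filler 8f2a\n'
             'Set fso = CreateObject("Scripting.FileSystemObject")\n'
             'fso.DeleteFile WScript.ScriptFullName\n')
VARIANT_B = ('\' filler 61c0\n'
             'Set oFs = CreateObject("Scripting.FileSystemObject")\n'
             'oFs.DeleteFile WScript.ScriptFullName\n')


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def hash_ioc_hit(sample: str, blocklist: set) -> bool:
    """Classic IOC match: true only if this exact file hash is already known."""
    return sha256(sample) in blocklist


# Constructed process-start telemetry (hypothetical field names and paths).
EVENTS = [
    {"pid": 10, "ppid": 1, "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"pid": 11, "ppid": 10, "image": "mshta.exe",
     "cmdline": r"mshta.exe C:\Users\a\AppData\Local\Temp\report.hta"},
    {"pid": 20, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 21, "ppid": 20, "image": "mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
]
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\Downloads\\", re.IGNORECASE)


def suspicious_hta_chains(events) -> list:
    """Behaviour rule: a mail client spawning an HTA host from a user-writable
    path. Independent of file content, so it survives per-victim polymorphism."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (e["image"].lower() == "mshta.exe" and parent is not None
                and parent["image"].lower() in MAIL_CLIENTS
                and USER_WRITABLE.search(e["cmdline"])):
            hits.append(e["pid"])
    return hits
```

A blocklist built from VARIANT_A's hash misses VARIANT_B, while the behaviour rule flags only the mail-spawned HTA (pid 11) and not the installer launched from Program Files.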

Recommendation: All employees should be educated on the risks of spearphishing, specifically how to identify such attempts and whom to contact when one is identified. Users are cautioned to open attachments only when the correspondence and its content are expected from the sender. While this particular activity is designed to evade security measures, it is still highly recommended that anti-spam and antivirus protection be implemented and kept up to date with the latest version to better ensure security.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.