Cloud Atlas Threat Group Adds Shape-Changing Attack Tools

security, hacking

Prolific cyber-espionage group uses polymorphic malware in targeted phishing emails, making threats more difficult to defend against

The Cloud Atlas threat group has added shape-shifting attack tools to its arsenal in recent months as it conducts targeted phishing attacks on high-profile targets including industrial and government entities, researchers have said.

The software aims to steal system information, as well as passwords and all recently modified text, PDF, and Microsoft Excel and Word documents.

The group, also known as Inception, has been active for at least five years and continues to use the same modular backdoor tool that has been serving it since 2014, Kaspersky Lab said.

But earlier this year it began using two polymorphic tools aimed at bypassing users’ defences in order to execute a document-stealing VBS implant called PowerShower.

Kaspersky Lab
Kaspersky Lab

Anti-forensics tools

Previously the attackers dropped PowerShower directly onto targeted systems, but using the new polymorphic HTML application (HTA) and VBS implant makes the attacks more difficult to defend against.

That’s because both tools continually change their characteristics, allowing them to get around signature-based defence systems.

Cloud Atlas’ more recent attacks use targeted phishing emails that, in the case of a successful infection, first download the remote HTML app, which gathers information about the system.

The app then downloads VBShower, which attempts to erase evidence of the presence of malware in the system.  VBShower is also capable of downloading either PowerShower or Cloud Atlas’ other long-standing second-stage backdoor.

“During its recent campaigns, Cloud Atlas used a new ‘polymorphic’ infection chain relying no more on PowerShower directly after infection, but executing a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system,” Kaspersky said in its advisory.

‘Massive’ campaigns

The company said Cloud Atlas remains “very prolific” in Eastern Europe and Central Asia, with attacks caried out mainly in Russia, Central Asia and independent regions of Ukraine.

“The actor’s massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets,” the firm said.

More interestingly, this intrusion set hasn’t changed its modular backdoor, even five years after its discovery.”

Kaspersky said firms should defend against shape-changing tools by using security systems capable of fending off attacks regardless of the specific means used.

The company said staff should also be educated to recognise potentially harmful emails.