Cloud Atlas Threat Group Adds Shape-Changing Attack Tools

The Cloud Atlas threat group has added shape-shifting attack tools to its arsenal in recent months as it conducts targeted phishing attacks on high-profile targets including industrial and government entities, researchers have said.

The software aims to steal system information, as well as passwords and all recently modified text, PDF, and Microsoft Excel and Word documents.

The group, also known as Inception, has been active for at least five years and continues to use the same modular backdoor tool that has been serving it since 2014, Kaspersky Lab said.

But earlier this year it began using two polymorphic tools aimed at bypassing users’ defences in order to execute a document-stealing VBS implant called PowerShower.

Kaspersky Lab

Anti-forensics tools

Previously the attackers dropped PowerShower directly onto targeted systems, but using the new polymorphic HTML application (HTA) and VBS implant makes the attacks more difficult to defend against.

That’s because both tools continually change their characteristics, allowing them to get around signature-based defence systems.

Cloud Atlas’ more recent attacks use targeted phishing emails that, in the case of a successful infection, first download the remote HTML app, which gathers information about the system.

The app then downloads VBShower, which attempts to erase evidence of the presence of malware in the system.  VBShower is also capable of downloading either PowerShower or Cloud Atlas’ other long-standing second-stage backdoor.

“During its recent campaigns, Cloud Atlas used a new ‘polymorphic’ infection chain relying no more on PowerShower directly after infection, but executing a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system,” Kaspersky said in its advisory.

‘Massive’ campaigns

The company said Cloud Atlas remains “very prolific” in Eastern Europe and Central Asia, with attacks caried out mainly in Russia, Central Asia and independent regions of Ukraine.

“The actor’s massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets,” the firm said.

More interestingly, this intrusion set hasn’t changed its modular backdoor, even five years after its discovery.”

Kaspersky said firms should defend against shape-changing tools by using security systems capable of fending off attacks regardless of the specific means used.

The company said staff should also be educated to recognise potentially harmful emails.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Facebook iOS App Bug Turns On Camera

Privacy alert. Facebook users complain that the social network's iOS app turns on the cameras found on Apple iPads and…

3 mins ago

Regulators Investigate Google Over Ascension Health Data Deal

Probe begins of Google, after deal that gives it access to healthcare data about millions of Americans

2 hours ago

Judge Approves US Searches Of Passenger Electronic Devices

US border agents only need “reasonable suspicion” and no search warrant to search travellers’ smartphones and laptops

4 hours ago

Apple AR Glasses Set For 2023 Debut – Report

Rumour mill. Apple's augmented reality venture will reportedly deliver its long-rumoured AR glasses released sometime in 2023

21 hours ago

Microsoft Pledges To ‘Honour’ California’s Privacy Rules

Redmond pledges to roll out California's strict CCPA privacy laws across the entire United States

21 hours ago

Plusnet CEO Steps Down As BT Tightens Grip

Long-serving boss of Yorkshire-based Internet Service Provider steps down as BT tightens grip

22 hours ago