Cloud Atlas Threat Group Adds Shape-Changing Attack Tools

The Cloud Atlas threat group has added shape-shifting attack tools to its arsenal in recent months as it conducts targeted phishing attacks on high-profile targets including industrial and government entities, researchers have said.

The software aims to steal system information, as well as passwords and all recently modified text, PDF, and Microsoft Excel and Word documents.

The group, also known as Inception, has been active for at least five years and continues to use the same modular backdoor tool that has been serving it since 2014, Kaspersky Lab said.

But earlier this year it began using two polymorphic tools aimed at bypassing users’ defences in order to execute a document-stealing VBS implant called PowerShower.

Kaspersky Lab

Anti-forensics tools

Previously the attackers dropped PowerShower directly onto targeted systems, but using the new polymorphic HTML application (HTA) and VBS implant makes the attacks more difficult to defend against.

That’s because both tools continually change their characteristics, allowing them to get around signature-based defence systems.

Cloud Atlas’ more recent attacks use targeted phishing emails that, in the case of a successful infection, first download the remote HTML app, which gathers information about the system.

The app then downloads VBShower, which attempts to erase evidence of the presence of malware in the system.  VBShower is also capable of downloading either PowerShower or Cloud Atlas’ other long-standing second-stage backdoor.

“During its recent campaigns, Cloud Atlas used a new ‘polymorphic’ infection chain relying no more on PowerShower directly after infection, but executing a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system,” Kaspersky said in its advisory.

‘Massive’ campaigns

The company said Cloud Atlas remains “very prolific” in Eastern Europe and Central Asia, with attacks caried out mainly in Russia, Central Asia and independent regions of Ukraine.

“The actor’s massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets,” the firm said.

More interestingly, this intrusion set hasn’t changed its modular backdoor, even five years after its discovery.”

Kaspersky said firms should defend against shape-changing tools by using security systems capable of fending off attacks regardless of the specific means used.

The company said staff should also be educated to recognise potentially harmful emails.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Apple Criticised For App User Tracking Alert

Plan for iOS 14 to give app users the option to decline ad tracking has…

2 days ago

UK Government To Acquire £400 Million Stake In OneWeb

Watch out SpaceX's Elon Musk? British government and Bharti Global announce deal to acquire satellite…

2 days ago

Mark Zuckerberg Says Advertisers Will Be Back ‘Soon Enough’

What boycott? Facebook's boss Mark Zuckerberg dismisses growing advertiser boycott of the platform over its…

2 days ago

Police ‘Crack’ EncroChat Encryption, Resulting In Hundreds Of Arrests

Organised crime around Europe has been dealt a huge blow after authorities cracked the encryption…

3 days ago

Coronavirus: Apple Closes More Stores In US

As Coronavirus infections rise in the United States, Apple continues to close down more of…

3 days ago

The Shape Of IT In A Post COVID-19 World

Global IT spend is projected to contract 8% in 2020, according to Gartner. Gartner expects…

3 days ago