A sophisticated threat actor, Cloud Atlas, has launched new cyber attacks in 2024 utilizing a previously unknown malware called VBCloud. The campaign, discovered by Kaspersky, primarily targets Russian users, with additional victims identified in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.
The attack begins with phishing emails containing malicious Microsoft Office documents that exploit the CVE-2018-0802 vulnerability in the formula editor. Upon opening, the document downloads a malicious RTF template, leading to the deployment of multiple malware components:
1. VBShower: Initial backdoor that facilitates the installation of additional payloads
2. PowerShower: A PowerShell-based backdoor with network infiltration capabilities
3. VBCloud: A new malware variant utilizing public cloud storage for command-and-control communications
PowerShower’s capabilities include:
– Active Directory reconnaissance
– Dictionary attack execution
– Kerberoasting attacks
– Administrator group enumeration
– System information gathering
VBCloud focuses on data theft, collecting:
– System metadata
– Disk information
– Document files (DOC, DOCX, XLS, XLSX, PDF, TXT, RTF, RAR)
– Telegram application data
The threat actor, also known as Clean Ursa, Inception, Oxygen, and Red October, has been active since 2014 and continues to evolve its tactics and tools for cyber espionage operations.