Russian Targets Hit Hard: Cloud Atlas Unleashes New VBCloud Malware in Global Cyber Campaign

Cloud Atlas Deploys New VBCloud Malware in Targeted Attacks

The threat actor Cloud Atlas carried out a new wave of attacks in 2024 using a previously undocumented malware family, VBCloud. The campaign, reported by Kaspersky, primarily targets users in Russia, with further victims identified in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.

The attack begins with a phishing email carrying a Microsoft Office document. When opened, the document fetches a malicious RTF template from a remote server; the template exploits CVE-2018-0802, a memory-corruption flaw in the Office formula editor (Equation Editor), and the exploit chain then deploys several malware components:

1. VBShower: the initial backdoor, used to download and install the further payloads
2. PowerShower: a PowerShell-based backdoor used to probe the local network and move further into it
3. VBCloud: a new backdoor that uses public cloud storage as its command-and-control channel

PowerShower's capabilities include:
– Active Directory reconnaissance
– Dictionary (password-guessing) attacks against user accounts
– Kerberoasting
– Enumeration of administrator group membership
– System information gathering
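Kerberoasting, one of the PowerShower capabilities listed above, leaves a recognisable trace on the domain controller: a burst of service-ticket requests (Security event 4769) from one account for many distinct SPNs, usually with RC4-HMAC (TicketEncryptionType 0x17) requested so the resulting hashes crack faster. The detection below is an added example, not code from Kaspersky's report or from PowerShower itself. The event records are constructed inline and the threshold and window are assumptions to be tuned per environment; field names follow the 4769 event schema.

```python
"""Flag Kerberoasting-like bursts in Windows Security event 4769 records.

Added detection example, not part of the original article. Field names
(TargetUserName, ServiceName, TicketEncryptionType, Status) follow the
4769 event schema; the sample records are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
# Assumed thresholds for the example; tune to the environment
DISTINCT_SPN_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def kerberoast_candidates(events, threshold=DISTINCT_SPN_THRESHOLD, window=WINDOW):
    """Return {account: sorted SPNs} for accounts that requested at least
    `threshold` distinct RC4 service tickets within `window`."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769 or ev["Status"] != "0x0":
            continue  # only successful TGS requests
        svc = ev["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue  # TGT renewals and computer-account SPNs are normal noise
        if ev["TicketEncryptionType"].lower() != RC4_HMAC:
            continue  # AES tickets (0x11/0x12) are what healthy clients negotiate
        by_account[ev["TargetUserName"]].append((ev["Time"], svc))

    hits = {}
    for account, reqs in by_account.items():
        reqs.sort()
        best = set()
        start = 0
        # Sliding window over the account's RC4 requests, keep the largest SPN set
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            spns = {s for _, s in reqs[start:end + 1]}
            if len(spns) > len(best):
                best = spns
        if len(best) >= threshold:
            hits[account] = sorted(best)
    return hits


def sample_events():
    """Constructed 4769 records: one roasting burst, one slow user, normal noise."""
    t0 = datetime(2024, 11, 5, 9, 0, 0)

    def ev(minutes, user, svc, enc, status="0x0"):
        return {
            "EventID": 4769,
            "Time": t0 + timedelta(minutes=minutes),
            "TargetUserName": user,
            "ServiceName": svc,
            "TicketEncryptionType": enc,
            "Status": status,
        }

    events = [ev(i, "jdoe@CORP.LOCAL", f"svc{i}", "0x17") for i in range(6)]       # 6 SPNs in 5 min
    events += [ev(i * 20, "asmith@CORP.LOCAL", f"svc{i}", "0x17") for i in range(6)]  # spread over 100 min
    events += [
        ev(1, "asmith@CORP.LOCAL", "sql01", "0x12"),     # AES ticket, benign
        ev(2, "jdoe@CORP.LOCAL", "krbtgt", "0x17"),      # TGT, ignored
        ev(3, "WS01$@CORP.LOCAL", "FS01$", "0x17"),      # computer-account SPN, ignored
    ]
    return events


if __name__ == "__main__":
    for account, spns in kerberoast_candidates(sample_events()).items():
        print(f"{account}: {len(spns)} distinct RC4 SPNs -> {spns}")
```

The RC4 filter is what keeps false positives down: domains that still have RC4 enabled on service accounts will see occasional 0x17 tickets, but a single user pulling tickets for five or more unrelated services in a few minutes is rarely legitimate. Pair the alert with the requesting client address from the same 4769 record to find the host running PowerShower or a similar tool.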

VBCloud focuses on data theft, collecting:
– System metadata
– Disk information
– Documents with the extensions DOC, DOCX, XLS, XLSX, PDF, TXT, RTF and RAR
– Telegram application data

The threat actor, also tracked as Clean Ursa, Inception, Oxygen, and Red October, has been active since 2014 and continues to refresh its tooling and tradecraft for cyber-espionage operations.
