HomeCyber AttacksOver 80% of Targets Present in Russia

Over 80% of Targets Present in Russia

The menace actor referred to as Cloud Atlas has been noticed utilizing a beforehand undocumented malware known as VBCloud as a part of its cyber assault campaigns concentrating on “a number of dozen customers” in 2024.

“Victims get contaminated by way of phishing emails containing a malicious doc that exploits a vulnerability within the method editor (CVE-2018-0802) to obtain and execute malware code,” Kaspersky researcher Oleg Kupreev mentioned in an evaluation revealed this week.

Greater than 80% of the targets had been situated in Russia. A lesser variety of victims have been reported from Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.

Additionally known as Clear Ursa, Inception, Oxygen, and Pink October, Cloud Atlas is an unattributed menace exercise cluster that has been lively since 2014. In December 2022, the group was linked to cyber assaults geared toward Russia, Belarus, and Transnistria that deployed a PowerShell-based backdoor known as PowerShower.

Cybersecurity

Then precisely a yr later, Russian cybersecurity firm F.A.C.C.T. revealed that varied entities within the nation had been focused by spear-phishing assaults that exploited an outdated Microsoft Workplace Equation Editor flaw (CVE-2017-11882) to drop a Visible Primary Script (VBS) payload liable for downloading an unknown next-stage VBS malware.

See also  White Home urges devs to modify to memory-safe programming languages

Kaspersky’s newest report reveals that these elements are a part of what it calls VBShower, which is then used to obtain and set up PowerShower in addition to VBCloud.

The place to begin of the assault chain is a phishing e mail that comprises a booby-trapped Microsoft Workplace doc that, when opened, downloads a malicious template formatted as an RTF file from a distant server. It then abuses CVE-2018-0802, one other flaw within the Equation Editor, to fetch and run an HTML Utility (HTA) file hosted on the identical server.

“The exploit downloads the HTA file by way of the RTF template and runs it,” Kupreev mentioned. “It leverages the alternate information streams (NTFS ADS) characteristic to extract and create a number of recordsdata at %APPDATApercentRoamingMicrosoftWindows. These recordsdata make up the VBShower backdoor.”

This features a launcher, which acts as a loader by extracting and operating the backdoor module in reminiscence. The opposite VB Script is a cleaner that cares about erasing the contents of all recordsdata contained in the “LocalMicrosoftWindowsTemporary Web FilesContent.Phrase” folder, along with these inside itself and the launcher, thereby overlaying up proof of the malicious exercise.

The VBShower backdoor is designed to retrieve extra VBS payloads from the command-and-control (C2) server that comes with capabilities to reboot the system; collect details about recordsdata in varied folders, names of operating processes, and scheduler duties; and set up PowerShower and VBCloud.

See also  Test Level Warns of Zero-Day Attacks on its VPN Gateway Merchandise

PowerShower is analogous to VBShower in performance, the chief distinction being that it downloads and executes next-stage PowerShell scripts from the C2 server. It is also outfitted to function a downloader for ZIP archive recordsdata.

As many as seven PowerShell payloads have been noticed by Kaspersky. Every of them carries out a definite process as follows –

  • Get an inventory of native teams and their members on distant computer systems by way of Energetic Listing Service Interfaces (ADSI)
  • Conduct dictionary assaults on person accounts
  • Unpack ZIP archive downloaded by PowerShower and execute a PowerShell script contained inside it as a way to perform a Kerberoasting assault, which is a post-exploitation method for acquiring credentials for Energetic Listing accounts
  • Get an inventory of administrator teams
  • Get an inventory of area controllers
  • Get details about recordsdata contained in the ProgramData folder
  • Get the account coverage and password coverage settings on the native laptop
Cybersecurity

VBCloud additionally capabilities loads like VBShower, however makes use of public cloud storage service for C2 communications. It will get triggered by a scheduled process each time a sufferer person logs into the system.

See also  Propelling SecOps into the long run

The malware is provided to reap details about disks (drive letter, drive kind, media kind, dimension, and free area), system metadata, recordsdata and paperwork matching extensions DOC, DOCX, XLS, XLSX, PDF, TXT, RTF, and RAR, and recordsdata associated to the Telegram messaging app.

“PowerShower probes the native community and facilitates additional infiltration, whereas VBCloud collects details about the system and steals recordsdata,” Kupreev mentioned. “The an infection chain consists of a number of phases and finally goals to steal information from victims’ units.”

- Advertisment -spot_img
RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -

Most Popular