cyber securityThe industry has been alerted to a recent series of spear phishing attacks by the notorious cyber espionage organization Cloud Atlas, targeting Russian agribusiness and state-owned research institutions. The news comes from a report by independent cybersecurity firm F.A.C.C.T., which was formed earlier this year after the former Group-IB team split.
The Cloud Atlas organization has been active since at least 2014 and its true identity remains unknown, having used several aliases, including Clean Ursa, Inception, Oxygen and Red October. The organization is notorious for its long history of cyber-espionage activities against countries such as Russia, Belarus, Azerbaijan, Turkey and Slovenia.
In December 2022, Check Point and Positive Technologies, two security firms, uncovered a sophisticated attack methodology by the Cloud Atlas organization that involved the deployment of a PowerShell-based backdoor program called PowerShower, as well as a DLL malware component that was able to communicate with an attacker-controlled server.
Cunning tactic: using old vulnerabilities to lure downloads of malicious files
The attack began with a seemingly generic bait email containing a malicious document that exploited the CVE-2017-11882 vulnerability. The vulnerability is a six-year-long memory corruption flaw in the Microsoft Office formula editor, which the Cloud Graphics organization began exploiting back in October 2018 to execute malicious programs.
In an August 2019 report, Kaspersky stated, "The massive spear phishing attack campaigns of the Cloud Atlas organization continue to use this simple, yet highly effective method to steal information from their targets. Unlike other attack groups, instead of using open-source implants, the Cloud Atlas Organization's recent attack campaigns use custom malware for increased stealth."
The F.A.C.C.T. report notes that the latest attack is similar to the one previously uncovered by Positive Technologies, which also utilizes the CVE-2017-11882 vulnerability to inject malicious RTF templates, which in turn download and run obfuscated HTA files. Notably, these attack emails typically come from popular Russian email services Yandex Mail and VK's Mail.ru.
The malicious HTML application then launches a Visual Basic Script (VBS) file and eventually downloads and executes unknown VBS code from a remote server, completing the attack process.
"The Cloud Mapping organization is very sophisticated and they orchestrate every aspect of their attacks," Positive Technologies said of the group in a report last year. "The organization's attack tools haven't changed much over the years, and they evade detection by making one-time payload requests and authenticating them, as well as leveraging legitimate cloud storage and the capabilities of Microsoft Office."
Be wary of Decoy Dog: another malware targeting Russia
In addition to the Cloud Mapping organization's attack, the F.A.C.C.T. reported another malware called Decoy Dog, a variant of Pupy RAT, for which at least 20 Russian organizations were attacked.The F.A.C.C.T. attributed it to another advanced persistent threat group called Hellhounds.
The malware not only allows attackers to remotely control infected hosts, but also comes with a script designed to transmit telemetry data to a Mastodon account named "Lamir Hasabat" (@lahat).
Security researchers Stanislav Pyzhov and Aleksandr Grigorian said, "After the disclosure of information about the first version of Decoy Dog, malware authors have taken several steps to dramatically increase the difficulty of its detection in traffic and file systems."
Security Alert: Be Wary of Harpoon Attacks, Keep Software Vulnerabilities Up to Date
This incident once again reminds users and businesses to beware of the dangers of spear phishing attacks. Timely updating software to fix security vulnerabilities, installing reliable security software, staying alert and being cautious of suspicious emails are important measures to defend against such attacks.
Original article by SnowFlake, if reproduced, please credit https://cncso.com/en/cloud-atlas-spear-phishing-attacks-hit-russian-firms.html
