Cloud Atlas Targets Russian Companies: New Cyber Espionage Attacks Revealed

Cloud Atlas Launches New Attacks on Russian Companies

Cybersecurity experts at FACCT have detected new attacks by the espionage group Cloud Atlas, targeting a Russian agricultural enterprise and a state research company. The APT group Cloud Atlas specializes in cyber espionage and the theft of confidential information. According to Kaspersky Lab, the group has been active since at least 2014. Cloud Atlas most frequently targets industrial enterprises and state-owned companies in Russia, Belarus, Azerbaijan, Turkey, and Slovenia. The hackers primarily use targeted email campaigns with malicious attachments as their main attack vector.

Attack Methods and Recent Campaigns

FACCT researchers report that, in the latest campaign, attackers used email addresses registered through popular services—[email protected] and [email protected]—and focused on two current topics: support for participants in the Special Military Operation (SMO) and military registration.

In the first email, the attackers, posing as representatives of the “Moscow City Organization of the All-Russian Trade Union of State Institution Workers,” suggested organizing a collection of postcards and greetings for SMO participants and their families. The contact information provided in the email was real and publicly available.

In another email campaign, the hackers impersonated the “Association of Training Centers” and used the timely topic of legislative changes regarding military registration and the reservation of citizens in the reserve.

Technical Details of the Attack

The overall attack scheme is similar to what Positive Technologies specialists previously described in their report, except for the use of alternative data streams.

If a user opens the lure document attached to the email, a remote template is downloaded. The template, accessed via a link, is an RTF file containing an exploit for the CVE-2017-11882 vulnerability. Exploiting this bug triggers the execution of shellcode designed to download an HTA file from a link and run it. Subsequently, several VBS scripts are created on the system, and the next stage of the attack also involves VBS code. However, at the time of the investigation, the file for the next attack stage was already unavailable.
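An added defender-side check for the remote-template stage described above (example code, not from FACCT or the article): it opens a .docx and looks for an attachedTemplate relationship whose target is external, which is the mechanism that lets a lure document pull a template such as the RTF file from the network when opened. The sample documents and the template URL it uses are constructed placeholders, since the article does not give the real link.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship type Word uses for an attached template; an External target makes
# Word fetch the template over the network as soon as the document is opened.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes):
    """Return the external attachedTemplate targets referenced by a .docx (empty if none)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(REL_NS + "Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                hits.append(rel.get("Target", ""))
    return hits


def build_sample_docx(template_target=None, external=True):
    """Build a minimal constructed .docx containing only the parts the check reads,
    optionally with an attachedTemplate relationship. Not a real malware sample."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    if template_target is not None:
        mode = ' TargetMode="External"' if external else ""
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s"%s/>'
                    % (ATTACHED_TEMPLATE, template_target, mode))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
        zf.writestr(SETTINGS_RELS, "\n".join(rels))
    return buf.getvalue()


# Placeholder URL: the campaign's real template link is not given in the article.
LURE = build_sample_docx("http://template-host.invalid/lure-template.rtf")
CLEAN = build_sample_docx()
LOCAL = build_sample_docx("Normal.dotm", external=False)

if __name__ == "__main__":
    for name, doc in (("lure", LURE), ("clean", CLEAN), ("local", LOCAL)):
        print(name, find_remote_templates(doc))
```

Only the external-target case is flagged; a locally attached template such as Normal.dotm is normal Word behaviour and produces no hit.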
