Cyber-espionage group Cloud Atlas has added polymorphic malware to its arsenal to avoid having its operations detected and monitored with the help of previously collected indicators of compromise (IOCs).
The hacking group, also known as Inception [1, 2], was first identified in 2014 by researchers from Kaspersky's Global Research and Analysis Team, and it has a history of targeting government agencies and entities from a wide range of industries via spear-phishing campaigns.
While the malware and the tactics, techniques, and procedures (TTPs) Cloud Atlas uses during its operations have remained unchanged since at least 2018, the APT group has now added a new polymorphic HTML Application malware dropper in the form of a malicious HTA, and a backdoor dubbed VBShower.
The new infection chain Cloud Atlas employs to infect its targets has been observed by Kaspersky's research team on compromised machines owned by organizations in Central Asia, Eastern Europe, and Russia, starting in April 2019.
After successfully infiltrating a target's systems, the threat actors use their malware's document stealer, password grabbing, and information gathering modules to collect and exfiltrate data, which is then sent to command and control (C2) servers they control.
Unlike earlier campaigns operated by the threat group, which started by dropping its PowerShower PowerShell-based validator implant following exploitation of the CVE-2017-11882 and CVE-2018-0802 flaws in Microsoft Office, the new attacks observed by Kaspersky start by downloading and launching the polymorphic HTA.
"The newly updated chain of infection postpones the execution of PowerShower until a later stage. Instead, after the initial infection, a malicious HTML app is now downloaded and executed on the target machine," says the report.
"This application will then collect initial information about the attacked computer and download and execute VBShower, another malicious module."
The VBShower backdoor, which also replaces PowerShower as the validator module, is then used to download and execute either a PowerShower installer or another previously detected and analyzed Cloud Atlas second-stage backdoor installer.
Right before the second-stage installers are dropped on the compromised systems, following commands delivered by its operators, VBShower also makes sure that all evidence of the malware is erased.
"While this new infection chain is more complicated than the previous model, its main differentiator is that the malicious HTML application and the VBShower module are polymorphic," add the researchers.
This makes it possible for the hacking group to always infect their targets using modules that appear unique and new, which makes it a lot harder, if not impossible, for their malicious implants to be detected with the help of previously discovered IOCs.
"[..] IoC have become obsolete as a reliable tool to spot a targeted attack in your network. This first emerged with ProjectSauron, which would create a unique set of IoC for each of its victims, and continued with the trend of using open source tools in espionage operations instead of unique ones," says GReAT researcher Felix Aime.
"Now this is continuing with this latest example of polymorphic malware. This doesn't mean that actors are becoming harder to catch, but that security skills and the defenders' toolkit need to evolve along with the toolkit and skills of the malicious actors they're tracking."
Kaspersky's research team provides a full list of indicators of compromise (IOCs) for the current campaign, including C2 IP addresses, VBShower paths and registry keys, as well as some of the attacker email addresses detected during the recent attacks.
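To illustrate the shift Aime describes, here is an added example (not Kaspersky's code or data) contrasting a hash-based IOC match with a behavioural match on the staged chain the report outlines: lure document, HTA dropper, VBShower, then PowerShower. The process names, parent/child layout and hashes are constructed assumptions; the real tooling may not use these binaries.

```python
import hashlib

# Constructed stand-in for an IOC feed: the hash of one HTA dropper analysed earlier.
KNOWN_BAD_HASHES = {hashlib.sha256(b"hta dropper as seen on an earlier victim").hexdigest()}

def polymorphic_hta(victim: str) -> str:
    """Each victim gets a rebuilt dropper, so its hash never appears in the feed (constructed)."""
    return hashlib.sha256(f"hta dropper rebuilt for {victim}".encode()).hexdigest()

# Constructed process-creation telemetry: (host, pid, ppid, image, file_sha256).
# Assumed tooling, not from the report: the HTA runs under mshta.exe, the VBS backdoor
# under wscript.exe, PowerShower under powershell.exe, with the lure's Office process as root.
def staged_chain_events(victim: str) -> list:
    return [
        (victim, 100, 1, "winword.exe", None),
        (victim, 200, 100, "mshta.exe", polymorphic_hta(victim)),
        (victim, 300, 200, "wscript.exe", None),
        (victim, 400, 300, "powershell.exe", None),
    ]

EVENTS = staged_chain_events("victim-a") + staged_chain_events("victim-b") + [
    # Benign PowerShell launched from the desktop on an admin workstation.
    ("admin-ws", 500, 1, "explorer.exe", None),
    ("admin-ws", 510, 500, "powershell.exe", None),
]

STAGED_CHAIN = ("winword.exe", "mshta.exe", "wscript.exe", "powershell.exe")

def hash_hits(events) -> set:
    """Hosts flagged by the static IOC feed alone."""
    return {host for host, _, _, _, sha in events if sha in KNOWN_BAD_HASHES}

def chain_hits(events, chain=STAGED_CHAIN) -> set:
    """Hosts where some process ancestry contains the staged chain, in order."""
    by_key = {(ev[0], ev[1]): ev for ev in events}
    hosts = set()
    for host, _, ppid, image, _ in events:
        if image != chain[-1]:
            continue
        lineage = [image]                      # walk parents back to the root
        parent = by_key.get((host, ppid))
        while parent is not None:
            lineage.append(parent[3])
            parent = by_key.get((host, parent[2]))
        lineage.reverse()
        remaining = iter(lineage)              # ordered subsequence match
        if all(step in remaining for step in chain):
            hosts.add(host)
    return hosts
```

With the constructed telemetry, `hash_hits` returns nothing because every dropper hash is new, while `chain_hits` flags both victims and leaves the admin workstation alone.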