Cloud Atlas APT Uses Polymorphic Components to Avoid IOCs-based Detection

Delaware, USA – August 14, 2019 – Active since 2012, cyber espionage group Cloud Atlas has added new malware to its arsenal and expanded its area of ​​activity. Adversaries do not change their Tactics, Techniques, and Procedures since they already allow them to successfully conduct cyber-espionage operations. Since the beginning of the year, the APT group conducted a series of spear-phishing attacks targeted at government entities in Central Asia, Russia, Ukraine, Turkey, and Romania. Cloud Atlas APT leverages phishing emails with MS Office document attached, which uses malicious remote templates hosted on remote servers to drop the malware. As previously, the main tool of the group is PowerShower backdoor which gets and executes PowerShell and VBS modules to steal sensitive data or download other next-stage malware. Now the attackers have switched from direct delivery of their primary tools via weaponized document to more complex infection chain and using polymorphic components. Malicious template downloads and executes a polymorphic HTA which drops three files: VBShower backdoor and his launcher, and a file with contextual data. VBShower deletes traces of infection process and sends contextual data to the C&C server, after which it tries to download and execute a VBA script from the attacker’s server. Researchers at Kaspersky Lab uncovered the delivery and launch of the PowerShower installer and installer of another modular backdoor used by Cloud Atlas group.

Using polymorphic malware helps the group to avoid detection by IOCs-based security solutions. At the same time, the use of proven TTPs guarantees effective operations in Eastern Europe and Central Asia, even using the 5-years-old backdoor. You can detect suspicious activity on Windows hosts using your SIEM and Sysmon Framework rule pack: