Cloud Atlas Attacks Russian-Aligned Entities
Category: Threat Actor Activity | Industries: Industrial, Government, Religion, Research, Telecommunication, Transportation | Level: Tactical | Source: Checkpoint
Checkpoint researchers observing the cyber-espionage group Cloud Atlas discovered that the group has focused on Russian and Belarusian entities since the Russia-Ukraine war began in February 2022. A review of the group's activities reveals it has been able to gain "full access" to various organizations. The tactics, techniques, and procedures (TTPs) observed from Cloud Atlas have remained consistent since the group's emergence in 2014 and are described as static and simple. During the initial infection stage, the operators distribute phishing emails containing a malicious document that retrieves a remote template. Their weaponized documents have also exploited the widely exploited Microsoft Equation Editor vulnerabilities, CVE-2017-11882 and CVE-2018-0802.
PowerShower, a PowerShell backdoor, follows the weaponized document; when executed, it downloads a malicious archive file and runs instructions issued by the attacker's command and control (C2). Additional payloads dropped by PowerShower include other PowerShell scripts, proxy tools, and a modular backdoor. "Interestingly, the actors made no significant changes in the core of their modular backdoor in the seven years after its discovery in 2014 by Kaspersky and Symantec." During the post-exploitation stage, Cloud Atlas' TTPs have included the use of ntdsutil for credential theft and lateral movement over RDP. In terms of Cloud Atlas' victimology, the group has targeted a large number of industry verticals; however, as Checkpoint recently observed, "toward the end of 2021, amid the rising tensions between Russia and Ukraine, the focus of the group shifted to the Crimean Peninsula and breakaway regions of Ukraine, Luhansk and Donetsk, as well as government, diplomatic, research and industry entities of Russia and Belarus."
- Malicious File Delivering Malware
Anvilogic Use Cases:
- Abuse EQNEDT32.EXE
- NTDSUtil.exe execution
- RDP Connection
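The three use cases above, expressed as simple detection logic run over constructed process-creation events (Sysmon Event ID 1 fields flattened to JSON lines). This is an added example written for this summary, not Anvilogic's or Checkpoint's own content; the field names, hosts and command lines are assumptions made up for the sample.

```python
import json
import re

# Constructed sample telemetry, not real events: one Equation Editor child process,
# one benign process, one ntdsutil.exe export of the AD database, one routine
# ntdsutil.exe invocation, and one outbound RDP client launch.
SAMPLE_EVENTS = r'''
{"host":"ws01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE","cmdline":"powershell.exe -NoProfile -WindowStyle Hidden"}
{"host":"ws01","image":"C:\\Windows\\System32\\notepad.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"notepad.exe"}
{"host":"dc01","image":"C:\\Windows\\System32\\ntdsutil.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","cmdline":"ntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\temp\\x\" q q"}
{"host":"dc01","image":"C:\\Windows\\System32\\ntdsutil.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","cmdline":"ntdsutil \"metadata cleanup\" q"}
{"host":"ws02","image":"C:\\Windows\\System32\\mstsc.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"mstsc /v:dc01"}
'''


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the names of the use cases this event matches (empty if none)."""
    hits = []
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmd = event.get("cmdline", "").lower()
    # Abuse EQNEDT32.EXE: the Equation Editor has no legitimate reason to spawn
    # child processes, so any child of it is suspicious (CVE-2017-11882 / CVE-2018-0802).
    if parent == "eqnedt32.exe":
        hits.append("Abuse EQNEDT32.EXE")
    # NTDSUtil.exe execution: only flag arguments that export NTDS.dit (credential theft),
    # not routine maintenance such as "metadata cleanup".
    if image == "ntdsutil.exe" and re.search(r"\bifm\b|create\s+full|\bntds\b", cmd):
        hits.append("NTDSUtil.exe execution")
    # RDP Connection: the RDP client launched with an explicit target host.
    if image == "mstsc.exe" and "/v:" in cmd:
        hits.append("RDP Connection")
    return hits


def scan(lines):
    """Run detect() over JSON-lines telemetry; return (host, use case) alerts in order."""
    alerts = []
    for line in lines.strip().splitlines():
        event = json.loads(line)
        for rule in detect(event):
            alerts.append((event["host"], rule))
    return alerts


if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

In production these rules would be enriched with the parent/child chain for PowerShell and network telemetry for RDP, but the matching conditions above are the core of each use case.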