Introduction of VBCloud Malware
The cyber threat group known as Cloud Atlas has recently been observed using a new malware family referred to as VBCloud, targeting numerous users throughout 2024.
Attack Vector and Victims
According to Kaspersky researcher Oleg Kupreev, victims are compromised through phishing emails containing harmful documents that exploit a known vulnerability in the formula editor (CVE-2018-0802), which downloads and executes the malware.
Notably, over 80% of the affected individuals are located in Russia, with additional cases reported in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.
Background on Cloud Atlas
Also known as Clean Ursa, Inception, Oxygen, and Red October, Cloud Atlas has remained active since 2014. In December 2022, the group was connected to attacks targeting Russia, Belarus, and Transnistria, using a PowerShell backdoor dubbed PowerShower.
Exploiting Vulnerabilities
A year later, Russian cybersecurity firm F.A.C.C.T. disclosed that various organizations in the country faced spear-phishing attacks exploiting an older Microsoft Office flaw (CVE-2017-11882) to introduce a Visual Basic Script (VBS) payload that downloads additional unknown VBS malware.
Kaspersky’s findings reveal that these components form a system named VBShower, which is responsible for loading both PowerShower and VBCloud.
Details of the Attack Chain
The attack commences with a phishing email containing a malicious Microsoft Office document that, upon being opened, attempts to fetch a harmful RTF template from a remote server. This document leverages CVE-2018-0802 to download a malicious HTML Application (HTA) file.
Once downloaded, the HTA file executes and employs the NTFS alternate data streams (ADS) feature to create several files in the %APPDATA%\Roaming\Microsoft\Windows\ directory; together these files form the VBShower backdoor components.
Functionality of VBCloud and PowerShower
The VBShower backdoor is capable of retrieving additional VBS payloads from a command-and-control (C2) server, offering functionality to reboot the system, gather information, and install both PowerShower and VBCloud.
While PowerShower serves a similar function, it specifically downloads and executes PowerShell scripts from the C2 server, and it can also download ZIP files.
Capabilities and Data Exfiltration
VBCloud operates similarly to VBShower in that it uses public cloud storage for C2 communication, and it is triggered by scheduled tasks whenever a user logs in to their system. It collects extensive system information, including storage details, and harvests specific document-related file types.
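The chain described above (Office document exploiting the formula editor, a downloaded HTA, payload files written as NTFS alternate data streams under the %APPDATA%\Roaming\Microsoft\Windows\ staging directory, and a scheduled task that fires at user logon) leaves telemetry a defender can match on. The script below is an added detection example, not code from Kaspersky's report or from the malware itself. It runs three rules over constructed, Sysmon-style process, file and scheduled-task events; the simplified event fields, the sample paths and the use of EQNEDT32.EXE as the formula editor's binary name are assumptions made for the example.

```python
"""Detection rules, over constructed sample telemetry, for the Cloud Atlas
infection chain: Office/formula editor spawning mshta.exe, alternate data
stream writes under %APPDATA%\\Roaming\\Microsoft\\Windows\\, and a scheduled
task with a logon trigger that launches a script host.

Event layout is a simplified, constructed stand-in for Sysmon-style
telemetry; nothing here is real log data.
"""
import re

# Assumption: the formula editor runs as EQNEDT32.EXE and is spawned by Office.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Expanded form of the staging directory named in the article.
STAGING_DIR = "\\appdata\\roaming\\microsoft\\windows\\"
# Mark-of-the-web streams are written by browsers and are not suspicious.
BENIGN_STREAMS = {"zone.identifier"}

# Constructed sample events (ids 2, 4 and 5 are the malicious ones).
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"id": 2, "kind": "process",
     "parent": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\mshta.exe"},
    {"id": 3, "kind": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Templates\Normal.dotm"},
    {"id": 4, "kind": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\winlog.txt:payload.vbs"},
    {"id": 5, "kind": "task", "name": r"\Microsoft\Windows\Update\Check",
     "trigger": "LogonTrigger",
     "action": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\Microsoft\Windows\svchost.vbs"'},
    {"id": 6, "kind": "task", "name": r"\Vendor\Updater",
     "trigger": "DailyTrigger", "action": r"C:\Program Files\Vendor\updater.exe /silent"},
    {"id": 7, "kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe"},
    {"id": 8, "kind": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\report.lnk:Zone.Identifier"},
]


def basename(path: str) -> str:
    """Lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_ads_path(path: str) -> bool:
    """True if the final component names an alternate data stream.

    Windows file names cannot contain ':', so a colon in the last component
    (optionally followed by ':$DATA') is a stream separator. Known-benign
    streams such as Zone.Identifier are ignored.
    """
    m = re.fullmatch(r"([^:]+):([^:]+)(?::\$data)?", basename(path))
    return bool(m) and m.group(2) not in BENIGN_STREAMS


def under_staging_dir(path: str) -> bool:
    """True if the path lies under the article's %APPDATA% staging directory."""
    return STAGING_DIR in path.lower()


def detect(events):
    """Return (rule_name, event_id) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if ev["kind"] == "process":
            # Rule 1: Office or the formula editor launching the HTA host.
            if basename(ev["parent"]) in OFFICE_PARENTS and basename(ev["image"]) == "mshta.exe":
                hits.append(("office_spawns_mshta", ev["id"]))
        elif ev["kind"] == "file":
            # Rule 2: a non-benign ADS written into the staging directory.
            if under_staging_dir(ev["path"]) and is_ads_path(ev["path"]):
                hits.append(("ads_write_in_staging_dir", ev["id"]))
        elif ev["kind"] == "task":
            # Rule 3: logon-triggered task whose action is a script host.
            action_exe = basename(ev["action"].split()[0].strip('"'))
            if ev["trigger"].lower() == "logontrigger" and action_exe in SCRIPT_HOSTS:
                hits.append(("logon_task_runs_script_host", ev["id"]))
    return hits


if __name__ == "__main__":
    for rule, event_id in detect(SAMPLE_EVENTS):
        print(f"{rule}: event {event_id}")
```

Each rule is deliberately narrow: mshta.exe is only flagged when its parent is an Office binary, ADS writes are only flagged inside the staging directory and outside the mark-of-the-web stream, and scheduled tasks are only flagged when both a logon trigger and a script-host action are present. Running the three together on real telemetry lets an analyst correlate the stages of the chain rather than alerting on any one common Windows behaviour.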
As noted by Kupreev, the infection chain comprises multiple stages aiming to collect sensitive data and infiltrate further into networks, with VBCloud focusing on information collection and file theft.