Introduction
Specialists at the PT Expert Security Center have been monitoring the Cloud Atlas group since May 2019. According to our data, its attacks have been targeting the government sector of the following countries:
- Russia
- Belarus
- Azerbaijan
- Turkey
- Slovenia
The goals of the group are espionage and theft of confidential information.
The group typically uses phishing emails with malicious attachments as the initial vector for their attacks.
In the third quarter of 2022, during our investigation we identified a phishing campaign targeting employees of Russian government agencies. The attackers used targeted mailing based on the professional field of the recipients, even though we found no publicly available information about them.
We first knew about the attackers back in 2014, when Kaspersky researchers published a report. Since then, their tools have not changed much (you can find more about them in the "Malware analysis" section). However, there has not yet been a detailed analysis and description of the functionality of these tools.
In this report, we'll discuss the main techniques of the Cloud Atlas group, and take an in-depth look at the tools they use.
Analysis of the documents found
As in previous years, the group begins its attack by sending phishing emails, using current geopolitical issues that are directly related to the target country as a bait text. An example of an email with malicious content that was sent as part of the campaign in 2022 is shown in Figure 1. Pay special attention to the sender's address: the attackers disguised themselves as the news portal Lenta.ru, well-known in Russia and the CIS. However, email addresses with such a domain can be created with Rambler (Figure 2).
An examination of the document and its contents revealed that a vulnerability in Equation Editor was used to launch the exploit payload. The shellcode (highlighted in red in Figure 12) is located inside one of the document's objects and is executed in the context of the EQNEDT32.EXE process.
The direct link to the HTA file (through which the loading is performed) is stored in the body of the shellcode (Figure 14) and is additionally XOR-encrypted with the one-byte value of 0x12.
As seen in Figure 11, the HTA file is designed to create on the disk the VBS scripts with the payload for subsequent stages, as well as an LNK file with the main payload containing the code for loading binary modules. Thus, the main task of the VBS macros (in our case, both macros had similar names: unbroken.vbs and unbroken.vbs.vbs) is to deobfuscate the contents of the LNK file (shown in Figure 15) and transfer control to it, after which the payload which was downloaded by the LNK file code is launched (we will discuss this in the "Malware analysis" section).
It is also worth noting that malicious documents which exploit the same vulnerabilities in Equation Editor and contain identical object names (for example, "weaseoijsd",highlighted in red in Figure 16) in RTF documents were analyzed by Cisco Talos Intelligence specialists and attributed to the Bitter APT group.
The second chain that we found is downloading malicious PowerShell scripts via remote templates (Figure 17), which in turn download malicious components (mostly Base64-encoded).
We also encountered cases of an intermediate .NET loader that downloaded a payload from a remote server and transferred control to it.
This .NET loader is decoded from Base64 and launched by a PowerShell script (Figure 18).
The export (Figure 19), activated from the loader, takes all the necessary parameters for network communication, including the connection encryption key (highlighted in yellow in Figure 18).
The communication is encrypted with a simple XOR operation with the transferred key (Figure 20).
We also noted that almost all of the functions that decrypt the loader contain a large amount of polymorphic code. This performs various operations with strings located inside the image, stack strings, as well as with their individual elements (Figure 22 shows an example). However, these operations do not have any effect on the decrypted data itself. They are used to calculate various variables and constants that affect the decryption parameters (data size, offsets, and so on), as well as to complicate the analysis process. The decrypted data is copied to a pre-allocated memory area as a valid PE image, after which control is transferred to it.
Main loader
The loader, in turn, is responsible for reading the data from the file containing the main payload, as well as for its decryption and unpacking.
First, the loader decrypts the configuration located in its body. The decryption algorithm (Figure 23) is single-byte XOR with an embedded key. After decryption, the configuration is validated.
We noted that the configuration has not changed since previous studies—it contains the same data and parameters (Figure 23).
Analyzing this function allowed us to understand that in this case the communication scheme is identical to the one described above: data is transferred by function calls from the table of virtual methods of the same COM object (in this case, PUT is used as the communication method).
Other than this, the analysis of the loaded module reveals nothing of interest. It simply performs a recursive search in the directories of certain paths.
It's worth noting that for each type of disk connected to the computer, a different type of search is used (Figure 36). It is also possible to steal files from remote servers—in this case, usernames and passwords (stored in the malware configuration) are transferred as parameters.
Let's also have a look at the function responsible for analyzing the contents of the scanned directories (Figure 37). It's worth noting that the function itself does not read the file directly. Instead, the pointer to the read function (pfnReadFile in the figure) is transferred through the global context—the structure that is initialized at the initial stage of the application—and the function is called this way.
Network infrastructure
All the domains that we discovered in the 2019–2021 attacks were registered through the anonymous registrar bitdomain[.]biz. This resource guarantees complete anonymity and payment on the service is made exclusively in bitcoins.
After analyzing the SOA records of the domains, we found that the admin email address field contains perfectly normal email addresses. In some cases, they turned out to be the registrant addresses that we found in WHOIS. Therefore, in those domains where WHOIS was hidden by the privacy settings, it can be assumed that the email in the SOA is the email of the registrant.
Domain | |
mynewtemplate.com | |
new-template.com | |
upgrade-office.com | |
upgrade-office.org | |
msofficeupdate.org | |
officeupgrade.org | |
newoffice-template.com | |
template-new.com |
When analyzing the 2022 campaign, we found a pattern: all the control servers registered by the attackers are used only to load remote templates.
List of the detected servers:
- checklicensekey.com
- comparelicense.com
- driver-updated.com
- sync-firewall.com
- system-logs.com
- technology-requests.net
- translate-news.net
We also discovered an interesting fact: the attackers disguised one of the control servers (technology-requests.net), trying to make it look like the site https://www.hoosierheightsindianapolis.com (Figure 38).
Figure 39 shows what the malicious site looked like on July 26, according to webcache.googleusercontent.com.
The malicious tools communicate through a cloud service (similar to previous years), namely OpenDrive (https://www.opendrive.com). The service is used for both storing the malware modules to be loaded and for loading the collected data. In this case, a temporary mailbox is used for logins.
Conclusion
The Cloud Atlas group has been active for many years, carefully thinking through every aspect of their attacks. The group's toolkit has not changed for years—they try to hide their malware from researchers by using one-time payload requests and validating them. The group avoids network and file attack detection tools by using legitimate cloud storage and well-documented software features, in particular in Microsoft Office.
The attackers also carefully choose their victims and target their attacks: the group used targeted mailings based on the professional field of the recipients, but we noted the absence of any publicly available information about the recipients, which could indicate a well-prepared attack.
We predict that the group will continue to operate, increasing the complexity of its tools and attack techniques due to the fact that it has once again attracted the attention of researchers.
Authors: Denis Kuvshinov, Aleksandr Grigorian, Daniil Koloskov, Positive Technologies
The article's authors thank the incident response and threat intelligence teams PT Expert Security Center for their help in drafting the story.
Detection of CloudAtlas group activity by Positive Technologies products
MP SIEM
The following correlation rules analyze triggered processes and help identify the described activity:
- Suspicious_Connection
- Malicious_Office_Document
- Windows_Autorun_Modification
The following correlation rules analyze the triggered scripts and help detect the described activity:
- Execute_Malicious_Powershell_Cmdlet
- Execute_Malicious_Command
Implementation of D3FEND techniques in MP SIEM, which will help in detecting CloudAtlas grouping activity
D3FEND ID | Name of technique D3FEND | Description |
D3-PA | Process Analysis | CloudAtlas group activity can be identified through the rules of process analysis. |
D3-SEA | Script Execution Analysis | CloudAtlas group activity can be detected through the analysis rules of the launched scripts. |
PT NAD
PT NAD contains a CloudAtlas reputation list, which will help in identifying CloudAtlas grouping activity.
Implementation of D3FEND techniques in PT NAD, which will help in detecting CloudAtlas activity.
D3FEND ID | Name of technique D3FEND | Description |
D3-DNSTA | DNS Traffic Analysis | Using reputation lists to detect Cloud Atlas group activity |
D3-FC | File Carving | Extracting from traffic the files downloaded by the Cloud Atlas group |
PT Sandbox
PT Sandbox verdicts on CloudAtlas grouping activity:
- Trojan.Win32.Generic.a
- Trojan.Win32.RegLOLBins.a
- Backdoor.Win32.CloudAtlas.a
- Trojan-Downloader.Win32.Generic.a
Network traffic analysis rules to help detect CloudAtlas grouping activity:
- LOADER [PTsecurity] Possible CloudAtlas
- SUSPICIOUS [PTsecurity] PROPFIND method in http request
- SUSPICIOUS [PTsecurity] MKCOL method in http request
Yara-rules, which will help in detecting CloudAtlas grouping activity:
- PTESC_tool_win_ZZ_OfficeTemplate__Downloader__DOC
- PTESC_exploit_win_ZZ_MalDoc__CVE201711882__Rtf__CA
Implementation of D3FEND techniques in PT Sandbox, which will help in detecting CloudAtlas grouping activity
D3FEND ID | Name of technique D3FEND | Description |
D3-PA | Process Analysis | Analysis of the behavior of processes created by malicious applications of the Cloud Atlas group |
D3-FA | File Analysis | Analysis of Cloud Atlas group files to determine their status and functionality |
D3-NTA | Network Traffic Analysis | CloudAtlas activity can be detected through traffic analysis |
Yara
rule PTESC_tool_win_ZZ_OfficeTemplate__Downloader__DOC { strings: $a = {00 A5 06 6E 04 B4} $b = {FF FF FF 7F FF FF FF 7F} $c = {B4 00 B4 00 81 81 12 30 00} $pref_1 = {68 00 74 00 74 00 70 00 3A 00 2F 00 2F} $pref_2 = {68 00 74 00 74 00 70 00 73 00 3A 00 2F 00 2F} condition: uint16be ( 0 ) == 0xd0cf and ( for any i in ( 300 .. 400 ) : ( uint8be ( @a + i ) == 0x68 and uint8be ( @a + i + 2 ) == 0x74 and uint8be ( @a + i + 4 ) == 0x74 and uint8be ( @a + i + 6 ) == 0x70 ) or for any j in ( 100 .. 200 ) : ( uint8be ( @b + j ) == 0x68 and uint8be ( @b + j + 2 ) == 0x74 and uint8be ( @b + j + 4 ) == 0x74 and uint8be ( @b + j + 6 ) == 0x70 ) or for any k in ( 200 .. 400 ) : ( uint8be ( @c + k ) == 0x68 and uint8be ( @c + k + 2 ) == 0x74 and uint8be ( @c + k + 4 ) == 0x74 and uint8be ( @c + k + 6 ) == 0x70 ) ) and ( ( for any l in ( 14 .. 70 ) : ( uint8be ( @pref_1 + l ) == 0x2f ) ) or ( for any y in ( 16 .. 70 ) : ( uint8be ( @pref_2 + y ) == 0x2f ) ) ) }rule PTESC_exploit_win_ZZ_MalDoc__CVE201711882__Rtf__CA { strings: $equation = "4571756174696F6E" nocase ascii //180000004571756174696F6E $msftedit = "generator Msftedit 6.39.15" nocase ascii //generator Msftedit 6.39.15.1401 $objclass = "objclass weaseoijsd" nocase ascii condition: uint32be ( 0 ) == 0x7B5C7274 and ($equation and ($msftedit or $objclass) or (for any i in (50..350) : (uint8be (@equation + i) == 0x64 and uint8be (@equation + i + 2) == 0x64 and uint8be (@equation + i + 4) == 0x64 and uint8be (@equation + i + 6) == 0x38))) }IOCs
File indicators
Name | SHA-256 | MD5 | SHA-1 |
Методические рекомендации для грузоотправителей-грузополучателей (2022).doc (Guidelines for consignors-consignees (2022).doc) | f2c4281e4d6c11173493b759adfb0eb798ce46650076e7633cf086b6d59fdb98 | b3f55d9065dd51a8be2d6c5078866086 | 9f4a18adaa094eef06ef88e76b6f4ed777f677e7 |
Будьте_бдительны_Корпоративное_уведомление.doc (Stay_alert_Corporate_Notice.doc) | 482aeb3db436e8d531b2746a513fe9a96407cf4458405680a49605e136858ec5 | 3399deafaa6b91e8c19d767935ae0908 | b745032dd5cd6f7eba2187fa3c86c775953a5611 |
Иранские оценки визита В. Путина в Тегеран.doc (Iranian assessments of V. Putin's visit to Tehran.doc) | 2f97374c76ae10c642a57a8b13d25cbdc070c9098c951ea418d1533ac01dc23c | 61b6e2040d5815d0135b2850137828d9 | df80df54f94d56aa436cdc2713e3bc8160ce43f8 |
Почему исламский мир не дает Западу изолировать Россию.doc (Why the Islamic world does not allow the West to isolate Russia.doc) | 3cf2bda35e88c59bb89e7fdc8fcfd4c46b2b9186e61325d2924e049d775b741f | 2b5cec8715e92d87bf6992e003a5651c | 9fc804b58ab43fc5f453810a30ea311fc3f5cbe6 |
leptophis[1].doc | c0e154b10d70b99b5616a2eda6bfe188a49f85ed3aa92d48ec9ce709df9d563f | 470c1df23bd825c6e36e1cd5936db912 | ba9fc2f0d9f0fcf726a2cbc426f570bea5f22c96 |
lep[1].hta | a4194555b19ea32680cc23f8f7d42da02b82eba8b64cb5f4630110f4e2c1ddf3 | 66ecc2285e9d172ceb9f0b0ba030c65c | b5cc0a7ff0d8cd151545cbabcaf23c5486acec95 |
unbroken.vbs | 59066dc428cde7cc55f3c24c2658d3e288f3f072811d86243a85af14bd482744 | 7ce01fc92fc221cad338cea1cfd43a22 | 9579b7f3a98657f704575aa4a08ed6ff3d8680a4 |
unbroken.vbs.vbs | 4cb6e224b6b03a2f6ac1ac23e6bf097067018b90493ee94f210f66fbbbbdce77 | 1aa04f847bd7ec987986ec6e52966b89 | 8e23ac686bbc958dd85e46a2d4bb6acaee5aa35f |
list.ps1 | 2233c0d4030cc728c2219b1e9c4c05cb262e2ddc7f4ac2f2924767396418c25a | d5a40e2986efd4a182bf564084533763 | 89364b9d170ab90d25d30649582679c3d7332b91 |
office.ps1 | 7fcf7c1dad362283d0a27993df4764e2bbb11857842b80f63d63449b9f2f1fa4 | d02ab337bc56214d72b8cabea8bc19b2 | 81e22a16a6617670c394dbd7ee642eba8e419de7 |
office.ps1 | d9fc6504c8970fefc441c77965937c382b029f1278918d1f54d196859e9f6e7c | 077b71298ce31832ae43e834b7e6c080 | ee50f3cd04d0fdf5e931ad85bfd464828116279b |
rtcpsvc.dll | 3e7b066c26ba98d285a41043c739be8767606d9df057ee2f7bcddb7862c00711 | f68e64dacd046289d4222098ee421478 | ce13a1ae0dd5d537320b77ac8e3d94df6448a82a |
lockrail.dll | c5d1de206445f508c1af5f213e46b915b536e4b36ef917c4e826a982dd47c312 | acbbc6fea0dbbe7cba511b450cc2b758 | 94f342f9219cee4f2b91b54809de92d5bb00e93e |
holeincorner | 8215e918ca3a77424dadac1aebc9a44b8f9840cd1389df0399a9fa4eb6329775 | dc3faa6840d1b5fd296d71ee8877254e | 53b767ff4fa5c5adc7041389ffd28bb4abda1434 |
Salzgitters.avi | b8dc70b9ffe06c9ecaf0216ea7948fe718143db10641a23297652693ea026ab3 | e5e19040beabb0c0c68fdf4f3978a18b | e68dc027aee851125960ee0559610f43fee581b0 |
Schultes.wmv | f4e710f515249e8c08ae76284bfb280070e1fd2308e9d9321d92163dfc73be66 | 45f6f95918efbdcc2c97e3d905635f83 | 9a1d8a68042b91ee17648606e43907354227d25f |
Network indicators:
- api-help.com
- driver-updated.com
- sync-firewall.com
- system-logs.com
- technology-requests.net
- translate-news.net
- checklicensekey.com
- comparelicense.com
- msupdatecheck.com
- protocol-list.com
Payload filenames (from the configuration):
- callicrates
- tinh
- amianthium
- mandarinduck
- cushioning
- kingsclover
Email addresses from which malicious emails were sent:
MITRE TTPs
ID | Name | Description |
Resource Development | ||
T1583 | Acquire Infrastructure | The Cloud Atlas group used servers to store remote templates, as well as cloud storage as a control server |
T1585 | Establish Accounts | The Cloud Atlas group registered cloud service accounts and tempmail mailboxes |
Initial Access | ||
T1566.001 | Phishing: Spearphishing Attachment | The Cloud Atlas group sent phishing emails with malicious content |
Execution | ||
T1204.002 | User Execution: Malicious File | The Cloud Atlas group sent emails with malicious DOC and DOCX files |
T1559.001 | Inter-Process Communication: Component Object Model | The Cloud Atlas group used COM components in their tools |
T1059.001 | Command and Scripting Interpreter: PowerShell | The Cloud Atlas group used PowerShell scripts to load and run their components |
T1059.005 | Command and Scripting Interpreter: Visual Basic | The Cloud Atlas group used Visual Basic scripts to load and run their components |
T1203 | Exploitation for Client Execution | The Cloud Atlas group used vulnerabilities in Microsoft Office components to launch their malicious components |
Persistence | ||
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The Cloud Atlas group used registry keys (autorun) for persistence |
Defense Evasion | ||
T1221 | Template Injection | The Cloud Atlas group used a remote template injection technique to hide the malicious payload |
T1140 | Deobfuscate/Decode Files or Information | The Cloud Atlas group encrypts its components to protect them from discovery and analysis |
Collection | ||
T1025 | Data from Removable Media | The Cloud Atlas group used tools to collect information from various remote devices |
T1039 | Data from Network Shared Drive | The Cloud Atlas group used tools to collect information from various network devices |
T1005 | Data from Local System | The Cloud Atlas group used tools to collect information from the file system |
T1560.002 | Archive Collected Data: Archive via Library | The Cloud Atlas group applies LZNT1 compression to collected data using the WinAPI library |
T1560.003 | Archive Collected Data: Archive via Custom Method | The Cloud Atlas group used custom data encryption algorithms |
T1119 | Automated Collection | The Cloud Atlas group used methods of automatic data collection from infected machines |
Command and Control (C2) | ||
T1573.001 | Encrypted Channel: Symmetric Cryptography | The Cloud Atlas group used AES encryption to hide network communication |
T1041 | Exfiltration Over C2 Channel | The Cloud Atlas group used a C2 channel to transfer collected data |
T1102 | Web Service | The Cloud Atlas group used the OpenDrive cloud service as a control server |
General TTP countermeasures used by CloudAtlas
Basic protective measures
D3FEND ID | Name of technique D3FEND | Description |
D3-SYSVA | System Vulnerability Assessment | Since CloudAtlas exploits vulnerabilities, it is necessary to monitor the vulnerability of systems in the infrastructure and update vulnerable software in a timely manner |
D3-SU | Software Update | Since CloudAtlas exploits vulnerabilities, it is necessary to monitor the vulnerability of systems in the infrastructure and update vulnerable software in a timely manner |
D3-OTF | Outbound Traffic Filtering | Restrict network traffic to untrusted servers from IOC lists |
D3-DNSDL | DNS Denylisting | Block resolution of DNS names from IOC lists |
Additional protective measures
D3FEND ID | Name of technique D3FEND | Description |
D3-SRA | Sender Reputation Analysis | CloudAtlas group uses free email services, so as an additional measure of protection against phishing, you can specially mark emails from external free services to attract additional attention of the user |
D3-UDTA | User Data Transfer Analysis | CloudAtlas grouping downloads data through compromised workstations, so you can use profiling of the amount of data transferred to the Internet by the user to detect anomalies in the case of massive data exfiltration |
还没有评论,来说两句吧...