Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Cloud Atlas Deploys VBCloud Malware: Over 80% of Targets Found in Russia

The Hacker News by The Hacker News
December 27, 2024
Home Cybersecurity
Share on FacebookShare on Twitter


Dec 27, 2024Ravie LakshmananCyber Attack / Data Theft

The threat actor known as Cloud Atlas has been observed using a previously undocumented malware called VBCloud as part of its cyber attack campaigns targeting “several dozen users” in 2024.

“Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code,” Kaspersky researcher Oleg Kupreev said in an analysis published this week.

More than 80% of the targets were located in Russia. A lesser number of victims have been reported from Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.

Also referred to as Clean Ursa, Inception, Oxygen, and Red October, Cloud Atlas is an unattributed threat activity cluster that has been active since 2014. In December 2022, the group was linked to cyber attacks aimed at Russia, Belarus, and Transnistria that deployed a PowerShell-based backdoor called PowerShower.

Cybersecurity

Then exactly a year later, Russian cybersecurity company F.A.C.C.T. revealed that various entities in the country were targeted by spear-phishing attacks that exploited an old Microsoft Office Equation Editor flaw (CVE-2017-11882) to drop a Visual Basic Script (VBS) payload responsible for downloading an unknown next-stage VBS malware.

Kaspersky’s latest report reveals that these components are part of what it calls VBShower, which is then used to download and install PowerShower as well as VBCloud.

The starting point of the attack chain is a phishing email that contains a booby-trapped Microsoft Office document that, when opened, downloads a malicious template formatted as an RTF file from a remote server. It then abuses CVE-2018-0802, another flaw in the Equation Editor, to fetch and run an HTML Application (HTA) file hosted on the same server.

“The exploit downloads the HTA file via the RTF template and runs it,” Kupreev said. “It leverages the alternate data streams (NTFS ADS) feature to extract and create several files at %APPDATA%RoamingMicrosoftWindows. These files make up the VBShower backdoor.”

This includes a launcher, which acts as a loader by extracting and running the backdoor module in memory. The other VB Script is a cleaner that cares about erasing the contents of all files inside the “LocalMicrosoftWindowsTemporary Internet FilesContent.Word” folder, in addition to those within itself and the launcher, thereby covering up evidence of the malicious activity.

The VBShower backdoor is designed to retrieve more VBS payloads from the command-and-control (C2) server that comes with capabilities to reboot the system; gather information about files in various folders, names of running processes, and scheduler tasks; and install PowerShower and VBCloud.

PowerShower is analogous to VBShower in functionality, the chief difference being that it downloads and executes next-stage PowerShell scripts from the C2 server. It’s also equipped to serve as a downloader for ZIP archive files.

As many as seven PowerShell payloads have been observed by Kaspersky. Each of them carries out a distinct task as follows –

  • Get a list of local groups and their members on remote computers via Active Directory Service Interfaces (ADSI)
  • Conduct dictionary attacks on user accounts
  • Unpack ZIP archive downloaded by PowerShower and execute a PowerShell script contained within it in order to carry out a Kerberoasting attack, which is a post-exploitation technique for obtaining credentials for Active Directory accounts
  • Get a list of administrator groups
  • Get a list of domain controllers
  • Get information about files inside the ProgramData folder
  • Get the account policy and password policy settings on the local computer
Cybersecurity

VBCloud also functions a lot like VBShower, but utilizes public cloud storage service for C2 communications. It gets triggered by a scheduled task every time a victim user logs into the system.

The malware is equipped to harvest information about disks (drive letter, drive type, media type, size, and free space), system metadata, files and documents matching extensions DOC, DOCX, XLS, XLSX, PDF, TXT, RTF, and RAR, and files related to the Telegram messaging app.

“PowerShower probes the local network and facilitates further infiltration, while VBCloud collects information about the system and steals files,” Kupreev said. “The infection chain consists of several stages and ultimately aims to steal data from victims’ devices.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Revisiting the 3 Biggest Hardware Flops of 2024

Revisiting the 3 Biggest Hardware Flops of 2024

Recommended.

As stocks and bonds fall, and oil hits 0, a futures trade that boomed in 2022 may again be a winner

As stocks and bonds fall, and oil hits $100, a futures trade that boomed in 2022 may again be a winner

March 28, 2026
Low Data Trust Limits the Value of Analytics and AI Investments, Says Info-Tech Research Group

Low Data Trust Limits the Value of Analytics and AI Investments, Says Info-Tech Research Group

March 12, 2026

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Anaconda Extends AI-Native Application Development With Acquisition

Anaconda Extends AI-Native Application Development With Acquisition

May 1, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio