Kaspersky: Cloud Atlas (aka Inception) has updated its attack arsenal with new tools to avoid detection by IOC
Cloud Atlas (aka Inception) has updated its attack arsenal with new tools. The change was detected by Kaspersky cyber security experts, who tracked the APT as it targeted the international economics and aerospace industries as well as governmental and religious organizations in Portugal, Romania, Turkey, Ukraine, Russia, Turkmenistan, Afghanistan and Kyrgyzstan, among other countries. The new tricks allow the malicious hackers to avoid detection through standard Indicators of Compromise (IOC). While this new infection chain is in general much more complicated than the previous one, its main differentiator is that the malicious HTML application and the VBShower module are polymorphic: the code of both modules is new and unique in each infection. The update is designed to make the malware invisible to security solutions that rely on familiar Indicators of Compromise, such as file hashes of previously seen samples.
The targets and the aims of the cyber espionage APT
According to the cyber security experts, Cloud Atlas has a long history of cyber espionage operations. The APT targets industries, government agencies and other entities. It was first identified in 2014 and has been active ever since. The malicious hackers collect information about the system they have gained access to, log passwords, and exfiltrate recent .txt, .pdf, .xls and .doc files to a command and control server. In its recent waves of attacks, they started to use a novel way of infecting victims and of conducting lateral movement through their networks.
The cyber security experts: How the new chain of infection works
Cloud Atlas' newly updated chain of infection postpones the execution of PowerShower until a later stage; instead, after the initial infection, a malicious HTML application is downloaded and executed on the target machine. This application then collects initial information about the attacked computer and downloads and executes VBShower – another malicious module. VBShower then erases evidence of the malware's presence on the system and consults its masters through the command and control servers to decide on further actions. Depending on the command received, it downloads and executes either PowerShower or another well-known second-stage backdoor.
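The two security-relevant points in this article are that polymorphic stages defeat file-hash IOCs, and that the staged chain (HTML application, then VBShower, then PowerShower) is still visible as a sequence of process launches. The following Python is an added illustration, not code from Kaspersky or from the Cloud Atlas samples. It assumes a generic process-creation event schema (host, pid, ppid, image) and assumes the stages map onto mshta.exe, wscript.exe/cscript.exe and powershell.exe respectively; the two "payload" byte strings are constructed stand-ins, not real malware.

```python
import hashlib

# --- Part 1: why a hash IOC fails against polymorphic stages -------------

# Constructed stand-ins for the per-victim HTML application / VBShower code.
# They differ only trivially, as a polymorphic generator would arrange.
SAMPLE_VICTIM_A = b"<script language='vbscript'>' loader v1\r\n</script>"
SAMPLE_VICTIM_B = b"<script language='vbscript'>' loader k9x\r\n</script>"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Blocklist built from the first sample seen, as a file-hash IOC feed would be.
HASH_IOCS = {sha256_hex(SAMPLE_VICTIM_A)}


def hash_ioc_hit(payload: bytes) -> bool:
    """True only if this exact byte sequence was seen before."""
    return sha256_hex(payload) in HASH_IOCS


# --- Part 2: behavioural detection of the staged chain -------------------

# Process-creation events, constructed for this example (EDR/Sysmon-style).
EVENTS = [
    {"host": "ws01", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"host": "ws01", "pid": 410, "ppid": 100, "image": "winword.exe"},
    {"host": "ws01", "pid": 522, "ppid": 410, "image": "mshta.exe"},
    {"host": "ws01", "pid": 600, "ppid": 522, "image": "wscript.exe"},
    {"host": "ws01", "pid": 731, "ppid": 600, "image": "powershell.exe"},
    # Benign admin activity on another host: PowerShell from a console.
    {"host": "ws02", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"host": "ws02", "pid": 205, "ppid": 100, "image": "cmd.exe"},
    {"host": "ws02", "pid": 301, "ppid": 205, "image": "powershell.exe"},
]

# Assumed mapping of the article's stages onto Windows host binaries:
# HTML application -> mshta.exe, VBShower (VBScript) -> wscript/cscript,
# PowerShower (PowerShell) -> powershell.exe / pwsh.exe.
STAGE_IMAGES = {
    "hta": {"mshta.exe"},
    "vbs": {"wscript.exe", "cscript.exe"},
    "ps": {"powershell.exe", "pwsh.exe"},
}


def ancestors(event, by_key):
    """Yield image names of the parent, grandparent, ... on the same host."""
    host, ppid = event["host"], event["ppid"]
    seen = set()
    while (host, ppid) in by_key and ppid not in seen:
        seen.add(ppid)
        parent = by_key[(host, ppid)]
        yield parent["image"].lower()
        ppid = parent["ppid"]


def detect_staged_chain(events):
    """Return (host, pid) of each PowerShell process launched by a script
    host that itself descends from an HTML application host process."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() not in STAGE_IMAGES["ps"]:
            continue
        chain = list(ancestors(e, by_key))  # nearest parent first
        vbs_idx = next(
            (i for i, img in enumerate(chain) if img in STAGE_IMAGES["vbs"]),
            None,
        )
        if vbs_idx is None:
            continue
        # The HTA host must sit above the script host in the ancestry.
        if any(img in STAGE_IMAGES["hta"] for img in chain[vbs_idx + 1:]):
            hits.append((e["host"], e["pid"]))
    return hits


if __name__ == "__main__":
    print("hash IOC catches victim A:", hash_ioc_hit(SAMPLE_VICTIM_A))
    print("hash IOC catches victim B:", hash_ioc_hit(SAMPLE_VICTIM_B))
    print("staged-chain hits:", detect_staged_chain(EVENTS))
```

The hash lookup matches the first sample and misses the second, which is exactly the gap the polymorphic HTML application and VBShower create. The parent-chain check does not depend on file content at all, so it flags the ws01 PowerShell launch while leaving the console-launched PowerShell on ws02 alone; in a real deployment the image names and the tolerated ancestry depth would be tuned to the environment's own telemetry.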