

Rewterz Threat Advisory – CVE-2023-49880 – IBM Financial Transaction Manager Vulnerability
December 26, 2023
Rewterz Threat Update – BlackCat Ransomware Gang Announces Revenge Attacks After Website Disrupted by FBI
December 26, 2023
Severity
High
Analysis Summary
A threat actor of unknown origin, tracked as Cloud Atlas, has been found to be behind multiple spear-phishing attacks targeting Russian organizations, including a Russian agro-industrial entity and a state-owned research company.
Cloud Atlas (aka Inception, Clean Ursa, Red October, and Oxygen) is a cyber espionage group that has been active since at least 2014 and is known for persistent campaigns that usually target Turkey, Russia, Slovenia, Azerbaijan, and Belarus. In December of last year, cybersecurity researchers published a detailed report on multi-stage attack sequences that led to the deployment of a PowerShell-based backdoor called PowerShower, as well as other DLL payloads capable of communicating with a command-and-control server.
The campaign begins with a phishing email carrying a lure document that exploits CVE-2017-11882, a six-year-old memory corruption vulnerability in Microsoft Office’s Equation Editor, to start execution of the malicious payloads. The latest kill chain is described as similar to the previous ones: successful exploitation of CVE-2017-11882 via RTF template injection makes way for shellcode responsible for downloading and executing a hidden HTA file. The emails are sent from popular Russian email services such as VK’s Mail.ru and Yandex Mail.
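The lure document described above combines two things a mail gateway or sandbox can check for before Word ever opens the file: an RTF remote-template reference and an embedded Equation Editor OLE object. The scanner below is an added example, not code from the original advisory or from any vendor; the sample RTF it checks is constructed here and the CLSID {0002CE02-0000-0000-C000-000000000046} is Equation Editor 3.0's published class identifier.

```python
import re

# Equation Editor 3.0 CLSID, little-endian as stored in an OLE2 directory entry (CVE-2017-11882 component)
EQNEDT_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")
TEMPLATE_RE = re.compile(rb"\\\*\\template\s+([^}]+)}", re.IGNORECASE)
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([^}]+)}", re.IGNORECASE)
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s+([^}]+)}", re.IGNORECASE)

def scan_rtf(data: bytes) -> dict:
    """Flag remote template injection and Equation Editor OLE objects in an RTF file."""
    f = {"template_urls": [], "equation_objclass": False,
         "equation_objdata": False, "objdata_clsid": False}
    if not data.lstrip().startswith(b"{\\rt"):   # Word also accepts a truncated {\rt header
        return f
    # 1. {\*\template <target>}: a remote URL or UNC path here is template injection
    for m in TEMPLATE_RE.finditer(data):
        target = m.group(1).strip()
        if re.match(rb"(?i)(https?://|file://|\\\\)", target):
            f["template_urls"].append(target.decode("latin-1"))
    # 2. Object class declared as Equation.3
    for m in OBJCLASS_RE.finditer(data):
        if b"equation" in m.group(1).lower():
            f["equation_objclass"] = True
    # 3. Decode the hex-encoded OLE1 object: the class name is ANSI, the
    #    "Equation Native" stream name inside the OLE2 container is UTF-16LE
    for m in OBJDATA_RE.finditer(data):
        hexchars = re.sub(rb"[^0-9a-fA-F]", b"", m.group(1))
        try:
            blob = bytes.fromhex(hexchars.decode("ascii"))
        except ValueError:            # odd length or otherwise malformed hex
            continue
        low = blob.lower()
        if b"equation.3" in low or "Equation Native".encode("utf-16-le").lower() in low:
            f["equation_objdata"] = True
        if EQNEDT_CLSID_LE in blob:
            f["objdata_clsid"] = True
    return f

def is_suspicious(f: dict) -> bool:
    """A remote template or any Equation Editor indicator warrants quarantine and analyst review."""
    return bool(f["template_urls"]) or f["equation_objclass"] or f["equation_objdata"] or f["objdata_clsid"]

# Constructed sample (not a real malware file) exercising both checks
_OLE1 = (b"\x01\x05\x00\x00"                  # OLE 1.0 version
         + b"\x02\x00\x00\x00"                # FormatID 2 = embedded object
         + b"\x0b\x00\x00\x00" + b"Equation.3\x00")   # length-prefixed class name
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\*\\template http://template.example/remote.dotm}"
              b"{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
              + _OLE1.hex().encode() + b"}}}")
```

Real samples often obfuscate the objdata stream and insert junk control words, so treat this as a baseline triage check rather than a complete detector.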
The researchers said, “As part of the new campaign, the attackers used addresses registered through the popular email services antonowadebora@yandex.ru and mil.dip@mail.ru and two current topics – support for SVO participants and military registration.”
The malicious HTML application then launches Visual Basic Script (VBS) files, which in turn retrieve an unknown VBS payload from a remote server and execute it. The APT’s toolkit has not changed for years; the group tries to evade detection by security researchers by using one-time payload requests, and it avoids file- and network-based detection tools by relying on legitimate cloud storage and documented software features.
Researchers have also stated that at least 20 entities in Russia have been infected by Decoy Dog, a modified version of Pupy RAT attributed to an APT actor called Hellhounds. The malware is actively maintained and allows the adversary to remotely control the compromised system. It also comes with a script designed to transmit telemetry data to an automated Mastodon account going by the name “Lamir Hasabat” on the Mindly.Social instance.
Impact
- Cyber Espionage
- Sensitive Information Theft
- Code Execution
Indicators of Compromise
Domain Name
- avito-service.net
- network-list.com
Remediation
- Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
- Block all threat indicators at your respective controls.
- Search for Indicators of Compromise (IoCs) in your environment using your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Enable antivirus and anti-malware software and update signature definitions on time. Multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
- Maintain up-to-date patches and antivirus software to prevent the exploitation of known vulnerabilities.
- Organizations should conduct regular vulnerability assessments and penetration testing to identify and mitigate potential security weaknesses.
- Implement robust security measures such as two-factor authentication, endpoint detection and response (EDR) tools, and employee security awareness training.