Notorious APT upgrades its tools to evade detection

Read time 3min 30sec

A notorious advanced persistent threat (APT), called Cloud Atlas or Inception, has updated its attack arsenal with tools that enable it to avoid detection through standard indicators of compromise (IOC).

So says Internet security giant Kaspersky, adding that Cloud Atlas boasts a long history of cyber-espionage operations targeting industries, government agencies and other organisations. It was first discovered in 2014 and remained active since then. 

Recently, Kaspersky’s researchers have seen Cloud Atlas targeting the international economics and aerospace industries as well as governmental and religious organisations in Portugal, Romania, Turkey, Ukraine, Russia, Turkmenistan, Afghanistan, Kyrgyzstan and others.

Successful infiltration enables the APT to collect information about the system to which it has gained access, including log passwords, as well as exfiltrate recent .txt .pdf. xls and .doc files to a command and control server.

“While Cloud Atlas hasn’t dramatically changed its tactics,  recent waves of attacks research has discovered it has started to implement a novel way of infecting its victims and conducts lateral movement through their network,” says Kaspersky.

Originally, it would initially send a spear-phishing e-mail with a malicious attachment to a target. If the e-mail succeeded, malware called PowerShower would perform reconnaissance as well as download additional malicious modules, which would then be executed to allow attackers to proceed with their operation. The newly updated chain of infection only executes PowerShower at a later stage. After the initial infection, a malicious HTML app is now downloaded and executed on the victim’s computer. The application will then collect initial information about the compromised machine and download and execute VBShower, an additional malicious module. 

What is clever, is that VBShower then erases evidence of the presence of malware in the system and consults with its authors through command and control servers, to decide on further actions. “Depending on the command received, this malware will then download and execute either PowerShower or another well-known Cloud Atlas’ second stage backdoor,” explains Kaspersky

Although the new infection chain is in general much more complicated than the previous model, its main differentiator is the fact that a malicious HTML application and the VBShower module are polymorphic, meaning the code in both modules will be new and unique in each case of infection. Essentially, the new version renders the malware invisible to security solutions relying on familiar IOCs. 

Felix Aime, security researcher in the Kaspersky Global Research and Analysis Team, says it has become good practice in the security community to share the IOCs of malicious operations found through research. 

“This practice allows us to respond to ongoing international cyber-espionage operations quite swiftly, preventing any further damage they could cause. However, as we predicted as early as 2016, IOCs have become obsolete as a reliable tool to spot a targeted attack in your network. This first emerged with ProjectSauron, which would create a unique set of IOC for each of its victims and continued with the trend of using open source tools in espionage operations instead of unique ones,” he adds.

According to Aime, this doesn’t necessarily mean that threat actors are becoming harder to catch, but that security skills and the defender's toolkit need to evolve along with the toolkit and skills of the malicious actors they are tracking.

Kaspersky recommends that organisations use anti-targeted attack solutions enhanced with indicators of attack (IOA) that focus on the tactics, techniques or actions that cyber criminals may take when preparing for an attack. IOAs track the techniques deployed, no matter what specific tools are used. In addition, it recommends that companies educate their staff on digital hygiene and explain how they can recognise and avoid potentially malicious e-mails or links.

Login with