
Cloud Atlas using a new backdoor, VBCloud, to steal data

Dec. 23, 2024, 3:16 p.m.

Description

Cloud Atlas, a threat group active since 2014, has added a new backdoor, VBCloud, to its toolset in a campaign targeting Eastern Europe and Central Asia. The chain starts with a phishing email carrying a malicious document that exploits CVE-2018-0802 (a memory corruption flaw in the Microsoft Office Equation Editor). The exploit downloads and runs an HTA file, which deploys the VBShower backdoor; VBShower in turn installs two further backdoors, VBCloud and PowerShower. VBCloud replicates the capabilities of the group's earlier backdoors (downloading and executing malicious plugins, communicating with cloud storage servers used for command and control, and running assigned tasks) and is used to collect system information and exfiltrate files from the victim device. PowerShower handles network reconnaissance and further infiltration of the victim's network.

Date

Published: Dec. 23, 2024, 1:25 p.m.

Created: Dec. 23, 2024, 1:25 p.m.

Modified: Dec. 23, 2024, 3:16 p.m.

Indicators

kim.nl.tab.digital

webdav.mydrive.ch

yandisk.info

yandesktop.com

yandesks.net

web-wathapp.com

web-privacy.net

triger-working.com

sber-cloud.info

riamir.net

office-confirm.com

net-plugin.org

mirconnect.info

control-issue.net

gosportal.net

content-protect.net
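The domains above are only useful once they are checked against what your own resolvers and proxies saw. The script below is an added example, not code from the original page or from the report it summarizes: it loads the indicator list as published here, pulls the queried or requested hostname out of BIND-style DNS query-log lines and Squid-style proxy access-log lines, and reports every line whose host equals one of the indicators or sits under it. The log lines are constructed for the example; the timestamps, client addresses and the benign hosts in them are not from the page.

```python
"""Match the Cloud Atlas domain indicators from this page against DNS and proxy
log lines. Added example; the log lines below are constructed, not real."""
import re
from urllib.parse import urlparse

# Domains copied from the Indicators section of this page.
CLOUD_ATLAS_DOMAINS = {
    "kim.nl.tab.digital", "webdav.mydrive.ch", "yandisk.info", "yandesktop.com",
    "yandesks.net", "web-wathapp.com", "web-privacy.net", "triger-working.com",
    "sber-cloud.info", "riamir.net", "office-confirm.com", "net-plugin.org",
    "mirconnect.info", "control-issue.net", "gosportal.net", "content-protect.net",
}

# Constructed sample log lines (not from the page): three BIND-style query-log
# lines and three Squid-style access-log lines, each set with one benign entry.
SAMPLE_LOGS = [
    "23-Dec-2024 14:02:11.513 client 10.0.0.17#51022: query: yandisk.info IN A + (10.0.0.5)",
    "23-Dec-2024 14:02:12.001 client 10.0.0.17#51023: query: files.webdav.mydrive.ch IN A + (10.0.0.5)",
    "23-Dec-2024 14:02:13.777 client 10.0.0.18#51024: query: update.microsoft.com IN A + (10.0.0.5)",
    "1734962541.222    312 10.0.0.17 TCP_TUNNEL/200 4521 CONNECT kim.nl.tab.digital:443 - HIER_DIRECT/203.0.113.9 -",
    "1734962542.101    120 10.0.0.17 TCP_MISS/200 812 GET http://net-plugin.org/plugin.dat - HIER_DIRECT/203.0.113.10 application/octet-stream",
    "1734962543.555     98 10.0.0.19 TCP_MISS/200 1200 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html",
]

# "query: <name> IN <type>" as written by BIND's query log.
DNS_QUERY_RE = re.compile(r"query: (?P<name>[A-Za-z0-9.-]+) IN ")
# Method followed by the target (host:port for CONNECT, a URL otherwise). PROPFIND
# and MKCOL are included because WebDAV hosts appear in the indicator list.
PROXY_RE = re.compile(r"\b(?:CONNECT|GET|POST|PUT|PROPFIND|MKCOL) (?P<target>\S+)")


def extract_host(line):
    """Return the hostname a log line names, lower-cased, or None if it has none."""
    m = DNS_QUERY_RE.search(line)
    if m:
        return m.group("name").rstrip(".").lower()
    m = PROXY_RE.search(line)
    if m:
        target = m.group("target")
        if "://" in target:
            return (urlparse(target).hostname or "").lower() or None
        return target.split(":")[0].lower()
    return None


def matched_indicator(host, iocs=CLOUD_ATLAS_DOMAINS):
    """Return the indicator that host equals or is a subdomain of, else None.

    Matching walks label boundaries, so files.webdav.mydrive.ch hits
    webdav.mydrive.ch, while notyandisk.info does not hit yandisk.info and the
    parent mydrive.ch (not an indicator) is not flagged."""
    if host is None:
        return None
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan(lines, iocs=CLOUD_ATLAS_DOMAINS):
    """Return (line_number, host, indicator) for every line that hits an IOC."""
    hits = []
    for n, line in enumerate(lines, start=1):
        host = extract_host(line)
        ioc = matched_indicator(host, iocs)
        if ioc:
            hits.append((n, host, ioc))
    return hits


if __name__ == "__main__":
    for n, host, ioc in scan(SAMPLE_LOGS):
        print(f"line {n}: {host} -> matches indicator {ioc}")
```

Matching is deliberately limited to the listed hostname and anything beneath it, not the registrable parent domain: several of the indicators look like hostnames under shared cloud-storage providers rather than attacker-registered domains, so blocking or alerting on the parent would be overbroad. Feed the script real log files by replacing SAMPLE_LOGS with the lines read from disk.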

Attack Patterns

PowerShower - S0441

VBShower - S0442

VBCloud

Cloud Atlas

T1003.001

T1059.005

T1074

T1059.001

T1547.001

T1012

T1087

T1573

T1070

T1518

T1082

T1057

T1083

T1055

T1036

T1204

T1033

T1560

T1053

T1041

T1566

CVE-2018-0802

Additional Information

Government

Kyrgyzstan

Canada

Moldova, Republic of

Belarus

Israel

Russian Federation