Cloud Atlas using a new backdoor, VBCloud, to steal data
Dec. 23, 2024, 3:16 p.m.
Description
Cloud Atlas, a threat group active since 2014, has introduced a new backdoor, VBCloud, in a campaign targeting organisations in Eastern Europe and Central Asia. The chain starts with phishing emails carrying malicious documents that exploit CVE-2018-0802, a memory-corruption flaw in the Microsoft Office Equation Editor that Microsoft patched in January 2018; hosts with current Office updates are not affected by this stage. A successful exploit downloads and executes an HTA file, which deploys the VBShower backdoor. VBShower in turn installs two further backdoors, VBCloud and PowerShower. VBCloud reproduces the earlier capabilities of the toolset: it downloads and executes malicious plugins, communicates with its cloud-hosted command servers, and runs the tasks it is given. The campaign's goal is data theft: VBCloud collects system information and exfiltrates files, while PowerShower handles network reconnaissance and further infiltration of the victim network.
Date
Published: Dec. 23, 2024, 1:25 p.m.
Created: Dec. 23, 2024, 1:25 p.m.
Modified: Dec. 23, 2024, 3:16 p.m.
Indicators
kim.nl.tab.digital
webdav.mydrive.ch
yandisk.info
yandesktop.com
yandesks.net
web-wathapp.com
web-privacy.net
triger-working.com
sber-cloud.info
riamir.net
office-confirm.com
net-plugin.org
mirconnect.info
control-issue.net
gosportal.net
content-protect.net
Attack Patterns
PowerShower - S0441
VBShower - S0442
VBCloud
Cloud Atlas
T1003.001
T1059.005
T1074
T1059.001
T1547.001
T1012
T1087
T1573
T1070
T1518
T1082
T1057
T1083
T1055
T1036
T1204
T1033
T1560
T1053
T1041
T1566
CVE-2018-0802
Additional Information
Government
Kyrgyzstan
Canada
Moldova, Republic of
Belarus
Israel
Russian Federation