Cloud Atlas is a pro-government advanced persistent threat (APT) group that specializes in cyber espionage and theft of confidential information. The group has been active since at least 2014 and is known for targeting organizations in Russia, Belarus, Azerbaijan, Turkey, and Slovenia. They have been observed using various tactics and techniques to carry out their attacks, including spear-phishing emails with malicious attachments and exploiting vulnerabilities in popular software.
In a recent campaign, Cloud Atlas targeted a Russian agro-industrial enterprise and a state-owned research company. The hackers sent their victims phishing emails with malicious attachments, which were carefully crafted to mimic government statements, media articles, business proposals, or advertisements. The attackers used reconnaissance documents to gather the IP information of the victims and exploited CVE-2017-11882 via RTF template injection to gain initial access to the targets' systems.
Cloud Atlas is known for its simple but effective methods in carrying out spear-phishing campaigns. The group has not been observed using open-source implants in its recent campaigns, possibly to be less discriminating. The group's toolkit has not changed for years, and it continues to refine its attacks to avoid detection.
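The initial-access chain described above (an RTF attachment whose template reference points at a remote server, which then delivers an Equation Editor object for CVE-2017-11882) leaves static traces in the file itself. The triage script below is an added example for defenders; it is not code from this page, from Cloud Atlas, or from any of the referenced reports. It resolves RTF `\'hh` hex escapes before matching (a common way to hide control words and URLs), flags a `{\*\template ...}` target that is an HTTP(S) URL or UNC path, decodes `\objdata` hex to look for an Equation class name, and checks the attachment's MD5 against the IoC list on this page. All sample documents and the `example.invalid` hostname are constructed for the demonstration.

```python
import hashlib
import re

# MD5 values copied from the IoC list on this page (the SHA1 list can be added the same way).
KNOWN_MD5 = {
    "0957edfec31dd2dd05d484eed90593c7", "0a850c27c8ce24c0a6fa5bcf7504dc30",
    "27d49df3e0122152dc9a3f752a099f39", "2e950fe4bd76088f89433a6f2146cb67",
    "7bdb049cb0cc3623e4fa1d8e2574f1ce", "965d5dc42ee1efdcbc52d061624526c7",
    "9c5a6ede9b0ca906cbc121cc5496b714", "b0de9d6133d73c32b243cf716a7c614c",
    "b1995d8a9df9bd8ce23d38b0ab454580", "b3de2f04ceb97f8e9164399649433e1e",
    "cd8141f094cfb0dae11747ee9dc74a2f", "ddbc081392ffa41bcb3e7a007edf727b",
    "efd493e8ebcd66f9404338532519eb90", "f611cb1a320a9d3b5df4b70b37b0fd73",
}

# RTF hex escape \'hh: resolved first so obfuscated text matches literally.
HEX_ESC = re.compile(rb"\\'([0-9a-fA-F]{2})")
# {\*\template <target>}: the attached-template reference that template injection abuses.
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s+([^}]*)\}", re.IGNORECASE)
# A template fetched over HTTP(S) or a UNC path rather than a local file is the red flag.
REMOTE_RE = re.compile(rb"^\s*(https?://|\\\\)", re.IGNORECASE)
# {\*\objdata <hex>}: embedded OLE payload, where an Equation Editor object would sit.
OBJDATA_RE = re.compile(rb"\{\\\*\\objdata\s+([0-9a-fA-F\s]*)\}", re.IGNORECASE)


def unescape_rtf(data: bytes) -> bytes:
    """Replace every \\'hh escape with the byte it encodes."""
    return HEX_ESC.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)


def scan_rtf(data: bytes) -> dict:
    """Static triage of one RTF attachment; returns the indicators found."""
    text = unescape_rtf(data)
    result = {
        # Word also accepts the truncated "{\rt" header, so do not insist on "{\rtf1".
        "is_rtf": text.lstrip().startswith(b"{\\rt"),
        "remote_template": None,
        "ole_objects": 0,
        "equation_object": False,
    }
    for m in TEMPLATE_RE.finditer(text):
        target = m.group(1).strip()
        if REMOTE_RE.match(target):
            result["remote_template"] = target.decode("latin-1")
    for m in OBJDATA_RE.finditer(text):
        result["ole_objects"] += 1
        hexdata = re.sub(rb"\s", b"", m.group(1))
        try:
            blob = bytes.fromhex(hexdata.decode())
        except ValueError:  # odd length or junk: treat as undecodable, keep going
            blob = b""
        if b"equation" in blob.lower():
            result["equation_object"] = True
    if b"equation.3" in text.lower():  # \objclass Equation.3 declared in the clear
        result["equation_object"] = True
    result["suspicious"] = bool(result["remote_template"]) or result["equation_object"]
    return result


def md5_matches_ioc(data: bytes) -> bool:
    """True if the attachment's MD5 is one of the indicators listed on this page."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5


def triage(data: bytes) -> dict:
    """Combine structural findings with the hash lookup for one attachment."""
    report = scan_rtf(data)
    report["md5_ioc_match"] = md5_matches_ioc(data)
    return report


# Constructed samples (not real malware): remote template, hex-obfuscated remote
# template, an embedded Equation object, and a benign document with a local template.
SAMPLES = {
    "remote_template": (b"{\\rtf1\\ansi{\\info{\\*\\template http://example.invalid/t.dotm}}"
                        b"Quarterly report}"),
    "obfuscated": b"{\\rt{\\*\\template h\\'74tp://example.invalid/x}}",
    "equation_ole": (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
                     b"{\\*\\objdata 01050000020000000b0000004571756174696f6e2e3300}}}"),
    "clean": b"{\\rtf1\\ansi{\\info{\\*\\template C:\\\\Templates\\\\Normal.dotm}}Hello}",
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:16s} {triage(sample)}")
```

The regexes stop at the first closing brace, so an `\objdata` group that itself contains nested groups will not be decoded; a production scanner should use a real RTF tokenizer (or run the file through a tool such as rtfobj) and should treat any remote template target as a block-and-investigate event regardless of what the embedded object turns out to be.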
IoC
MD5
- 0957edfec31dd2dd05d484eed90593c7
- 0a850c27c8ce24c0a6fa5bcf7504dc30
- 27d49df3e0122152dc9a3f752a099f39
- 2e950fe4bd76088f89433a6f2146cb67
- 7bdb049cb0cc3623e4fa1d8e2574f1ce
- 965d5dc42ee1efdcbc52d061624526c7
- 9c5a6ede9b0ca906cbc121cc5496b714
- b0de9d6133d73c32b243cf716a7c614c
- b1995d8a9df9bd8ce23d38b0ab454580
- b3de2f04ceb97f8e9164399649433e1e
- cd8141f094cfb0dae11747ee9dc74a2f
- ddbc081392ffa41bcb3e7a007edf727b
- efd493e8ebcd66f9404338532519eb90
- f611cb1a320a9d3b5df4b70b37b0fd73
SHA1
- 07735f3da5f5847e9df43034459e3ead4c1f3f35
- 151e9e6defac4a67be8916a1e119917b69e053ac
- 3375772e3bc60614e3e398fd019c8931d2ad83c9
- 3b2109317985de28d16aef6306ba5a788eb121bf
- 44a21627eed099a55e5592509e6e3333c5d3d339
- 53cea3a93a481a710e821d9c3e087fc18fb989f9
- 6efed9d4e8ae02808bed488566f90a4ecc361546
- 7329424eba132feebba57e239000331e886b1656
- 7c8479a818ea21fc228334dfdd55044866a95026
- 85a24692089d1a8dc6354a88b6f1e08567db6b0d
- 877f95ee15adb5540d0b50509a14d1cdf89fe3e1
- a03a699031e956b4fde1ced6309b67853a54602a
- a176a164e728c929f70ab2ffa44213625ae17172
- d59f3f2b5132ff23e3fa6d88f1b97b299af38507
REFERENCES
- https://thehackernews.com/2023/12/cloud-atlas-spear-phishing-attacks.html
- https://therecord.media/cloud-atlas-targets-russian-orgs-war-phishing
- https://www.facct.ru/blog/cloud-atlas/
- https://otx.alienvault.com/pulse/658c94713412afcbac226057
TAGS
Cloud Atlas, apt, phishing, vbs, rtf, maldoc, CVE-2017-11882, HTA