Cloud Atlas Hackers Add Polymorphic Malware to Their Toolkit

February 23, 2020

Cyber-espionage group Cloud Atlas has added polymorphic malware to its arsenal to avoid having its operations detected and monitored with the help of previously collected indicators of compromise (IOCs).

The hacking group, also known as Inception [1, 2], was initially identified in 2014 by researchers from Kaspersky's Global Research and Analysis Team, and it has a history of targeting government agencies and entities from a wide range of industries via spear-phishing campaigns.

While the malware and the Tactics, Techniques, and Procedures (TTPs) Cloud Atlas uses during its operations have remained unchanged since at least 2018, the APT group has now added a new polymorphic HTML Application (HTA) malware dropper in the form of a malicious HTA, and a backdoor dubbed VBShower.

[Figure: Old Cloud Atlas infection chain]

The new infection chain Cloud Atlas employs to infect its targets has been observed by Kaspersky's research team on compromised machines owned by organizations in Central Asia, Eastern Europe, and Russia, starting in April 2019.

After successfully infiltrating a target's systems, the threat actors make use of their malware's document stealer, password grabbing, and info gathering modules to collect and exfiltrate information, which is sent to command and control (C2) servers they control.

Unlike previous campaigns operated by the threat group, which started by dropping its PowerShower PowerShell-based validator implant following the exploitation of the CVE-2017-11882 and CVE-2018-0802 flaws in Microsoft Office, the new attacks observed by Kaspersky start by downloading and launching the polymorphic HTA.

"The newly updated chain of infection postpones the execution of PowerShower until a later stage. Instead, after the initial infection, a malicious HTML app is now downloaded and executed on the target machine," says the report.

[Figure: New Cloud Atlas infection chain]

"This application will then collect initial information about the attacked computer and download and execute VBShower, another malicious module."

The VBShower backdoor, which also replaces PowerShower as a validator module, is then used to download and execute a PowerShower installer or another previously detected and analyzed Cloud Atlas second-stage backdoor installer.

Right before the second-stage installers are dropped on the compromised systems, following commands delivered by its operators, VBShower also makes sure that all evidence of the malware is erased.

"While this new infection chain is more complicated than the previous model, its main differentiator is that a malicious HTML application and the VBShower module are polymorphic," add the researchers.

This makes it possible for the hacking group to always infect their targets using modules that appear unique and new, making it a lot harder, if not impossible, for their malicious implants to be detected with the help of previously found IOCs.

[Figure: Recent Cloud Atlas targets]

"[...] IoCs have become obsolete as a reliable tool to spot a targeted attack in your network. This first emerged with ProjectSauron, which would create a unique set of IoC for each of its victims and continued with the trend of using open source tools in espionage operations instead of unique ones," says GReAT researcher Felix Aime. "Now this is continuing with this recent example of polymorphic malware. This doesn't mean that actors are becoming harder to catch, but that security skills and the defenders' toolkit needs to evolve along with the toolkit and skills of the malicious actors they are tracking."

Kaspersky's research team provides a full list of indicators of compromise (IOCs) for the current campaign, including C2 IP addresses, VBShower paths and registry keys, as well as some of the attacker e-mails detected during the recent attacks.
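The argument above, that polymorphic stages defeat file-hash IoCs while the artefacts Kaspersky still lists (drop paths, registry keys) and the stage sequence itself remain detectable, as an added illustration that is not part of the article or of Kaspersky's report. Every hash, path, registry key and host name is a constructed placeholder, and the process lineage (mshta.exe launching the HTA, wscript.exe running VBShower, then powershell.exe for PowerShower) is an assumption about how the stages described would appear in endpoint telemetry, not a detail from the article.

```python
"""Added example: hash IoCs vs. host artefacts vs. stage-chain behaviour.
All values below are constructed placeholders, not real Cloud Atlas indicators."""
import hashlib

# Constructed IoC set: one catalogued HTA hash plus artefacts that a polymorphic
# rebuild of the dropper does not change.
IOC_HASHES = {hashlib.sha256(b"HTA-variant-A").hexdigest()}
IOC_PATHS = {r"c:\users\public\example_vbshower.vbs"}   # placeholder path
IOC_REGKEYS = {r"hkcu\software\example\vbshower"}        # placeholder key

# Constructed telemetry: pc1 saw the catalogued variant A; pc2 saw a rebuilt
# variant B with a fresh hash but the same drop path, persistence key and lineage.
EVENTS = [
    {"type": "file", "host": "pc1", "sha256": hashlib.sha256(b"HTA-variant-A").hexdigest()},
    {"type": "file", "host": "pc2", "sha256": hashlib.sha256(b"HTA-variant-B").hexdigest()},
    {"type": "file_write", "host": "pc2", "path": r"C:\Users\Public\example_vbshower.vbs"},
    {"type": "registry", "host": "pc2", "key": r"HKCU\Software\Example\VBShower"},
    {"type": "process", "host": "pc2", "pid": 10, "ppid": 1, "image": "mshta.exe"},
    {"type": "process", "host": "pc2", "pid": 11, "ppid": 10, "image": "wscript.exe"},
    {"type": "process", "host": "pc2", "pid": 12, "ppid": 11, "image": "powershell.exe"},
]

def match_hash_iocs(events):
    """Pure hash matching: only the variant already catalogued is caught."""
    return {e["host"] for e in events if e["type"] == "file" and e["sha256"] in IOC_HASHES}

def match_host_iocs(events):
    """Paths and registry keys survive the rebuild; compare case-insensitively."""
    hits = set()
    for e in events:
        if e["type"] == "file_write" and e["path"].lower() in IOC_PATHS:
            hits.add(e["host"])
        if e["type"] == "registry" and e["key"].lower() in IOC_REGKEYS:
            hits.add(e["host"])
    return hits

def match_stage_chain(events, chain=("mshta.exe", "wscript.exe", "powershell.exe")):
    """Behavioural rule (assumed lineage): walk each process up its parents and
    report hosts where the full HTA -> VBScript -> PowerShell chain appears."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    hits = set()
    for (host, _pid), leaf in procs.items():
        node, ok = leaf, True
        for image in reversed(chain):           # leaf first, then its ancestors
            if node is None or node["image"].lower() != image:
                ok = False
                break
            node = procs.get((host, node["ppid"]))
        if ok:
            hits.add(host)
    return hits
```

Run against the constructed events, hash matching flags only pc1, while the host-artefact and lineage rules both flag pc2, the machine hit by the rebuilt variant.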