Cloud Atlas Uses Polymorphic Techniques to Avoid DetectionAPT Group Adds New Infection Chain to Its Usual Malware and Tactics
The group behind the Cloud Atlas advanced persistent threat campaigns, which were first detected five years ago, is now deploying polymorphic techniques designed to avoid monitoring and detection, according to researchers at Kaspersky Lab's global research and analysis team.
The cyber espionage group, also known as Inception, is expanding its targets beyond government and religious organizations to include those in the international economics and aerospace industries, the researchers say.
The polymorphic techniques in a malicious HTML application and a new backdoor called VBShower make detecting the malware more difficult because the code in the modules is unique in each instance of infection, the researchers say. Malware using such techniques can slip past security solutions that rely on standard indicators of compromise, they add.
"The use of polymorphic codes prevent the possibility of finding attackers by using common IOC such as file hashes, file name, etc.," Felix Aime, a Kaspersky security researcher, tells Information Security Media Group. "Nowadays, cyberattackers use victim-specific codes - producing different filenames and file hashes for each victim - in order to prevent this kind of correlation."
Keeping Tactics and Malware the Same
Cloud Atlas' malware and its tactics, techniques and procedures haven't changed much since 2018, but the use of the polymorphic techniques is part of an updated infection chain, Kaspersky researchers write in a blog post. Cloud Atlas also is continuing to use these tactics against high-value targets, although it appears to be expanding the types of organizations it's targeting with its cyber espionage operations.
For years, the group has attacked government and religious organizations in many countries, including Russia, Romania, Ukraine, Afghanistan, Turkey and Portugal. But its most recent attacks in Eastern Europe, Central Asia and Russia have targeted organizations in the international economics and aerospace industries as well, the Kaspersky researchers say.
The goal of the attacks is to access systems and collect information, log passwords and exfiltrate recent .txt, .pdf, xls .doc files to its own command-and-control server.
Although Cloud Atlas' tactics haven't changed in any dramatic way, its methods of infection have evolved, the researchers say. Below is a diagram of the group's old infection chain used before a new wave of attacks beginning in April:
The old attacks began with a spear-phishing email containing a malicious attachment. Once in the system, the PowerShower malware was deployed to investigate the compromised system and download additional malicious modules, exploiting the CVE-2017-11882 and CVE-2018-0802 flaws in Microsoft Office software.
The updated infection chain used in recent attacks takes a different approach, as seen in the diagram below:
In the newer campaigns, the initial infection remains the same, but the deployment of PowerShell doesn't happen until later, the researchers explain. Instead, the initial infection is followed by dropping the malicious HTA to collect the initial information about the attacked system. VBShower, another malicious module that erases any trace of the malware in the system and communicates with the attackers via the command-and-control servers on additional actions, also is downloaded. VBShower then downloads and executes either the PowerShower backdoor or Stage2, another second-stage backdoor.
The Polymorphic Challenge
It's in these additional steps that the polymorphic techniques appear, which create challenges for security solutions.
"Polymorphic malware dates back to at least 1990, so it's been around for a significant time," Richard Gold, head of security engineering at cybersecurity vendor Digital Shadows, tells ISMG. "It's a fairly common technique to use, and even very popular public frameworks such as Metasploit have the capability to generate polymorphic code."
When used by bad actors, "it is used to generate a unique set of code, and thereby a unique hash (such as MD5 or SHA256) per infection," Gold says. "This means that anti-virus [solutions] can no longer rely exclusively on static signatures, but rather need to use dynamic analysis techniques in order to catch polymorphic malware."
The evolution of the infection chain and the expanded target list shows that Cloud Atlas "is still a prominent threat against governments and strategic industries such as aerospace," Kaspersky's Aime says. "Cloud Atlas follows the evolution of the security industry and protection solutions, trying to stay under the radar by using victim specific malwares."
But it's not surprising that the group's malware and tactics have remained the same.
"Why change something that works for most of the compromise? ... It's simply a matter of not fixing something that is still not detected by different security solutions 'protecting' the targets," he says. "Cloud Atlas is not the only one that use the same implants even years after its discovery."
The challenge for organizations is how to protect themselves against such attacks when IOCs are no longer as useful. Aime said tools such as endpoint detection and response solutions, Windows Software Restriction Policies, Group Policy Objects and host firewalls can play an important role.
Digital Shadows' Gold says that modern EDR and next-generation anti-virus systems "do more than just matching signatures and use heuristics and in-memory scanning techniques to catch malware which uses polymorphic techniques to evade detection. They use a combination of static and dynamic analysis in order to catch malware using these polymorphic techniques."