Dismiss this notice
Avast Premier Photo Caption - [Only registered and activated users can see links Click here to register]

Dismiss this notice
FastestVPN Accounts Giveaway - [Only registered and activated users can see links Click here to register]

Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Recent Cloud Atlas activity
[Image: Recent-Cloud-Atlas-activity-1.png]

Also known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. We first reported Cloud Atlas in 2014 and we’ve been following its activities ever since.

From the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts.

Cloud Atlas hasn’t changed its TTPs (Tactic Tools and Procedures) since 2018 and is still relying on its effective existing tactics and malware in order to compromise high value targets.

The Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high profile victims. These emails are crafted with Office documents that use malicious remote templates – whitelisted per victims – hosted on remote servers. We described one of the techniques used by Cloud Atlas in 2017 and our colleagues at Palo Alto Networks also wrote about it in November 2018.

Previously, Cloud Atlas dropped its “validator” implant named “PowerShower” directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. During recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed five years ago in our first blogpost about them and which remains unchanged.

Let’s meet PowerShower

PowerShower, named and previously disclosed by Palo Alto Networks in their blogspot (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage. The differences in the two versions reside mostly in anti-forensics features for the validator version of PowerShower.
[Only registered and activated users can see links Click here to register]
[-] The following 1 user Likes harlan4096's post:
  • silversurfer

Forum Jump:

Users browsing this thread: 1 Guest(s)
You have to register before you can post on our site.



Recent Posts
FastMove v 1.2019.807 [for PC]
Move your files...ismail — 16:21
Vision Pro[for PC]
About Vision Pro:...ismail — 16:13
Qihoo 360 Total Security
360 Total Security...harlan4096 — 16:09
Ashampoo Undeleter 1.11[for PC]
  Ashampoo Undelet...ismail — 16:04
GFYI [Official] FastestVPN Accounts Giv...
"WHY do you wan...kubik67 — 11:44

Today's Birthdays
avatar (41)Susanskymn
avatar (35)stepaRurry
Upcoming Birthdays
avatar (33)emogig
avatar (35)Isabelle88Nes
avatar (35)ferpuMip
avatar (32)kinotExaro
avatar (44)HerbertPab
avatar (33)JasonSoult

Online Staff
harlan4096's profile harlan4096