Cloud Atlas, a persistent cyber espionage group operating since at least 2014, has been identified in a recent report by F.A.C.C.T. as the culprit behind a series of spear-phishing attacks targeting Russian enterprises.
The targets encompass a Russian agro-industrial enterprise and a state-owned research company, shedding light on the threat actor’s ongoing interest in strategic sectors.
Historical Context of Cloud Atlas
Known by various aliases such as Clean Ursa, Inception, Oxygen, and Red October, Cloud Atlas has a track record of cyber campaigns targeting Russia, Belarus, Azerbaijan, Turkey, and Slovenia.
The threat actor’s longevity reflects its adaptability and resilience against detection.
Attack Vector and Techniques
Recent findings from December 2022 by Check Point and Positive Technologies documented a multi-stage attack by Cloud Atlas.
The attack vector involved a phishing message housing a lure document exploiting CVE-2017-11882, an aging memory corruption flaw in Microsoft Office’s Equation Editor.
[Figure: kill chain of APT Cloud Atlas attacks]
This flaw serves as a gateway for executing malicious payloads, a tactic Cloud Atlas has employed since at least October 2018.
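As an added illustration from the defender's side (not part of the report above), the following pass over process-creation logs flags the pattern that exploitation of CVE-2017-11882 leaves behind: a child process spawned by the Equation Editor binary. The log lines are constructed, and the Sysmon-style field names are an assumption.

```python
# Added example (not from the F.A.C.C.T. report): a small detection pass over
# process-creation telemetry that flags child processes of Microsoft Office's
# Equation Editor (EQNEDT32.EXE). Exploitation of CVE-2017-11882 runs attacker
# code inside that process, so a cmd.exe or powershell.exe spawned under it is
# a strong indicator; the legitimate Equation Editor has no reason to launch one.
import json

def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_equation_editor_child(event: dict) -> bool:
    """True for a process-creation event whose parent is EQNEDT32.EXE."""
    return (event.get("EventID") == 1
            and basename(event.get("ParentImage", "")) == "eqnedt32.exe")

def find_suspicious(lines):
    """Return the base names of every process spawned by Equation Editor."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a malformed line instead of aborting the scan
        if is_equation_editor_child(event):
            hits.append(basename(event.get("Image", "")))
    return hits

# Constructed sample events in the shape of Sysmon Event ID 1 (not real logs).
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SAMPLE_LINES = [json.dumps(e) for e in [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Normal launch: Equation Editor is started via DCOM, so its parent is svchost.exe.
    {"EventID": 1, "Image": EQNEDT, "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # Post-exploitation pattern: a shell spawned by the Equation Editor process.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": EQNEDT},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": EQNEDT},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]] + ["not json at all"]

if __name__ == "__main__":
    for child in find_suspicious(SAMPLE_LINES):
        print(f"ALERT: EQNEDT32.EXE spawned {child}")
```

Patching the Equation Editor vulnerability (or removing the component) is the mitigation; the rule above is a compensating detection for hosts where that has not happened.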
Spear-Phishing Tactics
Cloud Atlas continues to leverage spear-phishing as a primary method, utilizing simple yet effective techniques to compromise its targets.
The group’s avoidance of open-source implants and preference for one-time payload requests contribute to its evasion of detection, distinguishing it from other intrusion sets.
Using popular Russian email services, such as Yandex Mail and VK’s Mail.ru, in phishing campaigns adds a layer of authenticity to their tactics.
Analysis of the Evolving Chameleon Android Banking Trojan
A recent report from ThreatFabric sheds light on a new iteration of the Chameleon Android banking trojan, revealing enhanced capabilities and an expanded target landscape.
First detected in early 2023, the malware initially focused on mobile banking applications in Australia and Poland. However, it has since widened its scope to include the UK and Italy.
Early Traits and Development
In its initial discovery, Chameleon exhibited characteristics typical of a work-in-progress. It employed multiple loggers, displayed limited malicious functionality, and contained unused commands, indicating an ongoing development phase.
The trojan used a proxy feature and abused Accessibility Services, enabling attackers to execute Account Takeover (ATO) and Device Takeover (DTO) attacks, primarily focusing on banking and cryptocurrency applications.
Distribution Tactics
Chameleon’s mode of distribution involved phishing pages masquerading as legitimate applications. Leveraging a legitimate content distribution network (CDN) for file distribution added sophistication to its deceptive tactics.
Zombinder Integration
ThreatFabric’s recent findings point to the use of Zombinder, a dropper-as-a-service (DaaS), for distributing the updated Chameleon variant.
Zombinder samples employ a sophisticated two-stage payload process, incorporating the Hook malware family alongside Chameleon.
Advanced Features in the New Variant
The latest Chameleon variant introduces a critical feature – a device-specific check triggered upon receiving a command from the command-and-control (C&C) server. This specifically targets the ‘Restricted Settings’ protections introduced in Android 13.
The Trojan prompts the victim to enable the Accessibility service through an HTML page, facilitating DTO attacks.
Beware of the Evolution of Techniques
Despite the passage of time, Cloud Atlas has demonstrated a reluctance to alter its toolkit significantly. Instead, the group focuses on concealing its malware from researchers by employing one-time payload requests and validating them.
Using legitimate cloud storage and well-documented features within Microsoft Office allows Cloud Atlas to circumvent network and file attack detection tools effectively.
The updated variant of Chameleon incorporates task scheduling using the AlarmManager API, a common feature observed in banking trojans but implemented uniquely.
Without the Accessibility option, the malware collects information on user apps, identifies the foreground application, and displays overlays using the ‘Injection’ activity.
What do you think about the negligence of companies considering cyber security as their strategic plan?