An ancient cybercriminal group has awakened and is attacking Russian enterprises

Brother

Experts from F.A.C.C.T. prevented two attacks aimed at Russian organizations. They are allegedly backed by a Russian-speaking APT group that has been active for more than ten years.

Atlas of attack stages

Experts from F.A.C.C.T. (formerly Group-IB) reported a large-scale phishing campaign targeting Russian enterprises. So far, attempted attacks on an agro-industrial company and a state-owned research company are known. F.A.C.C.T. attributes the attack to the cyber espionage group Cloud Atlas, which is also known as Clean Ursa, Inception, Oxygen and Red October.

Operators of this group have repeatedly tried to attack enterprises not only in Russia, but also in Belarus, Azerbaijan, Turkey and Slovenia.

Cloud Atlas is an APT group that has been active since at least 2014 (and most likely much earlier) and specializes in cyber espionage and theft of confidential information. Its main attack vector is a targeted (spear-phishing) email with a malicious attachment. This time, the attackers “used addresses registered through the popular mail services [email protected] and [email protected] and two current topics: support for SVO participants and military registration,” says F.A.C.C.T.'s Russian-language publication.

When the user opens the document attached to the email, it downloads a remote template via a link: an RTF file containing an exploit for the old vulnerability CVE-2017-11882. Exploiting this “bug” launches shellcode, which in turn loads an obfuscated HTA file (HTML Application). The HTA creates the file %APPDATA%\Microsoft\Windows\khaki.xml and stores the files khakiing.vbs, khaki.vbs, khaki.hxn and khakiinit.vbs in its NTFS alternate data streams.
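The first link in this chain, the attached document pulling its template from a remote host, is visible in the document's own package metadata before anything runs. As an added defender's example (not F.A.C.C.T.'s tooling or code from the article), the Python script below opens a .docx, reads its relationship parts and reports any attachedTemplate relationship whose target lives on another host. The sample documents it builds in memory, the template URL and the helper names are constructed for illustration.

```python
# Added example: flag Office documents that load a template from a remote host
# (the delivery step described above). Not F.A.C.C.T.'s tooling; the sample
# documents, URL and helper names below are constructed for illustration.
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def is_remote_target(target: str) -> bool:
    """True when the target lives on another host (URL or UNC path), not the local disk.

    Legitimate documents also carry an attachedTemplate relationship with
    TargetMode="External", usually pointing at a local Normal.dotm, so the
    scheme and host decide, not the External flag alone.
    """
    if target.startswith("\\\\") or target.startswith("//"):
        return True                                   # UNC share
    parsed = urlparse(target)
    if parsed.scheme in ("http", "https", "ftp"):
        return True
    return parsed.scheme == "file" and bool(parsed.netloc)   # file://server/share


def find_remote_templates(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (rels part, target) for every attachedTemplate that points off-host."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"
                        and is_remote_target(rel.get("Target", ""))):
                    hits.append((name, rel.get("Target")))
    return hits


def build_docx(settings_rels: str) -> bytes:
    """Constructed minimal package with only the parts this check reads (not a full Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


def rels_xml(target: str) -> str:
    """Relationship part declaring an attached template at the given target."""
    return (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{target}" TargetMode="External"/></Relationships>')


# Constructed samples: a lure that fetches its template over HTTP and a benign
# document whose template is the local Normal.dotm.
REMOTE_URL = "http://template-host.invalid/khaki.rtf"   # placeholder, not a real IoC
LURE_DOCX = build_docx(rels_xml(REMOTE_URL))
BENIGN_DOCX = build_docx(rels_xml(
    "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm"))

if __name__ == "__main__":
    for label, doc in (("lure", LURE_DOCX), ("benign", BENIGN_DOCX)):
        print(label, find_remote_templates(doc) or "no remote template")
```

The scheme-and-host test matters in practice: a document saved from a user-customised template carries the same attachedTemplate relationship with TargetMode="External", but its target is a local file path, so flagging on the External flag alone would drown the hunt in false positives. For a mail-gateway or sandbox check, run `find_remote_templates` over the attachment bytes and treat any hit as a reason to hold the message.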

The stream khaki.xml:khaki.hxn contains the so-called “payload”: VBS code designed to download the next stage from the attackers’ server and hand control to it. According to the F.A.C.C.T. publication, the next stage is also VBS code, but the experts were unable to intercept it.

The .hxn file described above handles persistence on the system and network communication with the attacker’s server; all of these actions run in an endless loop.

Language: Russian, qualification: high

Cloud Atlas has attracted attention many times in recent years. Whoever is behind this APT group, these are clearly people who speak Russian and are highly qualified.

Apparently, they were also behind the Red October operation, described in 2013 by Kaspersky Lab experts.

In December 2022, in their own analysis, Positive Technologies experts noted that Cloud Atlas operators tend not to change their tools for a very long time. And, as can be seen, the vulnerability exploited this time cannot be called new either.

“It’s obvious that Cloud Atlas operators know how slow it is to update office suites in the organizations they target,” says SEQ CTO Alexey Vodyasov. According to him, the main means of delivering malware remains phishing, which does not lose its effectiveness despite the abundance of publications about it or the numerous technical means for its prevention. “However, in this case, the attacks were prevented thanks to the XDR system, which is at least a little encouraging,” concluded Alexey Vodyasov.

And indeed, according to the authors of the F.A.C.C.T. publication, the attacks mentioned above on a government organization and an agro-industrial company in Russia were stopped.