Cloud Atlas is a long-running espionage group that targets government organizations in Russia, Belarus, Azerbaijan, Turkey, and Slovenia. Its campaigns open with phishing documents that pull a remote Office template and then unfold in stages: memory-resident loaders, modular payloads fetched from control servers, and cloud-based C2 over OpenDrive. The group prefers to abuse legitimate Microsoft Office features (remote templates, Equation Editor) rather than drop an obvious payload, which keeps the first stage below the radar of attachment-based detection. #CloudAtlas #PowerShower #CVE201711882 #LentaRu #OpenDrive #TemplateInjection
Keypoints
- Cloud Atlas targets government sectors in Russia, Belarus, Azerbaijan, Turkey, and Slovenia; the goal is espionage and theft of confidential data.
- The initial vector is a phishing email with a malicious attachment, usually themed on a geopolitical issue relevant to the target country.
- The malicious documents use Template Injection: the document itself carries no payload and instead links to a remote template, which in some cases is an RTF template that exploits CVE-2017-11882 (Equation Editor); HTA, VBS, and LNK components then run the payloads.
- Attack chains combine remote template downloads, HTA loading, Equation Editor exploits, memory-resident loaders, and modular payloads fetched from remote servers by PowerShell, VBScript, or macros.
- C2 traffic goes through a COM XMLHTTP client (instantiated via CLSID_IServerXMLHTTPRequest2) over an AES-encrypted channel to a control server hosted on the OpenDrive cloud service, with distinct request types for module loading and data transfer.
- Collection covers a wide range of file types (documents, spreadsheets, PDFs, images) on local disks and on network shares, the latter after discovering remote paths; the files are then exfiltrated.
- Infrastructure consists of several control servers (e.g., checklicensekey.com, translate-news.net) plus content hosted on cloud storage; some servers are disguised as legitimate sites, and tempmail accounts are used to register them.
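The Template Injection stage described above leaves a fixed artifact in the document: a relationship of type attachedTemplate in word/_rels/settings.xml.rels whose Target is an external URL or UNC path, referenced from w:attachedTemplate in word/settings.xml. The script below is an added triage example (not Cloud Atlas tooling and not code from the original report) that parses a .docx/.dotx package and returns every attachedTemplate relationship pointing off the local machine, while ignoring the perfectly normal local Normal.dotm attachment and ordinary external hyperlinks. The .docx it builds to test itself is constructed here, and the example.invalid URL, the 10.0.0.5 UNC server and the file names are placeholders.

```python
"""Flag OOXML documents whose attached template is fetched from a remote location."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"
HYPERLINK = OFFICE_REL + "hyperlink"


def is_remote_target(target):
    """True if a relationship Target points off the local machine.

    Word fetches http(s)/ftp URLs and UNC paths over the network; a local
    template such as file:///C:/Users/.../Normal.dotm stays on disk."""
    t = target.strip()
    if re.match(r"(?i)^(https?|ftp)://", t):
        return True
    if t.startswith("\\\\") or t.startswith("//"):      # UNC path \\server\share\x.dotm
        return True
    m = re.match(r"(?i)^file://([^/\\]+)", t)            # file://server/share, not file:///C:/
    return bool(m and m.group(1).lower() != "localhost")


def find_remote_templates(docx_bytes):
    """Return [(rels_part, target)] for every attachedTemplate relationship
    whose TargetMode is External and whose target is remote."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode", "Internal") == "External" and is_remote_target(target):
                    hits.append((part, target))
    return hits


def build_sample_docx(template_target):
    """Constructed minimal .docx (not a real Cloud Atlas sample) whose settings
    part attaches a template at `template_target`. It also carries an external
    hyperlink, which a correct detector must not report."""
    pkg_rels = ('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%sofficeDocument" '
                'Target="word/document.xml"/></Relationships>' % (REL_NS, OFFICE_REL))
    doc_rels = ('<Relationships xmlns="%s">'
                '<Relationship Id="rId1" Type="%ssettings" Target="settings.xml"/>'
                '<Relationship Id="rId2" Type="%s" Target="https://example.invalid/" TargetMode="External"/>'
                '</Relationships>' % (REL_NS, OFFICE_REL, HYPERLINK))
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="%s"><w:attachedTemplate r:id="rId1"/></w:settings>' % OFFICE_REL[:-1])
    settings_rels = ('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                     'Target="%s" TargetMode="External"/></Relationships>'
                     % (REL_NS, ATTACHED_TEMPLATE, template_target))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                   '<Default Extension="xml" ContentType="application/xml"/></Types>')
        z.writestr("_rels/.rels", pkg_rels)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for target in ("http://example.invalid/templates/update.dotm",
                   r"\\10.0.0.5\share\update.dotm",
                   "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm"):
        print("%-75s -> %s" % (target, find_remote_templates(build_sample_docx(target))))
```

Running the same function over a real mail attachment (open the file and pass its bytes) gives the template URL before Word ever contacts it, which is the point at which the remote RTF stage with the Equation Editor exploit can still be blocked or retrieved for analysis.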
MITRE Techniques
- [T1583] Acquire Infrastructure – Cloud Atlas used its own servers to host the remote templates and cloud storage as a control server.
- [T1585] Establish Accounts – The group registered cloud service accounts and tempmail mailboxes for that infrastructure.
- [T1566.001] Phishing: Spearphishing Attachment – The group sent phishing emails carrying malicious attachments.
- [T1204.002] User Execution: Malicious File – The attachments are DOC and DOCX files that the victim has to open. “phishing emails with malicious DOC and DOCX files.”
- [T1559.001] Inter-Process Communication: Component Object Model – The group's tools are built on COM components, including the XMLHTTP client used for C2. “COM components in their tools.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell scripts load and run the group's components. “PowerShell scripts to load and run their components.”
- [T1059.005] Command and Scripting Interpreter: Visual Basic – Visual Basic scripts load and run the group's components. “Visual Basic scripts to load and run their components.”
- [T1203] Exploitation for Client Execution – Remote RTF templates exploit the Equation Editor vulnerability (CVE-2017-11882) to launch the group's components. “vulnerability in Equation Editor … exploit payload.”
- [T1221] Template Injection – The delivered document carries no payload itself; it links to a remote template that Word fetches when the document is opened. “Template Injection attack.”
- [T1140] Deobfuscate/Decode Files or Information – Components are stored encrypted and are decrypted on the host before use, to hinder discovery and analysis. “encrypts its components to protect them from discovery and analysis.”
- [T1025] Data from Removable Media – The group's tools collect files from removable media.
- [T1039] Data from Network Shared Drive – The group's tools collect files from network shares, after discovering remote paths.
- [T1005] Data from Local System – The group collects files from the local file system.
- [T1560.002] Archive Collected Data: Archive via Library – Collected data is compressed with LZNT1, the Windows RtlCompressBuffer format.
- [T1560.003] Archive Collected Data: Archive via Custom Method – Collected data is then encrypted with a custom algorithm.
- [T1119] Automated Collection – Collection from infected machines runs automatically rather than on operator command.
- [T1573.001] Encrypted Channel: Symmetric Cryptography – Network communication is hidden with AES encryption. “AES encryption to hide network communication.”
- [T1041] Exfiltration Over C2 Channel – Collected data is transferred over the same C2 channel.
- [T1102] Web Service – The OpenDrive cloud service acts as the control server. “OpenDrive cloud service as a control server.”
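The T1560.002 entry above matters to an analyst because a Cloud Atlas collection blob that has been pulled off a host or out of a C2 capture is still LZNT1-compressed once the custom encryption layer is removed, and that step has to be undone before the stolen files can be identified. The following is an added decompressor (written for this summary, not code from the report or from the group's tooling) implementing the LZNT1 format as documented in MS-XCA: a stream of chunks, each with a 2-byte header (bit 15 = compressed, bits 12..14 = signature 3, bits 0..11 = chunk size minus one), where compressed chunks are runs of one flag byte followed by eight tokens that are either a literal byte or a 16-bit back-reference whose offset/length split shifts as the chunk's output grows. The sample buffer at the bottom is hand-encoded here to exercise the overlapping-copy case; it is not data from any real sample.

```python
"""LZNT1 (RtlCompressBuffer / MS-XCA) decompressor for analysing archived collection data."""
import struct


def _decompress_chunk(chunk):
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]
        i += 1
        for bit in range(8):                     # one flag bit per token, LSB first
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:           # 0 = literal byte
                out.append(chunk[i])
                i += 1
                continue
            if i + 2 > len(chunk):
                raise ValueError("truncated back-reference at chunk offset %d" % i)
            token = struct.unpack_from("<H", chunk, i)[0]
            i += 2
            # The offset field widens (and the length field narrows) as more output
            # exists to reference: 4 offset bits for the first 16 bytes, 5 up to 32, ...
            p = len(out) - 1
            len_mask, off_shift = 0x0FFF, 12
            while p >= 0x10:
                len_mask >>= 1
                off_shift -= 1
                p >>= 1
            length = (token & len_mask) + 3
            offset = (token >> off_shift) + 1
            if offset > len(out):
                raise ValueError("back-reference of %d bytes before chunk start" % offset)
            start = len(out) - offset
            for k in range(length):              # byte-wise copy: handles length > offset overlap
                out.append(out[start + k])
    return out


def lznt1_decompress(data):
    """Decompress a complete LZNT1 stream; stops at a zero header or end of input."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        hdr = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if hdr == 0:                             # end-of-stream marker
            break
        if (hdr >> 12) & 0x7 != 3:               # signature bits must be 011 per MS-XCA
            raise ValueError("bad chunk signature 0x%04x at offset %d" % (hdr, pos - 2))
        size = (hdr & 0x0FFF) + 1
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk at offset %d" % pos)
        pos += size
        out += _decompress_chunk(chunk) if hdr & 0x8000 else chunk
    return bytes(out)


# Constructed sample (not real attacker data): chunk 1 is compressed and encodes
# "ABC" as literals plus a back-reference (offset 3, length 9) that overlaps itself;
# chunk 2 is stored uncompressed ("XYZ"); the stream ends with a zero header.
SAMPLE = bytes([
    0x05, 0xB0,                    # header: compressed, signature 3, size 6
    0x08,                          # flags: tokens 0-2 literal, token 3 back-reference
    0x41, 0x42, 0x43,              # "ABC"
    0x06, 0x20,                    # token 0x2006: offset (2+1)=3, length (6+3)=9
    0x02, 0x30,                    # header: uncompressed, signature 3, size 3
    0x58, 0x59, 0x5A,              # "XYZ"
    0x00, 0x00,                    # end of stream
])

if __name__ == "__main__":
    print(lznt1_decompress(SAMPLE))
```

When carving decrypted blobs, the signature check is what tells a correct chunk boundary from random bytes: a real LZNT1 stream written by RtlCompressBuffer always has the 011 signature in every chunk header, so a mismatch usually means the decryption step or the offset into the blob is wrong rather than the data being corrupt.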
Indicators of Compromise
- [File] Guidelines for consignors-consignees (2022).doc – SHA256 f2c4281e4d6c11173493b759adfb0eb798ce46650076e7633cf086b6d59fdb98, MD5 b3f55d9065dd51a8be2d6c5078866086, SHA1 9f4a18adaa094eef06ef88e76b6f4ed777f677e7
- [File] Stay_alert_Corporate_Notice.doc – SHA256 482aeb3db436e8d531b2746a513fe9a96407cf4458405680a49605e136858ec5, MD5 3399deafaa6b91e8c19d767935ae0908, SHA1 b745032dd5cd6f7eba2187fa3c86c775953a5611
- [File] Iranian assessments of V. Putin’s visit to Tehran.doc – SHA256 2f97374c76ae10c642a57a8b13d25cbdc070c9098c951ea418d1533ac01dc23c, MD5 61b6e2040d5815d0135b2850137828d9, SHA1 df80df54f94d56aa436cdc2713e3bc8160ce43f8
- [File] Почему исламский мир не дает Западу изолировать Россию.doc (“Why the Islamic world does not let the West isolate Russia.doc”) – SHA256 3cf2bda35e88c59bb89e7fdc8fcfd4c46b2b9186e61325d2924e049d775b741f, MD5 2b5cec8715e92d87bf6992e003a5651c, SHA1 9fc804b58ab43fc5f453810a30ea311fc3f5cbe6
- [File] leptophis[1].doc – SHA256 c0e154b10d70b99b5616a2eda6bfe188a49f85ed3aa92d48ec9ce709df9d563f, MD5 470c1df23bd825c6e36e1cd5936db912, SHA1 ba9fc2f0d9f0fcf726a2cbc426f570bea5f22c96
- [File] lep[1].hta – SHA256 a4194555b19ea32680cc23f8f7d42da02b82eba8b64cb5f4630110f4e2c1ddf3, MD5 66ecc2285e9d172ceb9f0b0ba030c65c, SHA1 b5cc0a7ff0d8cd151545cbabcaf23c5486acec95
- [File] unbroken.vbs – SHA256 59066dc428cde7cc55f3c24c2658d3e288f3f072811d86243a85af14bd482744, MD5 7ce01fc92fc221cad338cea1cfd43a22, SHA1 9579b7f3a98657f704575aa4a08ed6ff3d8680a4
- [File] unbroken.vbs.vbs – SHA256 4cb6e224b6b03a2f6ac1ac23e6bf097067018b90493ee94f210f66fbbbbdce77, MD5 1aa04f847bd7ec987986ec6e52966b89, SHA1 8e23ac686bbc958dd85e46a2d4bb6acaee5aa35f
- [File] list.ps1 – SHA256 2233c0d4030cc728c2219b1e9c4c05cb262e2ddc7f4ac2f2924767396418c25a, MD5 d5a40e2986efd4a182bf564084533763, SHA1 89364b9d170ab90d25d30649582679c3d7332b91
- [Network] api-help.com – domain listed as Cloud Atlas infrastructure
- [Network] driver-updated.com – domain listed as Cloud Atlas infrastructure
- [Network] sync-firewall.com – domain listed as Cloud Atlas infrastructure
- [Network] system-logs.com – domain listed as Cloud Atlas infrastructure
- [Network] technology-requests.net – domain listed as Cloud Atlas infrastructure
- [Network] translate-news.net – control server domain
- [Payload filename] callicrates – payload file name seen in the malware configuration
- [Payload filename] tinh – payload file name seen in the malware configuration