Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine – Check Point Research

Cloud Atlas (Inception) is a long-running cyber-espionage group whose focus has narrowed since 2021–2022 to Russia, Belarus, and contested regions of Ukraine and Moldova, including Crimea, Donetsk/Luhansk, and Transnistria. Over the past year it staged targeted intrusions that start with spear-phishing documents pulling remote templates, introduced a DLL that proxies connections between compromised peers, and relied on cloud storage (OpenDrive over WebDAV) for C2 and payload delivery, illustrating a region-focused yet persistent operation. #CloudAtlas #Inception #PowerShower #OpenDrive #WebDAV #Transnistria #Russia #Belarus

Keypoints

  • Cloud Atlas has continuously targeted government, diplomatic, energy, and industrial entities, with a recent emphasis on Russia, Belarus, and conflict areas (Crimea, Lugansk, Donetsk, Transnistria).
  • The group’s basic TTPs have remained relatively stable over time, but their target scope and regional focus have shifted with geopolitical developments.
  • A newly observed tool extends their capabilities: a DLL (rtcpsvc.dll) used to proxy connections between peers, enabling relay of commands through compromised machines.
  • Initial access is achieved via spear-phishing emails with malicious attachments that retrieve remote templates, often whitelisted to the target to evade analysis.
  • PowerShower, a PowerShell-based backdoor, remains a core component, with proxy awareness and XML/PowerShell command execution features, plus simple obfuscation.
  • Cloud Atlas uses OpenDrive (WebDAV) for C2 and payload delivery, storing victim environment data as files and retrieving subsequent payloads from configured URIs.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – “Cloud Atlas has used spear-phishing emails containing malicious attachments as their initial attack vector for many years.”
  • [T1059.001] PowerShell – “The next stage of a Cloud Atlas attack is usually a PowerShell-based backdoor called PowerShower.”
  • [T1090] Proxy – “PowerShower proxy awareness: if a proxy is enabled on the infected machine, the malware uses it when issuing the requests to the C&C server.”
  • [T1027.001] Obfuscated/Compressed Files and Information – “PowerShower is stored on the disk with simple obfuscation of Base64-encoding and string concatenation.”
  • [T1567.002] Exfiltration to Cloud Storage – “the malware uses cloud storage providers to communicate via WebDAV protocol. In the samples we observed, Cloud Atlas used OpenDrive as its service of choice.”
  • [T1003.003] NTDS Credential Dumping – “the actors extract the snapshot of its database using the ntdsutil utility and copy it to their server for offline analysis and extraction of password hashes.”
  • [T1021.001] Remote Services: RDP – “the attackers use the infected computers of ordinary users, from which they then connect via RDP to the domain controller.”
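The two WebDAV-related points above (PowerShower storing victim environment data as files on OpenDrive and then fetching the next payload from configured URIs) give defenders a sequence to look for in proxy logs: an upload to a cloud WebDAV host followed by a download from the same host by the same client. The script below is an added detection example, not code from the report or from Check Point; the log format and the log lines are constructed, and the assumption that OpenDrive's WebDAV service is served under opendrive.com is marked in a comment.

```python
import re
from collections import defaultdict

# Constructed proxy-log lines (sample data, not from the report):
# timestamp client method url user-agent
SAMPLE_LOG = """\
2022-11-03T09:12:44Z 10.0.5.23 GET https://www.example.org/index.html Mozilla/5.0
2022-11-03T09:13:01Z 10.0.5.23 PROPFIND https://webdav.opendrive.com/inbox/ Microsoft-WebDAV-MiniRedir/10.0.19041
2022-11-03T09:13:02Z 10.0.5.23 PUT https://webdav.opendrive.com/inbox/host-info.txt Microsoft-WebDAV-MiniRedir/10.0.19041
2022-11-03T09:15:40Z 10.0.5.41 GET https://files.example.com/report.pdf Mozilla/5.0
2022-11-03T09:16:05Z 10.0.5.23 GET https://webdav.opendrive.com/inbox/next-stage.xml Microsoft-WebDAV-MiniRedir/10.0.19041
2022-11-03T09:20:11Z 10.0.5.77 PROPFIND https://webdav.opendrive.com/share/ Mozilla/5.0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<ua>.*)$")
# Assumption: OpenDrive's WebDAV service is reached under opendrive.com; extend for other providers.
CLOUD_WEBDAV_HOST = re.compile(r"(^|\.)opendrive\.com$", re.IGNORECASE)
# WebDAV verbs that write data to the remote store (victim info being dropped as files).
UPLOAD_METHODS = {"PUT", "MKCOL", "PROPPATCH", "MOVE", "COPY"}

def host_of(url):
    """Extract the lower-cased host part of an absolute URL ('' if unparseable)."""
    m = re.match(r"^[a-z]+://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def cloud_webdav_events(log_text):
    """Yield (client, method, url) for every request that reaches a cloud WebDAV host."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and CLOUD_WEBDAV_HOST.search(host_of(m["url"])):
            yield m["client"], m["method"], m["url"]

def suspicious_clients(log_text):
    """Return {client: [urls]} for clients that uploaded to cloud WebDAV and later downloaded from it."""
    seen = defaultdict(lambda: {"upload": [], "download": []})
    for client, method, url in cloud_webdav_events(log_text):
        if method in UPLOAD_METHODS:
            seen[client]["upload"].append(url)
        elif method == "GET" and seen[client]["upload"]:  # download only counts after an upload
            seen[client]["download"].append(url)
    return {c: v["upload"] + v["download"] for c, v in seen.items() if v["upload"] and v["download"]}

if __name__ == "__main__":
    for client, urls in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: upload-then-download against cloud WebDAV: {urls}")
```

A lone PROPFIND (10.0.5.77 in the sample) is not flagged, since directory listing alone is common for legitimate WebDAV use; the ordering of upload before download is what matches the beaconing pattern described above.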

Indicators of Compromise

  • [File Hash] – a34d585f66fc4582ed709298d00339a9, b1aad1ed2925c47f848f9c86a4f35256, and 2 more hashes
  • [Domain] – desktoppreview[.]com, gettemplate[.]org, and 7 more domains
  • [IP] – 146.70.88.123, 185.227.82.21
  • [File Name] – beachmaster.dll, examinere, and 2 more files

Read more: https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/