Kaspersky Lab’s Global Research & Analysis Team has just disclosed details of months long monitoring of a new APT codenamed “Cloud Atlas” after the famous film by Vachovsky-Tykwer. This complex cyber-espionage operation is the “spiritual successor” to the RedOctober campaign, and most likely has the same people behind it.
The RedOctober operation was hastily wrapped-up just after Kaspersky Lab’s publication in January 2013. Considering its global scope and the large investments behind the campaign, there was no reason to expect that RedOctober would just go away completely.
Cloud Atlas was first detected in August 2014. Some of Kaspersky Lab’s product users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware.
Partly Cloudy October: a spiritual successor to RedOctober #APT revealedTweet
The aforementioned vulnerability was present in Windows Common Controls and allowed remote code execution. It affected a large number of Microsoft products, namely 32-bit versions of Microsoft Office 2003, 2007 and 2010, Microsoft SQL Server 2000, 2005, 2008 and 2008 R2, along with Fox Pro, Visal Basic and some other Microsoft server software. This is quite a large attack surface. However, Cloud Atlas’ initial attack vector was spearphishing Microsoft Word docs (with an old .doc filename extension). Most of the docs listed by GReAT have Russian names. However, one of them – the one that raised suspicions Cloud Atlas may be related to RedOctober – has the name “Car for sale.doc”. RedOctober used “Diplomatic Car for Sale.doc”.
Further analysis supported the theory: there are multiple technical similarities, showing that (most likely) the same people who created malware tools for RedOctober did so for Cloud Atlas as well.
- Both Cloud Atlas and RedOctober malware implants rely on a similar construct, with a loader and the final payload that is stored, encrypted, and compressed in an external file. However, there are different encryption algorithms used.
- Both malicious programs share the code for LZMA compression algorithm. In Cloud Atlas it is used to compress the logs and to decompress the decrypted payload from the C&C servers, while in RedOctober the “scheduler” plugin uses it to decompress executable payloads from the C&C. The implementation of the algorithm is identical in both malicious modules, but the way it is invoked is a bit different.
- Binaries for both RedOctober and Cloud Atlas seem to be compiled using the same version of the Microsoft Visual Studio up to the build number version and using similar project configurations.
- There is a distinct “target overlapping” between RedOctober and Cloud Atlas, with most of the targets for both located in Russia and Kazakhstan.
The most unique and distinct feature of the Cloud Atlas APT is the fact that the exploit does not write the backdoor on the disk directly. Instead, it places an encrypted Visual Basic script that drops a polymorphic loader and an encrypted payload, which has a different name every time. The registry key in HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun is also added in order to ensure persistence.
Cloud Atlas is indeed a continuation of RedOctober – a large-scale cyber espionage operation targeting the same entities – military, diplomatic, etc.
#CloudAtlas targets the same entities as #RedOctoberTweet
This APT campaign may pose a threat for businesses closely associated with the targeted entities (they may be used as a source of the additional “leverage” data in order to conduct spearphishing attacks in the future). The more distressing factor here is that APT methods and techniques soon won’t be limited to cyber espionage (of an apparently political nature): Kaspersky Lab’s GReAT expects at least some degree of “merger” between APT and more “common” cybercrimes in the near future. We recommend that IT workers pay close attention to APTs, even if their employers have no connections with the industries targeted by APTs today.
A detailed technical report is available here