Cloud Atlas Cyber-Espionage Group Phishing Attacks

admin, 2023-12-26 13:49:37 (33 views, 4,076 characters, ~13 min read)

The threat actor referred to as Cloud Atlas has been linked to a set of spear-phishing attacks on Russian enterprises.

Targets included a Russian agro-industrial enterprise and a state-owned research company, according to a report from F.A.C.C.T., a standalone cybersecurity company formed after Group-IB's formal exit from Russia earlier this year.

Cloud Atlas, active since at least 2014, is a cyber espionage group of unknown origin. Also called Clean Ursa, Inception, Oxygen, and Red October, the threat actor is known for its persistent campaigns targeting Russia, Belarus, Azerbaijan, Turkey, and Slovenia.

In December 2022, Check Point and Positive Technologies detailed multi-stage attack sequences that led to the deployment of a PowerShell-based backdoor referred to as PowerShower as well as DLL payloads capable of communicating with an actor-controlled server.

The starting point is a phishing message bearing a lure document that exploits CVE-2017-11882, a six-year-old memory corruption flaw in Microsoft Office's Equation Editor, to kick-start the execution of malicious payloads, a technique Cloud Atlas has employed as early as October 2018.

"The actor's massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets," Kaspersky noted in August 2019. "Unlike many other intrusion sets, Cloud Atlas hasn't chosen to use open source implants during its recent campaigns, in order to be less discriminating."

F.A.C.C.T. described the latest kill chain as similar to the one described by Positive Technologies, with successful exploitation of CVE-2017-11882 via RTF template injection paving the way for shellcode that's responsible for downloading and running an obfuscated HTA file. The mails originate from popular Russian email services Yandex Mail and VK's Mail.ru.

The malicious HTML application subsequently launches Visual Basic Script (VBS) files that are ultimately responsible for retrieving and executing an unknown VBS code from a remote server.
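
As an added illustration of how a defender might spot the stages of the kill chain described above (example code written for this page, not code from F.A.C.C.T. or Positive Technologies), the following Python script does two things: it scans RTF bytes for a remote `\*\template` reference, the control word used for RTF template injection, and it checks Sysmon-style process-creation events for Equation Editor (EQNEDT32.EXE, the component affected by CVE-2017-11882) spawning child processes, for mshta.exe being launched with a remote URL, and for mshta.exe launching a script host such as wscript.exe. The RTF sample, the log events and the `example.invalid` URLs are constructed sample data, not indicators from the report.

```python
"""Detection helpers for the RTF -> Equation Editor -> HTA -> VBS chain.

Added example for this page; the sample RTF, events and URLs below are
constructed for illustration and are not indicators published by F.A.C.C.T.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Stage 1: RTF template injection. A {\*\template <url>} group pointing at a
# remote host makes Word fetch the template when the file is opened.
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s+(https?://[^\s}]+)", re.IGNORECASE)


def find_remote_rtf_template(data: bytes) -> Optional[str]:
    """Return the remote template URL if the RTF references one, else None."""
    head = data.lstrip()
    # Word also accepts the abbreviated "{\rt" header, so check for that prefix.
    if not head.startswith(b"{\\rt"):
        return None
    m = TEMPLATE_RE.search(data)
    return m.group(1).decode("latin-1") if m else None


# Stage 2-4: process ancestry. Equation Editor has no business spawning
# anything, and an HTA host launching a script host matches the HTA -> VBS step.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Finding:
    rule: str
    parent: str
    image: str


def suspicious_chains(events: List[dict]) -> List[Finding]:
    """Evaluate Sysmon EventID 1-like dicts (Image, ParentImage, CommandLine)."""
    findings: List[Finding] = []
    for ev in events:
        parent = _basename(ev.get("ParentImage", ""))
        image = _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if parent == "eqnedt32.exe":
            findings.append(Finding("eqnedt32_spawned_child", parent, image))
        if parent == "mshta.exe" and image in SCRIPT_HOSTS:
            findings.append(Finding("mshta_spawned_script_host", parent, image))
        if image == "mshta.exe" and re.search(r"https?://", cmd, re.IGNORECASE):
            findings.append(Finding("mshta_with_remote_url", parent, image))
    return findings


# Constructed sample data (placeholder host example.invalid, not a real IoC).
SAMPLE_RTF = b"{\\rtf1\\ansi{\\*\\template http://example.invalid/tpl.dotm}\\par Quarterly report}"
BENIGN_RTF = b"{\\rtf1\\ansi Hello}"

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/stage.hta"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\user\AppData\Local\Temp\stage.vbs"},
]


if __name__ == "__main__":
    print("remote template:", find_remote_rtf_template(SAMPLE_RTF))
    for f in suspicious_chains(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.parent} -> {f.image}")
```

The process rules are deliberately narrow: Equation Editor spawning any child is rare enough in normal use to alert on directly, while the mshta.exe rules are scoped to a remote URL or a script-host child so that locally installed HTA tools do not flood the queue.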

"The Cloud Atlas group has been active for many years, carefully thinking through every aspect of their attacks," Positive Technologies said of the group last year.

"The group's toolkit has not changed for years—they try to hide their malware from researchers by using one-time payload requests and validating them. The group avoids network and file attack detection tools by using legitimate cloud storage and well-documented software features, in particular in Microsoft Office."

The development comes as the company said that at least 20 organizations located in Russia have been compromised using Decoy Dog, a modified version of Pupy RAT, attributing it to an advanced persistent threat actor it calls Hellhounds.

The actively maintained malware, besides allowing the adversary to remotely control the infected host, comes with a scriptlet designed to transmit telemetry data to an "automated" account on Mastodon with the name "Lamir Hasabat" (@lahat) on the Mindly.Social instance.

"After materials on the first version of Decoy Dog were published, the malware authors went to a lot of effort to hamper its detection and analysis both in traffic and in the file system," security researchers Stanislav Pyzhov and Aleksandr Grigorian said.

Originally published on the WeChat public account 知机安全: Cloud Atlas Cyber-Espionage Group Phishing Attacks

Posted by admin on 2023-12-26 13:49:37. Reposted via CN-SEC (link retained as requested by the source): http://cn-sec.com/archives/2334864.html
