Known since 2014, Cloud Atlas targets Eastern Europe and Central Asia. We’re shedding light on a previously undocumented toolset, which the group used heavily in 2024.
Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code. When opened, the document downloads a malicious template formatted as an RTF file from a remote server controlled by the attackers. It contains a formula editor exploit that downloads and runs an HTML Application (HTA) file hosted on the same C2 server. The RTF and HTA downloads are restricted to certain time slots and victim IP addresses: requests are only allowed from target regions.
Read more…
Source: Kaspersky
Related:
- Over nine million cameras and DVRs open to APTs, botnet herders, and voyeurs
October 9, 2018
Millions of security cameras, DVRs, and NVRs contain vulnerabilities that can allow a remote attacker to take over devices with little effort, security researchers have revealed today. All vulnerable devices have been manufactured by Hangzhou Xiongmai Technology Co., Ltd.(Xiongmai hereinafter), a Chinese company based in the city of Hangzhou. But end users won’t be able to tell that ...
- PoC Attack Escalates MikroTik Router Bug to ‘As Bad As It Gets’
October 7, 2018
A new hacking technique used against vulnerable MikroTik routers gives attackers the ability to execute remote code on affected devices. The technique is yet another security blow against the MikroTik router family. Previous hacks have left the routers open to device failures, cyptojacking and network eavesdropping. The hacking technique, found by Tenable Research and outlined on ...
- Fallout Exploit Kit Now Installing the Kraken Cryptor Ransomware
October 4, 2018
The Fallout Exploit has been distributing the GandCrab Ransomware for the past few weeks, but has now switched its payload to the Kraken Cryptor Ransomware. Kraken Cryptor is a Ransomware as a Service (RaaS) that is actively being distributed by affiliates. As this is an affiliate system, we are seeing different bad actors distributing the ransomware using a variety ...
- Turla APT Changes Shape with New Code and Targets
October 4, 2018
The Turla APT group’s extensive activities have diversified this year, representing a mix of old code, new code and fresh targets. Perhaps most interesting, this sophisticated group is branching into using scripts and open-source code in its malware development – a marked departure for an APT best-known for deploying a complex rootkit called Snake, traditionally focused on ...
- Bank Servers Hacked to Trick ATMs into Spitting Out Millions in Cash
October 3, 2018
The US-CERT has released a joint technical alert from the DHS, the FBI, and Treasury warning about a new ATM scheme being used by the prolific North Korean APT hacking group known as Hidden Cobra. Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and ...
- Use Windows, macOS? Don’t be hacked by PDF, patch these critical Adobe flaws now
October 2, 2018
Adobe’s scheduled October update for its Acrobat and Reader PDF software addresses 85 vulnerabilities, including dozens of critical flaws that allow arbitrary code execution. The patches also address multiple privilege-escalation and information-disclosure flaws, shoring up Adobe’s PDF software further following a patch for a critical Acrobat and Reader flaw plugged two weeks ago. The bugs affect Acrobat DC ...