Cloud Atlas Hacker Group Exploits Microsoft Office Flaws to Launch Espionage Campaign in Eastern Europe and Central Asia

Cloud Atlas Hacker Group Exploits Microsoft Office Vulnerabilities to Deploy Malicious Code

The Cloud Atlas advanced persistent threat (APT) group has intensified its cyber-espionage activities, targeting organizations across Eastern Europe and Central Asia in the first half of 2025. By exploiting vulnerabilities in outdated Microsoft Office installations, particularly CVE-2018-0802, the group has infiltrated numerous systems and deployed a series of backdoor implants to maintain persistent access and exfiltrate sensitive data.

Background on Cloud Atlas

Active since 2014, Cloud Atlas has established itself as a formidable entity in the cyber-espionage landscape. The group’s operations are characterized by continuous refinement of attack methodologies and an expanding toolkit designed to evade detection and enhance persistence within compromised networks.

Exploitation of Microsoft Office Vulnerabilities

The group’s recent campaign leverages CVE-2018-0802, a critical vulnerability in Microsoft Office’s Equation Editor. This flaw allows attackers to execute arbitrary code on targeted systems. The attack typically begins with phishing emails containing malicious documents. When a recipient opens the compromised file, it triggers a complex infection chain that culminates in the deployment of multiple backdoor implants.

Infection Chain and Malware Deployment

Upon opening the malicious document, the following sequence unfolds:

1. Malicious Template Loading: The document loads a template from an attacker-controlled server, which contains an RTF file exploiting the Equation Editor vulnerability.

2. Execution of HTML Application (HTA) File: The exploit downloads and executes an HTA file, initiating the next stage of the infection.

3. Deployment of VBS Scripts: The HTA file extracts multiple Visual Basic Script (VBS) files onto the target system.

4. Backdoor Installation: These VBS scripts facilitate the installation of various backdoors, including VBShower, PowerShower, VBCloud, and CloudAtlas.
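As an added example (not code from the article, from Cloud Atlas, or from any vendor), the Python check below looks for the hook that step 1 depends on: an attachedTemplate relationship in the document package whose target is external and fetched over HTTP, which is how a Word document pulls its template from a remote server. The relationship type and part name are standard OOXML; the sample package and the template URL it carries are constructed here for the demonstration and are not indicators from the campaign.

```python
# Added example: triage an OOXML document for a remotely fetched template.
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_PART = "word/_rels/settings.xml.rels"   # where Word records the attached template


def external_templates_in_rels(rels_xml: bytes) -> list:
    """Return Target values of attachedTemplate relationships marked External."""
    root = ET.fromstring(rels_xml)
    return [rel.get("Target", "")
            for rel in root.iter("{%s}Relationship" % REL_NS)
            if rel.get("Type") == ATTACHED_TEMPLATE
            and rel.get("TargetMode") == "External"]


def scan_docx(data: bytes) -> dict:
    """Scan a .docx/.dotx held in memory and report remote template references."""
    findings = {"remote_templates": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if RELS_PART in zf.namelist():
            findings["remote_templates"] = external_templates_in_rels(zf.read(RELS_PART))
    # A template served over HTTP(S) is the pattern to escalate; a UNC path to a
    # known corporate share may be legitimate and is left to the analyst.
    if any(t.lower().startswith(("http://", "https://")) for t in findings["remote_templates"]):
        findings["verdict"] = "suspicious: attached template is fetched over HTTP"
    return findings


def build_sample_docx(template_target=None) -> bytes:
    """Constructed sample, not a real capture: the minimal package parts needed
    for the check, with an optional external attachedTemplate relationship."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="%s">' % REL_NS]
    if template_target:
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                    % (ATTACHED_TEMPLATE, template_target))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(RELS_PART, "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(scan_docx(fh.read()))
    else:  # placeholder URL, constructed for the demo
        print(scan_docx(build_sample_docx("http://template.example.invalid/t.dotm")))
```

Run it against a quarantined attachment with `python scan_docx.py suspicious.docx`; the same relationship check is easy to port to a mail-gateway or sandbox pre-filter, where a document that fetches its template from an HTTP URL at open time deserves detonation before delivery.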

Detailed Analysis of Backdoor Implants

– VBShower: Serving as the primary launcher, VBShower executes downloaded VB scripts of varying sizes, providing flexibility in payload deployment. It communicates with command-and-control (C2) servers to retrieve and execute additional scripts, enabling functions such as file exfiltration, system enumeration, and credential harvesting.

– PowerShower: This backdoor utilizes PowerShell scripts to execute commands and download further payloads, enhancing the group’s ability to adapt and expand its foothold within the compromised environment.

– VBCloud: Operating alongside a launcher script, VBCloud maintains encrypted communication with C2 servers through cloud-based infrastructure. It reads encrypted payload data from local files, decrypts it with RC4 using keys embedded in the script, and executes the decrypted content. Notably, the explicit implementation of RC4’s PRGA (its keystream-generation stage) within the script is taken as a sign of a higher level of operational sophistication.

– CloudAtlas: As the final-stage backdoor, CloudAtlas communicates over WebDAV with cloud services such as OpenDrive, establishing encrypted command channels that blend with legitimate cloud traffic. It creates directories with HTTP MKCOL requests and retrieves payloads with PROPFIND requests, keeping its operations inconspicuous.
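The VBCloud entry above names two RC4 stages, the key scheduling and the PRGA, so the following added example (written for this page, not recovered from any Cloud Atlas script) implements RC4 with those two stages kept separate and wraps it in a helper that decrypts a payload file with an embedded key, the storage pattern the text attributes to VBCloud. The PRGA is RC4's keystream generator, so every RC4 implementation contains one; what an analyst can check is whether a script carries exactly this routine. The embedded key and file path are placeholders; the only real value is the public RC4 test vector used for the self-check.

```python
# Added example: RC4 as its two stages, KSA and PRGA, with a payload-file helper.

def rc4_ksa(key: bytes) -> list:
    """Key scheduling algorithm: permute the 0..255 state array under the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    return state


def rc4_prga(state: list):
    """Pseudo-random generation algorithm: yields one keystream byte per next()."""
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        yield state[(state[i] + state[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: XOR with the keystream both encrypts and decrypts."""
    keystream = rc4_prga(rc4_ksa(key))
    return bytes(b ^ next(keystream) for b in data)


# Public RC4 test vector: key "Key", plaintext "Plaintext".
RC4_TEST_VECTOR = (b"Key", b"Plaintext", bytes.fromhex("BBF316E8D940AF0AD3"))

# Hypothetical placeholder; for a real sample the key is lifted from the script body.
EMBEDDED_KEY = b"placeholder-key"


def decrypt_payload_file(path: str, key: bytes = EMBEDDED_KEY) -> bytes:
    """Decrypt an RC4-encrypted blob that a launcher dropped beside itself."""
    with open(path, "rb") as fh:
        return rc4_crypt(key, fh.read())


def self_check() -> bool:
    """Confirm the implementation against the test vector in both directions."""
    key, plain, cipher = RC4_TEST_VECTOR
    return rc4_crypt(key, plain) == cipher and rc4_crypt(key, cipher) == plain


if __name__ == "__main__":
    print("RC4 self-check:", "ok" if self_check() else "FAILED")
```

For triage, the self-check matters more than it looks: a script that ships its own RC4 rather than calling a library often deviates slightly (a different modulus, a dropped swap), and confirming your re-implementation against the published vector before decrypting a recovered blob saves chasing garbage output.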
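The CloudAtlas traffic shape described above, a client creating a collection with MKCOL and then enumerating it with PROPFIND on a consumer cloud WebDAV endpoint, is visible in proxy logs. The detection below is an added example, not the article's or any vendor's logic; the log format, the allowlist of sanctioned WebDAV hosts and the cloud host name are all constructed for the demonstration.

```python
# Added example: flag MKCOL+PROPFIND pairs to unsanctioned WebDAV hosts in proxy logs.
import re
from collections import defaultdict

# Assumed allowlist: WebDAV endpoints the organisation legitimately uses.
SANCTIONED_WEBDAV_HOSTS = {"files.corp.example"}
WEBDAV_METHODS = {"MKCOL", "PROPFIND", "PROPPATCH", "PUT", "MOVE", "DELETE"}

# Constructed log layout: timestamp client method url status "user-agent".
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not a real capture.
SAMPLE_PROXY_LOG = """\
2025-03-04T10:12:03Z 10.0.0.15 MKCOL https://dav.cloud-storage.invalid/sync/host-a1 201 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2025-03-04T10:12:05Z 10.0.0.15 PROPFIND https://dav.cloud-storage.invalid/sync/host-a1/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2025-03-04T10:12:09Z 10.0.0.15 GET https://dav.cloud-storage.invalid/sync/host-a1/task.bin 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2025-03-04T10:13:00Z 10.0.0.22 PROPFIND https://files.corp.example/shared/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2025-03-04T10:13:30Z 10.0.0.31 GET https://www.example.com/ 200 "Mozilla/5.0"
""".splitlines()


def parse_line(line: str):
    """Parse one log line into a dict, adding the lower-cased host; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = re.sub(r"^https?://", "", rec["url"]).split("/")[0].lower()
    return rec


def detect_webdav_c2(lines) -> list:
    """One alert per (client, host) that both created (MKCOL) and listed (PROPFIND)
    a collection on a WebDAV host outside the allowlist."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in WEBDAV_METHODS:
            continue
        if rec["host"] in SANCTIONED_WEBDAV_HOSTS:
            continue
        seen[rec["client"]][rec["host"]].add(rec["method"])
    alerts = []
    for client, hosts in seen.items():
        for host, methods in hosts.items():
            if {"MKCOL", "PROPFIND"} <= methods:
                alerts.append({"client": client, "host": host, "methods": sorted(methods)})
    return alerts


if __name__ == "__main__":
    for alert in detect_webdav_c2(SAMPLE_PROXY_LOG):
        print(alert)
```

Keying on the method pair rather than on a host list is deliberate: the cloud provider can change between campaigns, but a workstation that both creates and enumerates directories on a non-corporate WebDAV share is unusual enough to review, and the allowlist keeps a sanctioned file service from paging anyone.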

Persistence Mechanisms

To maintain access across system reboots, Cloud Atlas employs the Windows Task Scheduler:

– Scheduled Tasks Creation: The malware creates tasks with names mimicking legitimate system services, such as MicrosoftEdgeUpdateTask and MicrosoftVLCTaskMachine.

– Execution of VBS Scripts: These tasks execute VBS scripts at regular intervals, ensuring the malware remains operational even after system restarts.

– File Operations: The malware stages renamed files and encrypted payloads in user-writable directories such as %Public% and %LOCALAPPDATA%, keeping its on-disk footprint inconspicuous.
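The three persistence traits above (a task name that mimics a Microsoft component, a script host running a VBS file on a repeat interval, and a script staged under %Public% or %LOCALAPPDATA%) can be checked from an exported task definition. The triage script below is an added example in Python rather than the article's or any vendor's tool; the namespace and element names are those of the standard Task Scheduler XML schema, while both sample task definitions, including the file name and path, are constructed for the demonstration.

```python
# Added example: score an exported Task Scheduler XML definition for persistence traits.
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell")
STAGING_DIRS = (r"\users\public", r"\appdata\local", "%public%", "%localappdata%")
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|hta|ps1)\b")


def _q(tag: str) -> str:
    return "{%s}%s" % (TASK_NS, tag)


def _load_xml(data: bytes):
    # schtasks/Export-ScheduledTask emit UTF-16; copies saved by hand are often
    # UTF-8 with a stale UTF-16 declaration, so decode first and drop the declaration.
    text = data.decode("utf-16") if data[:2] in (b"\xff\xfe", b"\xfe\xff") else data.decode("utf-8")
    return ET.fromstring(re.sub(r"^<\?xml[^>]*\?>", "", text.lstrip()))


def triage_task_xml(xml_data: bytes) -> dict:
    """Return the task's name, action and a list of suspicious traits (empty if none)."""
    root = _load_xml(xml_data)
    name = (root.findtext(f".//{_q('RegistrationInfo')}/{_q('URI')}") or "").strip()
    command = (root.findtext(f".//{_q('Exec')}/{_q('Command')}") or "").strip()
    arguments = (root.findtext(f".//{_q('Exec')}/{_q('Arguments')}") or "").strip()
    interval = (root.findtext(f".//{_q('Repetition')}/{_q('Interval')}") or "").strip()
    combined = f"{command} {arguments}".lower()

    flags = []
    if any(h in command.lower() for h in SCRIPT_HOSTS) and SCRIPT_EXT_RE.search(combined):
        flags.append("script host launches a script file")
    if any(d in combined for d in STAGING_DIRS):
        flags.append("script is staged in a user-writable directory")
    if "microsoft" in name.lower() and not re.search(r"\\program files|\\windows\\", combined):
        flags.append("Microsoft-style task name but command outside Program Files or Windows")
    if interval:
        flags.append(f"repeats every {interval}")
    return {"name": name, "command": command, "arguments": arguments, "flags": flags}


# Constructed sample: a lookalike task running a VBS file from %Public%.
SAMPLE_SUSPICIOUS_TASK = b"""<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\MicrosoftVLCTaskMachine</URI></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2025-01-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT10M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>wscript.exe</Command>
    <Arguments>//B "C:\\Users\\Public\\Libraries\\placeholder.vbs"</Arguments></Exec></Actions>
</Task>"""

# Constructed sample shaped like the genuine Edge updater task for contrast.
SAMPLE_BENIGN_TASK = b"""<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\MicrosoftEdgeUpdateTaskMachineCore</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe</Command>
    <Arguments>/c</Arguments></Exec></Actions>
</Task>"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage_task_xml(fh.read()))
    else:
        print(triage_task_xml(SAMPLE_SUSPICIOUS_TASK))
        print(triage_task_xml(SAMPLE_BENIGN_TASK))
```

Export a task on the host with `Export-ScheduledTask -TaskName '<name>'` (or `schtasks /query /tn '<name>' /xml`) and feed the saved file to the script; the name-versus-command check is the useful one, because a genuine Microsoft update task points at a binary under Program Files, whereas a lookalike has to point at whatever script host will run its VBS file.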

Implications and Recommendations

The Cloud Atlas campaign underscores the critical need for organizations to:

– Update Software Regularly: Ensure all software, especially Microsoft Office, is updated to the latest versions to mitigate known vulnerabilities.

– Enhance Email Security: Implement advanced email filtering solutions to detect and block phishing attempts.

– Educate Employees: Conduct regular training sessions to raise awareness about phishing tactics and the importance of not opening suspicious attachments.

– Monitor Network Activity: Utilize intrusion detection systems to identify unusual network behavior indicative of malware activity.

By adopting these measures, organizations can bolster their defenses against sophisticated threat actors like Cloud Atlas and reduce the risk of data breaches and system compromises.