Cloud Atlas: sheet happens
The article covers the ongoing activity of the Cloud Atlas threat group, which has targeted organizations in Russia and Belarus since 2014. The group relies on cloud services for command and control and keeps evolving its toolset, including the PowerShower backdoor and VBShower. A recent phishing campaign aimed at government employees was investigated, revealing techniques such as remote template injection in the lure documents and the use of Google Sheets as a C2 server. Affected: Yandex Disk, Google Sheets

Keypoints :

  • Cloud Atlas has targeted organizations in Russia and Belarus since 2014.
  • They utilize cloud services, specifically Yandex Disk, for command-and-control operations.
  • The group has developed various malware tools, including PowerShower and VBShower.
  • A phishing campaign targeting government employees was discovered in November 2024.
  • The malicious documents used in the campaign fetched their next stage through remote template injection: the document itself carries no payload and pulls a template from an attacker-controlled server when opened.
  • Google Sheets was used as a command-and-control server in this campaign.
  • The attackers refined their tactics and tools over time, increasing the sophistication of their malware.

MITRE Techniques :

  • T1583: Acquire Infrastructure – Cloud Atlas utilized the server officeconfirm.technoguides[.]org for storing remote templates.
  • T1566.001: Phishing: Spearphishing Attachment – Phishing emails with malicious content were sent from the internet.ru domain.
  • T1204.002: User Execution: Malicious File – Malicious DOC files were sent via phishing emails.
  • T1059.001: Command and Scripting Interpreter: PowerShell – PowerShell scripts were used to load and run components.
  • T1059.005: Command and Scripting Interpreter: Visual Basic – Visual Basic scripts were utilized to execute commands.
  • T1140: Deobfuscate/Decode Files or Information – Cloud Atlas decrypted payloads to execute malicious code.
  • T1574.002: Hijack Execution Flow: DLL Side-Loading – The DLL Side-Loading technique was used to execute malicious code.
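Remote template injection (key points above and the T1583 entry) leaves a static marker in the document: an attachedTemplate relationship in word/_rels/settings.xml.rels whose Target is an external URL that Word fetches on open. The following triage script is an added example, not code from the PT Security write-up. It builds a minimal .docx in memory as a constructed fixture (only the host name officeconfirm.technoguides.org comes from the article's IoC list; the template path is made up), extracts any remote template references, and matches their hosts against a known-bad set. It also flags UNC targets, which Word resolves over SMB, and deliberately ignores local file:/// templates such as Normal.dotm so that ordinary documents are not reported.

```python
"""Detect remote template injection in OOXML Word documents.

Added example; not code from the PT Security article. A Word file that
pulls its template from a remote host carries an attachedTemplate
relationship in word/_rels/settings.xml.rels with TargetMode="External"
and an http(s) URL (or a UNC path) as the Target. Word fetches that
target when the document is opened; that is what the technique relies on.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_PART = "word/_rels/settings.xml.rels"

# Host the article lists as Cloud Atlas template-hosting infrastructure.
KNOWN_BAD_HOSTS = {"officeconfirm.technoguides.org"}


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return each attachedTemplate relationship that points off the local disk.

    http(s) targets are the classic remote template injection. UNC targets
    (\\\\host\\share\\x.dotm) are flagged too, since Word fetches them over SMB.
    Local file:/// paths (the usual Normal.dotm case) are ignored.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read(RELS_PART))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            if rel.get("TargetMode", "Internal") != "External":
                continue
            target = rel.get("Target", "")
            if re.match(r"(?i)^https?://", target):
                hits.append({"id": rel.get("Id"), "kind": "http", "target": target,
                             "host": (urlparse(target).hostname or "").lower()})
            elif target.startswith("\\\\") or target.startswith("//"):
                host = target.lstrip("\\/").split("\\")[0].split("/")[0]
                hits.append({"id": rel.get("Id"), "kind": "unc", "target": target,
                             "host": host.lower()})
    return hits


def classify(docx_bytes: bytes, bad_hosts=KNOWN_BAD_HOSTS) -> str:
    """'known_bad' if a remote template host is in the IoC set,
    'suspicious' if any remote template is present, otherwise 'clean'."""
    hits = find_remote_templates(docx_bytes)
    if not hits:
        return "clean"
    if any(h["host"] in bad_hosts for h in hits):
        return "known_bad"
    return "suspicious"


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx in memory (a test fixture, not a real sample).

    When template_target is given, settings.xml.rels gets an External
    attachedTemplate relationship pointing at it, the same shape the
    campaign's lure documents use.
    """
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/></Types>')
    settings = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>')
    rels = (
        f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/settings.xml", settings)
        if template_target is not None:
            zf.writestr(RELS_PART, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical template path; only the host comes from the article's IoCs.
    sample = build_sample_docx("https://officeconfirm.technoguides.org/template.dotm")
    print(find_remote_templates(sample), classify(sample))
```

Run this over mail-gateway attachments or a quarantine folder by passing each file's bytes to classify(); a "suspicious" verdict is worth a sandbox detonation even when the host is not yet on any list, because the remote server can swap in a benign template for analysts and the weaponized one for victims.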

Indicators of Compromise :

  • [domain] mehafon[.]com
  • [domain] officeconfirm.technoguides[.]org
  • [ip address] 79.143.87[.]233
  • [ip address] 188.127.235[.]216
  • [file name] CiscoSparkLauncher.dll
  • Check the article for all found IoCs.


Full Research: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/cloud-atlas-sheet-happens