Remember RedOctober, the complex cyber-espionage operation targeting diplomatic embassies worldwide? After being outed in January 2013, the operation was promptly shut down and the network of C&Cs was dismantled. But now, the advanced persistent threat (APT) group appears to be back.
“As usually happens with these big operations, considering the huge investment and number of resources behind it, they don't just go away forever,” said Kaspersky Lab, in an analysis. “Normally, the group goes underground for a few months, redesigns the tools and the malware and resume operations.”
Such is the suspected case when it comes to Cloud Atlas, which Kaspersky uncovered in August 2014. The initiative is a series of targeted attacks using a variation of CVE-2012-0158, and what Kaspersky said is an unusual set of tactics that are “not very common in the APT world.”
Perhaps the most unusual fact was that the Microsoft Office exploit doesn't directly write a Windows PE backdoor on disk. Instead, it writes an encrypted Visual Basic Script and runs it. The loader inside appears to be polymorphic—i.e., it’s different every time. Also, the payload is always encrypted with a unique key, making it impossible to decrypt unless the DLL is available.
The malware meanwhile uses CloudMe, which is owned and operated by Sweden-based CloudMe AB, to communicate via HTTPS and WebDav. Each malware set observed so far communicates with a different CloudMe account: The attackers upload data to the account, which is downloaded by the malware, decrypted and interpreted. In turn, the malware uploads the replies back to the server via the same mechanism.
“We do not believe that CloudMe is in any way related to the Cloud Atlas group—the attackers simply create free accounts on this provider and abuse them for command-and-control,” Kaspersky said.
Interestingly, CloudMe is also being used by the just-discovered Inception APT for C&C. But prior to this, the only other group using cloud was the ItaDuke group, which connected to accounts on the cloud provider mydrive.ch.
As far as ties to RedOctober, the greatest evidence for this lies in the targeting information. CloudAtlas infections are for now concentrated in Russia and former Iron Curtain countries, and India—just like RedOctober.
“We see an obvious overlap of targets between the two, with subtle differences which closely account for the geopolitical changes in the region that happened during the last two years,” Kaspersky researchers said. And, some of the spear-phishing documents between Cloud Atlas and RedOctober seem to exploit the same theme and were used to target the same entity at different times.
“In at least one case, the victim's computer was attacked only twice in the last two years, with only two malicious programs—RedOctober and Cloud Atlas,” researchers said.
Both Cloud Atlas and RedOctober malware implants rely on a similar construct, with a loader and the final payload that is stored encrypted and compressed in an external file. And, the usage of the compression algorithms in Cloud Altas and RedOctober is similar; the implementation of the algorithm is identical in both, but the way it is invoked is a bit different, with additional input sanity checks added to the CloudAtlas version. And finally, both malware families use a similar configuration of the build system used to compile the binaries.
Finally, perhaps the strongest connection comes from targeting. Based on observations from KSN, some of the victims of RedOctober are also being targeted by CloudAtlas.
“These and other details make us believe that CloudAtlas represents a rebirth of the RedOctober attacks,” Kaspersky said.