Cloud Atlas APT group goes polymorphic to dodge detection

News by Mark Mayne

Veteran threat actor group Cloud Atlas boosts favoured tactics, tools and procedures by introducing polymorphic components that hinder detection

The Cloud Atlas advanced persistent threat (APT) group, also known as Inception, has developed a powerful new evasion module that uses polymorphic techniques to remain unique, according to researchers. 

The polymorphic technique makes the attack hard to detect: because each sample is unique, it defeats signature-based detection systems most of the time, if not always. The group, linked to attacks in Russia, Romania, Turkey and Ukraine, uses spear-phishing to gain an initial foothold on a target network. A recent volley of attacks has targeted "international economics and aerospace industries", noted Kaspersky researchers in a blog post.

"Previously, Cloud Atlas dropped its ‘validator’ implant named ‘PowerShower’ directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. During recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and a Cloud Atlas second stage modular backdoor," explained the researchers. 

The new infection chain relies on executing a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system: a polymorphic backdoor named VBShower, which replaces PowerShower as a validator; a tiny launcher for VBShower; and a unique file computed by the HTA that contains contextual data such as the current user, domain, computer name and a list of active processes. 

"This ‘polymorphic’ infection chain allows the attacker to try to prevent IoC-based defence, as each code is unique by victim so it can’t be searched via file hash on the host," the researchers summarised. 

"Criminals continue to innovate and come up with new attacks such as polymorphic malware which makes it more difficult to detect and protect against," said Javvad Malik, security awareness advocate at KnowBe4.

"However, as with most malware - and this one is no exception - there needs to be an initial infection point which usually comes in the form of a phishing email. If companies invested in anti-phishing controls and providing appropriate security awareness training to their employees, then that would be a good defence against the majority of new and evolving attacks, even many APTs," he added.

Longevity is a key aim for such APT groups, BitDam CTO Maor Hizkiev told SC Media UK. 

"Groups like Cloud Atlas take numerous precautions, such as connecting to their servers from a public network, connecting through hacked routers and browsing via Tor to stay under the radar. This approach has enabled them to keep operating for five years (and counting)," said Hizkiev.

Organisations have to keep on top of their security updates and patches to defend against Cloud Atlas, he said. 

"The flow of OS and software version updates never ends, nor does the flow of security updates and patches. Organisations should establish procedures to regularly check and install these updates. They should also take advantage of available advanced threat protection (ATP) tools that stop both known and unknown threats delivered via different collaboration platforms. And, last but not least, they should test their security solutions on a consistent basis by utilising tools such as pentesting and breach and attack simulation."

In spite of the polymorphic nature of the threat, the Kaspersky team were able to find some common IoCs:

Some emails used by the attackers

VBShower registry persistence

  • Key : HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[a-f0-9A-F]{8}

  • Value : wscript //B "%APPDATA%\[A-Za-z]{5}.vbs"

VBShower paths

  • %APPDATA%\[A-Za-z]{5}.vbs.dat

  • %APPDATA%\[A-Za-z]{5}.vbs

  • %APPDATA%\[A-Za-z]{5}.mds
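The registry and path patterns above are the defender's handle on this campaign: the VBS contents differ per victim, but the Run value name, the wscript command line and the file names keep a fixed shape. As an added example (not from the article or from Kaspersky), the Python below turns those patterns into checks over exported Run entries and a file listing; the sample entries are constructed, not real indicators.

```python
import re

# Structural IoC shapes from the Kaspersky findings quoted above. Each victim's
# VBShower sample is unique (so file hashes are useless), but the Run value
# name, the Run command line and the on-disk file names keep a fixed form.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_NAME_RE = re.compile(r"^[a-f0-9A-F]{8}$")
RUN_VALUE_RE = re.compile(r'^wscript\s+//B\s+"%APPDATA%\\[A-Za-z]{5}\.vbs"$',
                          re.IGNORECASE)
PATH_RE = re.compile(r"^%APPDATA%\\[A-Za-z]{5}\.(vbs|vbs\.dat|mds)$", re.IGNORECASE)


def check_run_entries(entries):
    """Return a list of suspicious Run entries.
    entries: iterable of (key_path, value_name, value_data) tuples, e.g. as
    exported from the registry. Both the 8-hex-char value name and the
    wscript //B command line must match before an entry is reported.
    """
    hits = []
    for key_path, name, data in entries:
        if key_path.rstrip("\\").lower() != RUN_KEY.lower():
            continue
        if RUN_NAME_RE.match(name) and RUN_VALUE_RE.match(data.strip()):
            hits.append(f"{key_path}\\{name} -> {data}")
    return hits


def check_paths(paths):
    """Return the paths that match the VBShower on-disk naming pattern."""
    return [p for p in paths if PATH_RE.match(p)]


# Constructed sample data (not real IoCs): one benign Run entry, one that
# matches the VBShower shape, and one near miss with a 9-character name.
SAMPLE_RUN_ENTRIES = [
    (RUN_KEY, "OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEY, "3fA9c01D", r'wscript //B "%APPDATA%\Qwzrt.vbs"'),
    (RUN_KEY, "3fA9c01D0", r'wscript //B "%APPDATA%\Qwzrt.vbs"'),
]
SAMPLE_PATHS = [
    r"%APPDATA%\Qwzrt.vbs",
    r"%APPDATA%\Qwzrt.vbs.dat",
    r"%APPDATA%\Qwzrt.mds",
    r"%APPDATA%\Microsoft\Word\Normal.dotm",
    r"%APPDATA%\update.vbs",  # six letters, does not fit the pattern
]

if __name__ == "__main__":
    for hit in check_run_entries(SAMPLE_RUN_ENTRIES) + check_paths(SAMPLE_PATHS):
        print("VBShower indicator:", hit)
```

On a live host the Run value may already carry the expanded form of %APPDATA% (C:\Users\<user>\AppData\Roaming\), so a production rule should accept that spelling as well as the literal variable.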

VBShower C2s
