Type: Believed Nation State

Status: Active

Other Names:  Mimics Red October; believed either false flag or evolution

Active Since/Discovered: 2014/ August 2014

Targets: Russia, Kazakhstan, Belarus, India, The Czech Republic

Target Sectors: Diplomatic organizations/embassies and Government entities

Malware:

• • Cloud Atlas/ Trojan.Win32.CloudAtlas.gen
    • Uncommon file names
    • the Microsoft Office exploit didn’t directly write a Windows PE backdoor on disk. Instead, it writes an encrypted Visual Basic Script and runs it
    • Uniquely named Payloads:
      • steinheimman
      • papersaving
      • previliges
      • fundamentive
      • bicorporate
      • miditiming
      • damnatorily
      • munnopsis
      • arzner
      • redtailed
      • roodgoose
      • acholias
      • salefians
      • wartworts
      • frequencyuse
      • nonmagyar
      • shebir
      • getgoing
    • All samples communicate via HTTPS and WebDav with the same server “cloudme.com”, a cloud services provider
      • Each sample communicates with a different account which is downloaded by the implant, decrypted and interpreted
      • the malware uploads the replies back to the server via the same mechanism
    • data is compressed with LZMA and encrypted with AES
      • Key is stored in body of malware
        

Preferred Attack Vector:  Social Engineering and Exploits

IoCs:

• CVE-2012-0158
• Spear-phishing lures focusing on car sales are similar to Red October
• Targeted Windows, Android, iOS, Linux
• Cyberespionage and Data Theft
• Microsoft Office exploit writes an encrypted Visual Basic Script and runs it instead of writing a Windows PE backdoor to disk

Unique:

• May be Rebirth of Red October campaign
  • some shared victims
  • Similar malware implant construction
• All malware samples communicate with accounts from a cloud service provider as C2