The Russian state-backed threat operation Cloud Atlas, also tracked as Clean Ursa, Oxygen, Inception, and Red October, has deployed the new VBCloud malware in data-theft attacks against dozens of users, most of them in Russia, reports The Hacker News.
According to an analysis from Kaspersky, Cloud Atlas distributed phishing emails carrying a Microsoft Office document that downloads a malicious RTF template. The template exploits an Equation Editor vulnerability, tracked as CVE-2018-0802, to execute an HTML Application file, which in turn drops the launcher and cleaner files for the VBShower backdoor.
Aside from enabling additional Visual Basic Script payload retrieval, VBShower also allowed the deployment of PowerShower, which acts as a downloader for up to seven PowerShell payloads, and VBCloud, which allows gathering of disk information, system metadata, documents of various formats, and Telegram-related files.
"PowerShower probes the local network and facilitates further infiltration, while VBCloud collects information about the system and steals files. The infection chain consists of several stages and ultimately aims to steal data from victims' devices," said Kaspersky researcher Oleg Kupreev.
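A detection-side illustration, added here and not part of the report or of Kaspersky's analysis: the chain described above passes through a recognisable sequence of parent/child processes (an Office application hosting Equation Editor, an HTML Application being executed, and script hosts launched from it), which endpoint telemetry can flag without any campaign-specific indicator. The process-creation events below are constructed for the example, the field names are assumptions rather than any product's schema, and the rules encode only generic facts about Windows: Equation Editor runs as eqnedt32.exe and .hta files are executed by mshta.exe.

```python
"""Process-tree heuristics for the document -> Equation Editor -> HTA -> script
stages of the infection chain. Sample events are constructed for this example
and are not real telemetry; the ProcessEvent fields are assumed names."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EQUATION_EDITOR = "eqnedt32.exe"   # host process abused by Equation Editor exploits (e.g. CVE-2018-0802)
HTA_HOST = "mshta.exe"             # Windows executes HTML Application (.hta) files through mshta.exe
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}  # VBS / PowerShell stage launchers


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process (assumed field name)
    image: str          # full path of the created process (assumed field name)
    command_line: str   # command line of the created process (assumed field name)


def _base(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Map one process-creation event to a chain stage, or None if it looks benign."""
    parent, child = _base(ev.parent_image), _base(ev.image)
    if parent in OFFICE_APPS and child == EQUATION_EDITOR:
        # Office documents rarely need Equation Editor today; a document that
        # starts it is the classic precursor of CVE-2017-11882/CVE-2018-0802 abuse.
        return "office_spawns_equation_editor"
    if (parent in OFFICE_APPS or parent == EQUATION_EDITOR) and child == HTA_HOST:
        # An HTA being executed from a document or from Equation Editor
        # matches the "execute an HTML Application file" step of the chain.
        return "hta_launched_from_document"
    if parent == HTA_HOST and child in SCRIPT_HOSTS:
        # The HTA hands off to a script host: launcher/cleaner VBS or PowerShell.
        return "script_host_spawned_by_hta"
    return None


def triage(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (stage, parent, child) for every event that matches a chain stage."""
    findings = []
    for ev in events:
        stage = classify(ev)
        if stage is not None:
            findings.append((stage, _base(ev.parent_image), _base(ev.image)))
    return findings


# Constructed sample telemetry: three suspicious events interleaved with benign ones.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" C:\Users\u\Downloads\invoice.docx'),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                 r'"EQNEDT32.EXE" -Embedding'),
    ProcessEvent(r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                 r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Users\u\AppData\Local\Temp\stage.hta"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe //B C:\Users\u\AppData\Roaming\launcher.vbs"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe notes.txt"),
]


if __name__ == "__main__":
    for stage, parent, child in triage(SAMPLE_EVENTS):
        print(f"{stage}: {parent} -> {child}")
```

The three rules are deliberately independent: each stage is reported on its own, so a single Office-to-Equation-Editor event already surfaces for review even if later stages are missing from the logs. In a real deployment the Office and script-host lists would be extended to the products in use, and the mshta.exe rule would also consider command lines that reference remote HTA locations.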