CloudAtlas APT – A New Campaign by Attackers Behind RedOctober
The attackers behind the APT campaign known as RedOctober have resurfaced with a new campaign nearly two years after the old one was exposed, using similar tools and spear-phishing emails to target some of the same victims as before.
Researchers found that the RedOctober campaign, which emerged in January 2013, targeted research organizations, government agencies and diplomats in some Eastern European countries with malware capable of stealing data from FTP servers, mobile devices and desktops. The attackers had a variety of tools at their disposal, including unique victim IDs, and had exploits ready for quite a few vulnerabilities. RedOctober attacks began with highly targeted phishing emails, some of which advertised a diplomatic car for sale.
On Wednesday, researchers at Kaspersky Lab disclosed a new campaign, CloudAtlas, which, like RedOctober, uses spear-phishing lures and has even targeted some of RedOctober’s victims. Given the similar tactics and tools used against the same targets, the researchers believe the same group may be behind both campaigns.
CloudAtlas targeted the same victims as RedOctober: not just the same organizations, but some of the same desktop machines. One targeted machine was attacked only twice in the last two years, once by RedOctober in early 2013 and once recently by CloudAtlas. The same countries were also hit by both campaigns: India, Belarus, Kazakhstan and Russia. The two campaigns even use similar malware tools.
Kaspersky researchers said that both malware implants – RedOctober and CloudAtlas – rely on a very similar construct: a loader and an external file containing the final payload, which is encrypted and then compressed. There are some significant differences, however, the most important being the encryption algorithm used – AES in the recent CloudAtlas campaign and RC4 in RedOctober.
Researchers also noted that the compression algorithms used in both campaigns are strikingly similar: CloudAtlas and RedOctober share the same LZMA compression code. In RedOctober the ‘scheduler’ plugin uses it to decompress executable payloads received from the C&C servers, while CloudAtlas uses it both to compress its logs and to decompress the decrypted payloads from its command-and-control servers.
The CloudAtlas campaign’s C2 infrastructure is rather unusual: the attackers use accounts at the Swedish provider CloudMe to communicate with the machines they have compromised. CloudMe officials said on Twitter that they are already working on deleting CloudAtlas’ C2 accounts, and that they are permanently deleting all accounts they can identify as involved in the CloudAtlas campaign ‘business’.
Blue Coat’s researchers, who named the new campaign “Inception”, have analyzed it as well and revealed that the attackers built their own tools in order to compromise several different kinds of mobile platforms.
Waylon Grange and Snorre Fagerland from Blue Coat Lab noted that the framework is continuously evolving. Blue Coat Lab researchers recently discovered that the attackers have also created malware for iOS and Android devices to gather sensitive and private data from victims, and have likely prepared an MMS phishing operation aimed at individuals’ mobile devices. So far, Blue Coat has identified over 60 mobile providers, including O2, China Mobile, Vodafone, SingTel, T-Mobile and Orange, covered by these preparations, although the real number may be far higher.
Threats and hacking attacks aimed at spying on people’s sensitive information are inevitably spreading across all devices, and there is no secure OS anymore. One way to protect yourself and your data is strong encryption. NordVPN offers exceptional encryption and features such as a no-logs policy, Tor over VPN, double VPN and many more, which can be viewed here, for a low price with additional holiday savings while the festive season lasts!