The Cloud Atlas APT (Advanced Persistent Threat) group (also known as APT41) continues to threaten users in India, Russia, Belarus, the Czech Republic, Bulgaria, Turkey, Belgium, and the United States. Its primary targets are religious organizations, companies operating in the aerospace industry, and government bodies. The group’s activities have been tracked since 2014, and it has introduced a fair number of cyber-threats over its five years of activity. One of the notable Backdoor Trojans that the group relied on frequently is PowerShower, a simple backdoor that enables the attacker to launch VBS and PowerShell components on the compromised host. However, this tool appears to have been replaced by a revamped and improved version that goes by the name VBShower – PowerShower is still used, but the Cloud Atlas group now seems to reserve its features for later stages of the attack.
Cloud Atlas’ Backdoor Covers Its Tracks before Taking Part in Harmful Behavior
Several things make VBShower stand out as a major threat that may be able to evade antivirus solutions. When the VBShower backdoor is deployed to a computer (usually via a malicious macro embedded in a Microsoft Office document), it starts by wiping all temporary files in Microsoft Word’s directory under %APPDATA%. Then it applies a basic change to the Windows Registry to grant itself persistence. After this, it connects to the remote Command & Control server and waits for instructions – the Cloud Atlas group appears to send VBS modules to execute every hour.
Polymorphic Structure Assists VBShower’s Attempts to Evade AV Tools
Cybersecurity experts were surprised to see that the VBShower backdoor has a polymorphic structure – every sample is seen as a ‘unique’ file by antivirus software, which makes it difficult to detect its harmful traits automatically by signature alone. So far, VBShower has been used by Cloud Atlas to push two pieces of malware – the PowerShower backdoor and an uncategorized backdoor Trojan.
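Because each VBShower sample hashes differently, a defender has to key on the behaviour chain described above (Office spawning a script host, Word temp files being wiped under %APPDATA%, a Registry persistence entry, an hourly C2 poll) rather than on file signatures. The following is an added example, not code from the original article or from any vendor: a small behaviour correlator run over constructed Sysmon-style event records. The event format, the specific Run key checked (the article only says "a basic change to the Windows Registry"), and the two-indicator threshold are all assumptions of this example.

```python
import json
import re
from collections import defaultdict

# Constructed, Sysmon-style event records for the demo; not real VBShower telemetry.
SAMPLE_EVENTS = r"""
{"host":"ws01","type":"process","parent":"WINWORD.EXE","image":"wscript.exe","cmdline":"wscript.exe //B C:\\Users\\u\\AppData\\Roaming\\stage.vbs"}
{"host":"ws01","type":"file_delete","image":"wscript.exe","path":"C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Word\\~WRD0001.tmp"}
{"host":"ws01","type":"registry_set","image":"wscript.exe","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd","value":"wscript.exe //B C:\\Users\\u\\AppData\\Roaming\\stage.vbs"}
{"host":"ws02","type":"process","parent":"explorer.exe","image":"wscript.exe","cmdline":"wscript.exe C:\\Tools\\backup.vbs"}
"""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
WORD_TEMP = re.compile(r"\\appdata\\roaming\\microsoft\\word\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)  # assumed persistence location, not stated by the article


def check_event(ev):
    """Return the name of the VBShower-like behaviour this event matches, or None."""
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    if ev["type"] == "process" and parent in OFFICE and image in SCRIPT_HOSTS:
        return "office_spawned_script_host"  # macro-based delivery
    if ev["type"] == "file_delete" and image in SCRIPT_HOSTS and WORD_TEMP.search(ev.get("path", "")):
        return "script_host_wiped_word_temp"  # anti-forensic cleanup of Word temp files
    if ev["type"] == "registry_set" and RUN_KEY.search(ev.get("key", "")) and ".vbs" in ev.get("value", "").lower():
        return "run_key_points_to_vbs"  # persistence via a VBS launcher
    return None


def analyse(raw, min_indicators=2):
    """Group matches per host; flag a host when at least min_indicators distinct behaviours fire."""
    hits = defaultdict(set)
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        tag = check_event(ev)
        if tag:
            hits[ev["host"]].add(tag)
    return {h: sorted(t) for h, t in hits.items() if len(t) >= min_indicators}


if __name__ == "__main__":
    for host, tags in analyse(SAMPLE_EVENTS).items():
        print(host, tags)
```

Requiring two independent indicators keeps a lone administrative `wscript.exe` launch (host ws02) from alerting, while the full delivery, cleanup and persistence chain on ws01 is flagged regardless of the sample's hash.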
As usual, the best way to protect computers from threats of this sort is to avoid downloading suspicious files, especially if they come from untrustworthy sources. Naturally, you should also make use of the protection services offered by the top anti-malware products.