{ "type": "bundle", "id": "bundle--5d52daab-6db4-45f1-9fdf-45fc950d210f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-08-13T15:49:50.000Z", "modified": "2019-08-13T15:49:50.000Z", "name": "CIRCL", "identity_class": "organization" }, { "type": "report", "spec_version": "2.1", "id": "report--5d52daab-6db4-45f1-9fdf-45fc950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-08-13T15:49:50.000Z", "modified": "2019-08-13T15:49:50.000Z", "name": "OSINT - Recent Cloud Atlas activity", "published": "2019-08-13T15:51:03Z", "object_refs": [ "observed-data--5d52dab9-91b4-4681-b2a4-4fa3950d210f", "url--5d52dab9-91b4-4681-b2a4-4fa3950d210f", "indicator--5d52dad3-1a4c-4e3c-ad5f-45cd950d210f", "indicator--5d52dad3-99f4-4d81-9017-4798950d210f", "indicator--5d52db40-b340-4f34-a367-4f79950d210f", "indicator--5d52db41-6994-4005-bb07-455c950d210f", "indicator--5d52db41-bcc0-407f-b3fb-4e09950d210f", "indicator--5d52db41-3318-4291-8533-40e4950d210f", "indicator--5d52db41-8ca4-430d-8723-4624950d210f", "x-misp-attribute--5d52dbca-c114-4216-9ae8-4c40950d210f" ], "labels": [ "Threat-Report", "misp:tool=\"MISP-STIX-Converter\"", "type:OSINT", "osint:lifetime=\"perpetual\"", "osint:certainty=\"50\"", "misp-galaxy:threat-actor=\"Cloud Atlas\"" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5d52dab9-91b4-4681-b2a4-4fa3950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-08-13T15:43:53.000Z", "modified": "2019-08-13T15:43:53.000Z", "first_observed": "2019-08-13T15:43:53Z", "last_observed": "2019-08-13T15:43:53Z", "number_observed": 1, "object_refs": [ "url--5d52dab9-91b4-4681-b2a4-4fa3950d210f" ], "labels": [ "misp:type=\"link\"", "misp:category=\"External analysis\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5d52dab9-91b4-4681-b2a4-4fa3950d210f", "value": "https://securelist.com/recent-cloud-atlas-activity/92016/" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d52dad3-1a4c-4e3c-ad5f-45cd950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-08-13T15:44:19.000Z", "modified": "2019-08-13T15:44:19.000Z", "description": "VBShower C2s", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '176.31.59.232']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-08-13T15:44:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d52dad3-99f4-4d81-9017-4798950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-08-13T15:44:19.000Z", "modified": "2019-08-13T15:44:19.000Z", "description": "VBShower C2s", "pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '144.217.174.57']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-08-13T15:44:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Network activity" } ], "labels": [ "misp:type=\"ip-dst\"", "misp:category=\"Network activity\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d52db40-b340-4f34-a367-4f79950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-08-13T15:46:33.000Z", "modified": "2019-08-13T15:46:33.000Z", "description": "Some emails used by the attackers", "pattern": "[email-message:from_ref.value = 'infocentre.gov@mail.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-08-13T15:46:33Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d52db41-6994-4005-bb07-455c950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-08-13T15:46:30.000Z", "modified": "2019-08-13T15:46:30.000Z", "description": "Some emails used by the attackers", "pattern": "[email-message:from_ref.value = 'middleeasteye@asia.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-08-13T15:46:30Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d52db41-bcc0-407f-b3fb-4e09950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-08-13T15:46:19.000Z", "modified": "2019-08-13T15:46:19.000Z", "description": "Some emails used by the attackers", "pattern": "[email-message:from_ref.value = 'simbf2019@mail.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-08-13T15:46:19Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d52db41-3318-4291-8533-40e4950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-08-13T15:46:22.000Z", "modified": "2019-08-13T15:46:22.000Z", "description": "Some emails used by the attackers", "pattern": "[email-message:from_ref.value = 'world_overview@politician.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-08-13T15:46:22Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d52db41-8ca4-430d-8723-4624950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-08-13T15:46:25.000Z", "modified": "2019-08-13T15:46:25.000Z", "description": "Some emails used by the attackers", "pattern": "[email-message:from_ref.value = 'infocentre.gov@bk.ru']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2019-08-13T15:46:25Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "Payload delivery" } ], "labels": [ "misp:type=\"email-src\"", "misp:category=\"Payload delivery\"", "misp:to_ids=\"True\"" ] }, { "type": "x-misp-attribute", "spec_version": "2.1", "id": "x-misp-attribute--5d52dbca-c114-4216-9ae8-4c40950d210f", "created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f", "created": "2019-08-13T15:48:26.000Z", "modified": "2019-08-13T15:48:26.000Z", "labels": [ "misp:type=\"text\"", "misp:category=\"External analysis\"" ], "x_misp_category": "External analysis", "x_misp_type": "text", "x_misp_value": "Also known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. We first reported Cloud Atlas in 2014 and we\u00e2\u20ac\u2122ve been following its activities ever since.\r\n\r\nFrom the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts.\r\n\r\nCountries targeted by Cloud Atlas recently\r\n\r\nCloud Atlas hasn\u00e2\u20ac\u2122t changed its TTPs (Tactic Tools and Procedures) since 2018 and is still relying on its effective existing tactics and malware in order to compromise high value targets.\r\n\r\nThe Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high profile victims. These emails are crafted with Office documents that use malicious remote templates \u00e2\u20ac\u201c whitelisted per victims \u00e2\u20ac\u201c hosted on remote servers. We described one of the techniques used by Cloud Atlas in 2017 and our colleagues at Palo Alto Networks also wrote about it in November 2018.\r\n\r\nPreviously, Cloud Atlas dropped its \u00e2\u20ac\u0153validator\u00e2\u20ac\u009d implant named \u00e2\u20ac\u0153PowerShower\u00e2\u20ac\u009d directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. During recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed five years ago in our first blogpost about them and which remains unchanged." }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } } ] }