Cloudatlas: an advanced persistent threat spreading in the wild

December 24, 2014

The Dell SonicWall Threats Research team observed reports of an advanced persistent threat Trojan named GAV: Cloudatlas.AAC actively spreading in the wild. Cloud Atlas it's a highly complex malware that targeted high level executives from the oil and financial industries as well as government organizations.

The Malware tries to resides in the registry as a DLL in the computer's registry. This mechanism could be used by malicious Visual Basic script that people could download from email attachments as part of received documents or exploit kits such as crafted RTF Stack-based buffer overflow in Microsoft Office XP CVE-2010-3333 and CVE-2012-0158.

Once the target system is compromised, the attacker would control the malware through their free accounts on the Swiss cloud storage company, CloudMe.

Infection Cycle:

Md5: 19ad782b0c58037b60351780b0f43e43 [crafted RTF file]

Md5: D007616DD3B2D52C30C0EBB0937E21B4 [DLL file]

The Trojan adds the following files to the system:

  • %windir%ctfmonrn.dll [DLL file]
  • %Userprofile%Local SettingsTempHRTODiK.vbs [Visual Basic script]
  • %Userprofile%Local Settings Tempdocument.doc [Document file ]
  • C:WINDOWSmiditiming [Encrypted file]

The Trojan adds the following key to the Windows registry to ensure persistence upon reboot:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
  • regsvr32 "C:WINDOWSctfmonrn.dll" /s /n /i:"i"

The Malware uses RTF Microsoft Office exploit (CVE-2012-0158) which is contains a Visual Basic script with it. The Script didn't write a PE backdoor on the disk directly. Instead, its drops and execute a Visual Basic script, which in turn dropped the loader and the payload onto the infected system. Each payload is encrypted with a unique key, making it impossible for it to be decrypted without a corresponding dynamic link library file.

Here is a sample of the Crafted RTF File:

When the VBSript is run it drops two files to disk, here is how malware works on target machine:

The malware executes the encoded VBScript to create an auto startup registry key on the target machine:

  • Regsvr32 "C:WINDOWSctfmonrn.dll" /s /n /i:"i"

The regsvr32 is responsible for all malware components on the infected system, here is the VBScript Sample:

Also here is the DLL dropper sample:

Malware Traffic

Cloud Atlas has communication over HTTPS and WebDav works with Cloudme.com server.

Cloudme it's a cloud services provider which offers free and paid Cloud file storage. The attackers created their accounts on the cloud and only using it for storing their files.

There are some files containing system information and other data in the free CloudMe accounts registered by the attackers. Here are some examples of URL Traffic used by malware on Following:

As you can see the Traffic seems to very normal traffic by system services.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Cloudatlas.AAC