{"id":15041,"date":"2014-12-15T19:19:37","date_gmt":"2014-12-15T19:19:37","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3428"},"modified":"2020-02-27T03:52:05","modified_gmt":"2020-02-26T16:52:05","slug":"partly-cloudy-october-a-spiritual-successor-to-redoctober-apt-revealed","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/partly-cloudy-october-a-spiritual-successor-to-redoctober-apt-revealed\/15041\/","title":{"rendered":"Partly Cloudy October: a spiritual successor to RedOctober APT revealed"},"content":{"rendered":"<p>Kaspersky Lab\u2019s Global Research &amp; Analysis Team (GReAT) has just disclosed the details of months-long monitoring of a new APT codenamed \u201c<a href=\"https:\/\/securelist.com\/blog\/research\/68083\/cloud-atlas-redoctober-apt-is-back-in-style\/\" target=\"_blank\" rel=\"noopener\">Cloud Atlas<\/a>\u201d, after the 2012 film by the Wachowskis and Tom Tykwer. This complex cyber-espionage operation is the \u201cspiritual successor\u201d <a href=\"https:\/\/securelist.com\/analysis\/publications\/36740\/red-october-diplomatic-cyber-attacks-investigation\/#8\" target=\"_blank\" rel=\"noopener\">to the RedOctober campaign<\/a>, and most likely has the same people behind it.<\/p>\n<p>The RedOctober operation was hastily wrapped up just after Kaspersky Lab\u2019s publication in January 2013. Given its global scope and the large investment behind the campaign, there was no reason to expect RedOctober to go away for good.<\/p>\n<p>Cloud Atlas was first detected in August 2014. 
Some Kaspersky Lab product users observed targeted attacks using a variation of the <a href=\"https:\/\/technet.microsoft.com\/library\/security\/ms12-027\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2012-0158<\/a> exploit together with an unusual set of malware.<\/p>\n<p>That vulnerability sits in the Windows Common Controls (MSCOMCTL.OCX) and allows remote code execution when a crafted document is opened. It affected a large number of Microsoft products: 32-bit versions of Microsoft Office 2003, 2007 and 2010, Microsoft SQL Server 2000, 2005, 2008 and 2008 R2, Visual FoxPro, the Visual Basic 6.0 Runtime and several Microsoft server products. This is a large attack surface. Cloud Atlas\u2019 initial attack vector, however, was spear-phishing with Microsoft Word documents (in the legacy .doc format). Most of the decoy documents listed by GReAT have Russian names, but one of them \u2013 the one that first raised the suspicion that Cloud Atlas may be related to RedOctober \u2013 is named \u201cCar for sale.doc\u201d. 
RedOctober used \u201cDiplomatic Car for Sale.doc\u201d.<\/p>\n<p>Further analysis supported the theory: there are multiple technical similarities suggesting that, most likely, the people who built the RedOctober malware tools also built those used by Cloud Atlas.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/12\/06020223\/wide-21-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-3430\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/12\/06020223\/wide-21-1.png\" alt=\"wide-2\" width=\"950\" height=\"600\"><\/a><\/p>\n<p><strong>Similarities:<\/strong><\/p>\n<ul>\n<li>Both the Cloud Atlas and RedOctober implants rely on a similar construct: a loader plus a final payload that is stored encrypted and compressed in an external file. The two use different encryption algorithms, however.<\/li>\n<li>Both share the same LZMA compression code. In Cloud Atlas it compresses the logs and decompresses the decrypted payload received from the C&amp;C servers; in RedOctober the \u201cscheduler\u201d plugin uses it to decompress executable payloads from the C&amp;C. The implementation is identical in both modules, although it is invoked slightly differently.<\/li>\n<li>Binaries for both RedOctober and Cloud Atlas appear to have been compiled with the same version of Microsoft Visual Studio, down to the build number, and with similar project configurations.<\/li>\n<li>There is a distinct target overlap between RedOctober and Cloud Atlas, with most of the targets of both located in Russia and Kazakhstan.<\/li>\n<\/ul>\n<p>The most distinctive feature of Cloud Atlas is that the exploit does not write the backdoor to disk directly. 
Instead, it places an encrypted Visual Basic script on the host; that script drops a polymorphic loader and an encrypted payload whose file name is different on every infection. A value is also added under HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run to ensure persistence, so the implant is started again at every logon of the infected user.<\/p>\n<p>Cloud Atlas is indeed a continuation of RedOctober: a large-scale cyber-espionage operation targeting the same kinds of entities \u2013 military, diplomatic and so on.<\/p>\n<p>This APT campaign may also pose a threat to businesses closely associated with the targeted entities, since they may be used as a source of additional \u201cleverage\u201d data for future spear-phishing. More distressing is that APT methods and techniques will soon not be limited to <a href=\"https:\/\/business.kaspersky.com\/cyber-espionage-the-scale-and-collateral-damage\/1534\" target=\"_blank\" rel=\"noopener nofollow\">cyber espionage (of an apparently political nature)<\/a>: Kaspersky Lab\u2019s GReAT expects <a href=\"https:\/\/business.kaspersky.com\/the-crystal-ball-of-facts-2015-apt-predictions\/3417\" target=\"_blank\" rel=\"noopener nofollow\">at least some degree of \u201cmerger\u201d between APT and more \u201ccommon\u201d cybercrime in the near future<\/a>. 
We recommend that IT staff pay close attention to APTs even if their employers have no connection with the industries targeted today.<\/p>\n<p>A detailed technical report is available <a href=\"https:\/\/securelist.com\/blog\/research\/68083\/cloud-atlas-redoctober-apt-is-back-in-style\/\" target=\"_blank\" rel=\"noopener\">on Securelist<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The RedOctober operation was hastily wrapped up just after Kaspersky Lab&#8217;s publication in January 2013, but it was expected to return. And it did.<\/p>\n","protected":false},"author":209,"featured_media":15818,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2994],"tags":[2258,2259,282,2260],"class_list":{"0":"post-15041","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-apts","10":"tag-cloud-atlas","11":"tag-cybersecurity","12":"tag-redoctober"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/partly-cloudy-october-a-spiritual-successor-to-redoctober-apt-revealed\/15041\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/partly-cloudy-october-a-spiritual-successor-to-redoctober-apt-revealed\/15041\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/partly-cloudy-october-a-spiritual-successor-to-redoctober-apt-revealed\/15041\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/apts\/","name":"APTs"}}
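Added example (not code from the original post or from Kaspersky's report): the third similarity listed above, binaries compiled with the same Visual Studio build, is the kind of claim that can be checked directly from two PE files. The script below reads the linker version from the PE optional header and decodes the Rich header, the XOR-masked list of (product id, build number, object count) entries that the MSVC linker writes between the DOS stub and the PE signature, then compares the tool builds of two images. The PE images it parses are constructed inline by build_sample_pe, and the product ids and build numbers are illustrative; they are not taken from Cloud Atlas or RedOctober samples.

```python
import struct

DANS = 0x536E6144  # "DanS" marker that opens the Rich header


def linker_version(pe: bytes):
    """Return (MajorLinkerVersion, MinorLinkerVersion) from the PE optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the PE signature and the 20-byte COFF file header
    magic, major, minor = struct.unpack_from("<HBB", pe, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic %#x" % magic)
    return major, minor


def rich_header(pe: bytes):
    """Decode the Rich header into a list of (product_id, build, count) tuples.

    Layout: DanS^key, three 0^key padding words, (comp_id^key, count^key) pairs,
    the literal "Rich", then the 32-bit key in the clear. comp_id carries the tool's
    product id in its high 16 bits and the tool's build number in the low 16 bits.
    Returns [] when the image carries no Rich header (e.g. not linked by MSVC).
    """
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    rich_at = pe.rfind(b"Rich", 0, e_lfanew)  # header must precede the PE signature
    if rich_at < 0 or rich_at + 8 > len(pe):
        return []
    key = struct.unpack_from("<I", pe, rich_at + 4)[0]
    words, pos = [], rich_at - 4
    while pos >= 0:  # walk backwards, unmasking, until the DanS marker appears
        w = struct.unpack_from("<I", pe, pos)[0] ^ key
        words.insert(0, w)
        if w == DANS:
            break
        pos -= 4
    else:
        return []  # reached the start of the file without finding DanS
    pairs = words[4:]  # drop DanS and the three padding words
    return [((pairs[i] >> 16) & 0xFFFF, pairs[i] & 0xFFFF, pairs[i + 1])
            for i in range(0, len(pairs) - 1, 2)]


def toolchain_fingerprint(pe: bytes):
    """Linker version plus the set of (product_id, build) pairs. Object counts are
    dropped on purpose: they depend on the project, not on the build environment."""
    return {"linker": linker_version(pe),
            "tools": frozenset((prod, build) for prod, build, _ in rich_header(pe))}


def compare_toolchains(pe_a: bytes, pe_b: bytes):
    """Return (same_linker, shared_tool_builds, only_in_a, only_in_b)."""
    fa, fb = toolchain_fingerprint(pe_a), toolchain_fingerprint(pe_b)
    return (fa["linker"] == fb["linker"], sorted(fa["tools"] & fb["tools"]),
            sorted(fa["tools"] - fb["tools"]), sorted(fb["tools"] - fa["tools"]))


def build_sample_pe(linker, rich_entries, key=0x1D2C3B4A):
    """Constructed test input: a minimal, non-loadable PE image with just enough
    structure (DOS header, Rich header, PE signature, COFF header, start of the
    optional header) for the parsers above. Real samples would be read from disk."""
    words = [DANS, 0, 0, 0]
    for prod, build, count in rich_entries:
        words += [(prod << 16) | build, count]
    rich = b"".join(struct.pack("<I", w ^ key) for w in words) + b"Rich" + struct.pack("<I", key)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40 + len(rich))  # e_lfanew: PE signature offset
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)  # i386, no sections
    opt = struct.pack("<HBB", 0x10B, linker[0], linker[1]) + bytes(0xE0 - 4)
    return bytes(dos) + rich + b"PE\0\0" + coff + opt


# Illustrative product ids and builds (constructed; not values from either campaign).
SAMPLE_A = build_sample_pe((10, 0), [(0x9E, 30319, 17), (0x9D, 30319, 4), (0x83, 30319, 2)])
SAMPLE_B = build_sample_pe((10, 0), [(0x9E, 30319, 41), (0x9D, 30319, 9), (0x83, 30319, 2)])
SAMPLE_C = build_sample_pe((9, 0), [(0x83, 21022, 3), (0x84, 21022, 6)])

if __name__ == "__main__":
    for name, other in (("B", SAMPLE_B), ("C", SAMPLE_C)):
        same_linker, shared, only_a, only_other = compare_toolchains(SAMPLE_A, other)
        print("A vs %s: same linker=%s shared builds=%s only A=%s only %s=%s"
              % (name, same_linker, shared, only_a, name, only_other))
```

On real samples the two images would be read from disk. An identical linker version and an identical set of tool builds is consistent with a shared build environment, but it is circumstantial: the same Visual Studio release was used by a great many developers, so this check supports attribution only alongside code-level overlaps like the shared LZMA implementation.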
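Added example (not from the original post): the Run-key persistence described above is easy to triage from a registry export. The script below parses the HKCU Run key out of a .reg export, splits each command line and flags values that combine a script host such as wscript.exe with content under a user-writable directory or a random-looking name, which is what an encrypted VBS dropping a differently named loader tends to look like from the registry side. The .reg text is constructed, the heuristics and the two-reason threshold are assumptions of this example that need tuning per environment, and nothing here is a signature for Cloud Atlas itself.

```python
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Interpreters that a script-plus-loader persistence chain needs at logon. A Run value
# that launches one of these (rather than a signed application) deserves a second look.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
                "regsvr32.exe", "powershell.exe", "cmd.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

_REG_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_values(reg_text, key=RUN_KEY):
    """Return {value_name: command} for the REG_SZ values under `key` in a .reg export.
    Non-string values (hex:, dword:) and other keys are ignored."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
        elif in_key:
            m = _REG_LINE.match(line)
            if m and m.group(2).startswith('"') and m.group(2).endswith('"'):
                values[_unescape(m.group(1))] = _unescape(m.group(2)[1:-1])
    return values


def split_command(cmd):
    """Split a Windows command line into (executable, arguments), honouring a quoted exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args


def looks_random(name):
    """Crude test for machine-generated names: alphanumeric, six or more letters,
    and almost no vowels. Assumption of this example, not a vetted classifier."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6 or not name.isalnum():
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def assess_run_values(values):
    """Return {value_name: [reasons]}; an empty list means nothing stood out."""
    findings = {}
    for name, cmd in values.items():
        exe, args = split_command(cmd)
        reasons = []
        if PureWindowsPath(exe).name.lower() in SCRIPT_HOSTS:
            reasons.append("script host or LOLBin used as launcher")
        if any(w in cmd.lower() for w in USER_WRITABLE):
            reasons.append("runs content from a user-writable directory")
        # Arguments are tokenised naively on whitespace; switches (/x, -x) are skipped.
        arg_stems = [PureWindowsPath(p.strip('"')).stem
                     for p in args.split() if not p.startswith(("/", "-"))]
        if looks_random(name) or any(looks_random(s) for s in arg_stems):
            reasons.append("random-looking value or file name")
        findings[name] = reasons
    return findings


def suspicious(values, min_reasons=2):
    """Names of Run values with at least `min_reasons` findings (threshold is an assumption)."""
    return sorted(n for n, r in assess_run_values(values).items() if len(r) >= min_reasons)


# Constructed .reg export: two ordinary entries, one that matches the pattern, a hex value
# that must be skipped, and a RunOnce entry that is outside the key being checked.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"qmxtrvl"="wscript.exe //B \"C:\\Users\\alice\\AppData\\Roaming\\hgqtxvr.vbs\""
"Telemetry"=hex:01,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="cmd.exe /c del C:\\Users\\alice\\AppData\\Local\\Temp\\x.tmp"
'''

if __name__ == "__main__":
    for name, reasons in assess_run_values(parse_run_values(SAMPLE_REG)).items():
        print("%-15s %s" % (name, "; ".join(reasons) or "nothing unusual"))
```

Note that the legitimate OneDrive entry also lives under AppData, which is why a single reason is not enough to flag a value: the combination of a script host, a user-writable path and a meaningless name is what makes the third entry stand out. The export itself comes from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` on the host under review.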