# The Continuous Conundrum of Cloud Atlas **[domaintools.com/resources/blog/the-continuous-conundrum-of-cloud-atlas](https://www.domaintools.com/resources/blog/the-continuous-conundrum-of-cloud-atlas)** ## Background [In November 2020, in coordination with researchers from Black Lotus Labs at](https://www.lumen.com/en-us/security/black-lotus-labs.html) [Lumen,](https://www.lumen.com/en-us/home.html) [DomainTools researchers disclosed an ongoing campaign linked to an entity referred to in](https://www.domaintools.com/resources/blog/current-events-to-widespread-campaigns-pivoting-from-samples-to-identify) [industry reporting as “Cloud Atlas” or “Inception.” Cloud Atlas is an interesting entity as it is](https://attack.mitre.org/groups/G0100/) linked to attempted intrusions across multiple conflict zones and state ministries, yet has never been conclusively linked to any known adversary or even a general strategic interest. Since publication in late 2020, DomainTools researchers continued to track Cloud Atlasrelated activity through both infrastructure creation and identified malware samples. While the group’s general behaviors and characteristics remained relatively static, DomainTools researchers identified possible expansion in target areas beyond the group’s typical focus on European countries and parts of the former Soviet Union. ## Identifying New Infrastructure In DomainTools’ original analysis of Cloud Atlas activity, a clear pattern emerged for infrastructure creation used for staging second-stage payloads linked to the group’s malicious documents. Particularly, DomainTools observed the following: ----- Use of consistent domain naming themes such as including the terms office, “update,” or “ms,” with the latter likely designed to spoof Microsoft-related items. Reliance on several European-based hosting providers such as Hostkey and OVH. Various consistencies in registration details, name server use, and Mail Exchange (MX) DNS records. With the above observations, DomainTools identified 18 domains linked to Cloud Atlas at varying degrees of confidence, including seven items not previously linked to the group: **Hosting** **Provider** **Hosting** **Location** **Confi** **Domain** **Create** **Date** **IP Address** ms-template[.]com 19Feb2021 global-policy[.]org 19Feb2021 eurasiaresearch[.]org 18Feb2021 newmsoffice[.]com 15Feb2021 ms-update[.]org 8-Feb2021 wordupdate[.]org 21Dec2020 139.60.161[.]52 Hostkey US High N/A N/A N/A Mediu N/A N/A N/A Mediu 51.38.162[.]234 OVH FR High 5.39.221[.]48 Hostkey NL Mediu 146.0.77[.]90 Hostkey NL High 79.143.87[.]137 Hydra Communications IR High msofficeupdate[.]com 18Dec2020 msofficeupdate[.]com 10Nov2020 msofficeupdate[.]org 20Aug2020 msupdatecheck[.]com 10-Jul2020 185.25.51[.]24 Informacines sistemos ir technologijos LT High 46.30.188[.]236 Quadranet NL High 167.114.44[.]150 OVH CA Mediu ----- **Hosting** **Provider** **Hosting** **Location** **Confi** **Domain** **Create** **Date** **IP Address** newupdate[.]org 4-Jun2020 upgrade-office[.]org 7-Apr2020 upgrade-office[.]com 18Mar2020 update-office[.]com 3-Mar2020 officeupgrade[.]org 29Nov2019 template-new[.]com 27Aug2019 46.183.221[.]141 DataClub BZ Low 66.248.206[.]239 Hostkey NL High 158.69.30[.]205 OVH CA High 192.52.166[.]12 Quadranet US Mediu 66.70.218[.]38 OVH CA High 87.121.98[.]51 Tamatiya BG High 147.135.170[.]193 OVH FR High 198.24.134[.]13 Secured Servers LLC US High ms-check-newupdate[.]com 8-Jul2019 newofficetemplate[.]com 12Jun2019 In addition to the consistent use of “office” and “upgrade” themes, DomainTools identified two items that while linked in terms of registration and hosting characteristics included new naming conventions: ``` global-policy[.]org eurasia-research[.]org ``` Although noticeably different from the group’s typical naming themes, these items overlap with Cloud Atlas’ focus on political and international relations themes, explored in greater detail below. Mapped using DomainTools Iris visualization, the connections between these items and their overlap becomes clear even though the activity spans nearly two years. Note that in the case of some older domains, registration details have changed from when these items were actively used in Cloud Atlas-related activity as they have been reregistered, leading to three apparent “outliers” that under previous registration detail would be closely correlated. ----- With these items identified, DomainTools researchers searched for any documents or malware samples linked to the above domains and related infrastructure. ## Pivoting from Infrastructure to Samples From the list of domains identified in the previous section, DomainTools researchers identified multiple new samples associated with Cloud Atlas activity. The following list includes previously-identified samples as well as seven newly-identified malicious documents, along with associated C2 infrastructure: **MD5** **SHA256** 129ca14849f2b9e1171d241997318ab3 4011b1fff8c088fcb4ac4a05a5a156912162293bb 601c6f7640ea94ee4335299152be36d6 439032cbee22ae75cce7e2340ca7ffe521dce3e1 ----- **MD5** **SHA256** 1ca8b287ea91be2f3d9bb5ad6f27cf34 668236000a483b1735b7f8e244ae867804ee20fb 114cee0e385240c784521641ef5476e7 46c203cf15a4126f10b3933376215063fe385aba 0d5df6bb2b1eee5cc497d6510ba1bc8a 4eb0f1b0c04fc7e845e2ad7c3c84866f3a07586cc 89c625189174b28564b67b92c3a3e55c 94d467e169ed52ff4df5aa7321412a797293f24b0 64481a824b077854a870dcb8c56bc010 21ff553d752df93e10e45d0393eb097d52313467 ded1d4636a2ad6ade4665908f8702e65 07655ebfac8b7e5b2f1c2e661f6a7c16f3ac97df13 b6ab958a703e5977f1334e8c6ab86377 e83f79a6442bc7796d9b6e088d144f1c842f0a47 03382feadb1044abc5d469dccc1590c3 ceb060e6a169ba18e6b204ce9aafc7880fceee9a e744dfa3e039d375eda47c7103dff003 d8f13e6945b6a335382d14a00e35bfefadbdfb625 ab7a77f8a44cc70c6955c2bd099707fe 348b25023c45ed7b777fa6f6f635cb587b8ffbf100 a2f00c5cbd026331053ae1abad0dc85d 93279005aa4c8eddf01020b31bc2b401fe1366cb e963cc1caddfd957d9f7ec78de715de2 e5a4957d0078d0bb679cf3300e15b09795167fdc ----- **MD5** **SHA256** bab23837dfc20743338f8d95b3f1e3b9 7a1effd3cfeecdba57904417c6eeaa7a74d60a761 e00af9b6303460666ae1b4bdeb9503ba 7c495c21c628d37ba2298e4a789ff677867521be 22542d90a4c82005fe70f4b58a815db3 0b116f5b93046c3ce3588bb2453ddbb907d990c2 4ecf8aeed764d7b4da0c8d2abb618760 79c0097e9def5cc0f013ba64c0fd195dae57b04fe b2d173f1eaedf22f6309172882ea68da 68bde4ec00c62ffa51cef3664c5678f1f4985eb605 965e187680297f9e782bdaaca96495c7 1f117d5f398e599887ec92a3f8982751ceb83f2ad 3883e47d8626b12667eab3656a2eeed4 4ad0e64e8ebed1d15fac85cd7439bb345824f03d 9661464bae94391b23f0b01f563e27e7 c630aa8ebd1d989af197a80b4208a9fd981cf40fa c037ee4d91b62627665fa9df82c641ab 7ba76b2311736dbcd4f2817c40dae78f223366f24 2bf501cf34f19b9243528bd35e90df6b 89503c73eadc918bb6f05c023d5bf777fb2a0de1e In addition to the links to identified infrastructure, all of the documents feature the same [template string documented in DomainTools’ previous report:](https://www.domaintools.com/resources/blog/current-events-to-widespread-campaigns-pivoting-from-samples-to-identify) ----- As [previously documented by researchers from Kaspersky, the documents attempt to](https://securelist.com/recent-cloud-atlas-activity/92016/) retrieve and execute an external payload for follow-on execution via PowerShell or VBScript. While the majority of identified samples continue to leverage remote template retrieval via HTTPS, several samples also included Server Message Block (SMB) references direct to an IP address (discussed in greater detail below). Based on previous research, initial payloads from the document can either be malicious script objects to move the infection further along, or scripting objects designed to further validate victims and eliminate forensic artifacts. Complicating analysis, and as noted by other researchers on past activity linked to Cloud Atlas, second-stage links and resources are typically “gated.” Resources are limited to retrieval only from designated locations, likely via IP address allow-listing. As a result, DomainTools has not been able to retrieve any samples of follow-on activity from the above documents directly. ### Possible PowerShell Second-Stage Framework While researching the above items, DomainTools researchers, in conjunction with [researcher Florian Roth, identified a PowerShell script which included references to one of](https://twitter.com/cyb3rops) the domains linked to Cloud Atlas registration activity: ``` Name: rr3.ps1 MD5: 95885b0306642d71f295faa22b1831c0 SHA256: ca2a5c131af2ffb14bea01d458e149e8ad4a6e9c51af8ada6a1aec9d89a8cce4 ``` The script attempts to retrieve a resource from the following location: ----- ``` hXXp://ms check new update[.]com/deeplyset/Framonts/sheintsis/calycophorae/beshackled/parcleanup/cheiliti ``` Although superficially similar to HTTP-based communication from malicious documents, there are notable differences: Document template communication uses encrypted traffic via HTTPS, with domains associated with Sectigo SSL/TLS certificates, while the script communicates via unencrypted HTTP. While the PowerShell request parses the full URI with “/”, the HTTPS beacons from documents consist of a single URI parameter with individual “words” separated by numbers. The differences can be seen by looking at an example of a beacon from a malicious document: ``` hXXps://ms-update[.]org/tanked7inevitable3tricorn8suppuration9t ``` Although domain creation and registration artifacts show similarities between the domain used in the PowerShell script and domains used in malicious document files, differences in use make it difficult for DomainTools to link the identified script to the same cluster of activity (suspected Cloud Atlas) with high confidence. Cloud Atlas-related operations previously used scripting frameworks for a variety of [purposes as part of operations, as documented by researchers from Kaspersky and](https://usa.kaspersky.com/about/press-releases/2019_kaspersky-research-finds-cloud-atlas-apt-ugraded-with-polymorphic-malware) Palo Alto. In previous instances, Cloud Atlas-related scripts performed functions such as the following: Initial victim system reconnaissance and system survey. System data and file collection. Data exfiltration. Anti-analysis and anti-forensics operations. The script object retrieved in this case seems more limited, focusing primarily on creating persistence mechanisms and evading analysis while attempting to download an additional payload. Based on prior analysis of Cloud Atlas-related activity, this iterative nature is not unexpected although the precise persistence mechanisms appear new. For example, the following establishes persistence via a scheduled task: ----- The portion of the script provided below checks for previous retrieval of a follow-on payload and for the presence of a scheduled task (“Display renovation”), while also modifying system parameters via the Windows Registry to “hide” the taskeng.exe window through a hard-coded placement value off-screen. Since taskeng.exe will launch a window (even if momentarily), the above will “hide” this aspect of execution. The technique is superficially similar to one previously documented by researchers, and [deployed in Cloud Atlas-related activity.](https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/) Finally, the script contains a function to eliminate Temporary Internet Files artifacts associated with script execution: ----- Based on descriptions in previous work from Kaspersky and Palo Alto, the above appears more limited in functionality than earlier Cloud Atlas-linked script objects. However, without actual possession of such scripts for comparison, degree of similarity (or difference) is not possible to determine with the information currently available. Overall, the retrieved script features many overlaps with behaviors documented by other researchers and linked to Cloud Atlas in 2018 (Palo Alto) and 2019 (Kaspersky). While previous analysis indicates Cloud Atlas-related activity will frequently re-use or maintain capabilities for many years, the appearance of this script two years after public documentation, combined with inexact replication of previously-documented capabilities and the network communication items described previously, would argue for some caution in definitively linking this file to the Cloud Atlas cluster of behaviors. While the overlaps certainly exist, and associated network infrastructure ties in to documented, recent Cloud Atlas tendencies, DomainTools associates the above with this behavioral cluster with medium confidence at this time for the reasons noted above. ## Adversary Themes and Possible Motivations Moving away from the scripting object which is likely—although not definitively—linked to Cloud Atlas behaviors, the overall themes as well as probable geographic targeting of the observed malicious documents largely align with previously documented activity from this entity. Examining items discovered from December 2020 through February 2021, DomainTools identified the following “themes” or lures: [A document purportedly from the European Union Institute for Security Studies](https://www.iss.europa.eu/) (EUISS) on common defense questions for the European Union, likely appearing in France. A document from the “Ministry of Labor and Social Policy” of the unrecognized Ukrainian breakaway region known as the Luhansk People’s Republic, submitted from Ukraine. ----- An agenda for a training course on customs regulation from the Belarusian Trade and Industrial Chamber,” identified in Belarus. A news bulletin concerning Belarusian adoption of an International Atomic Energy Association (IAEA) action plan for the development of nuclear energy, first identified in Russia. A document concerning the creation of a common natural gas market within the [Eurasian Economic Union (EAEU), submitted from Uzbekistan.](http://www.eaeunion.org/?lang=en) [A listing of personnel allegedly belonging to the SPBT Almaz special anti-terrorist unit](https://en.wikipedia.org/wiki/Almaz_(Special_unit)) of the Belarussian security forces, first seen in Belarus. [The items continue targeting trends and lure themes observed in late 2020:](https://www.domaintools.com/resources/blog/current-events-to-widespread-campaigns-pivoting-from-samples-to-identify) Primary focus on countries formerly part of the Soviet Union with an emphasis on energy and political themes. ----- Particular focus on the unrecognized breakaway regions of Ukraine such as Luhansk as well as Donetsk. Additional targeting of Western European and NATO-related defense interests. Based on the observed activities, lures, and likely geographic targeting, DomainTools assesses with high confidence that the campaigns in question form part of unspecified espionage operations. While further speculation on particular attribution is possible, insufficient technical evidence exists that would allow DomainTools to attribute this activity to any distinct entity or country. ### Outlier Samples Adding pause to the question of attribution are two similarly-structured but outlier samples both in technical behavior and targeting. Whereas the majority of the malicious documents using the same template string spawn communication via HTTPS for follow-on payload retrieval, two items (one of which has several variants with identical functionality and document content) instead utilize communication to resources via SMB, such as the following: ``` \\185.70.184[.]32\soarnegroidmeanalkydapresowntipslushing[.]png \\139.60.161[.]74\appalcanedentrecentlyconvergenting[.]png ``` In addition to the difference in protocol, the naming convention (one long string of text without dividing numbers) and use of a file extension (PNG) are also different from other samples. DomainTools researchers were unsuccessful in attempting to retrieve the PNG objects referenced, making further analysis not possible at this time. While domain links are not possible on these items, referenced IP addresses do at least conform to hosting practices used by recent Cloud Atlas-linked activity: favoring specific providers largely located and operating in Europe. Technical observations aside, the “themes” of the documents were also different, reflecting the following topics: The [Pensacola shooting that was later linked by US authorities to Al Qaeda](https://www.nytimes.com/2020/05/18/us/politics/justice-department-al-qaeda-florida-naval-base-shooting.html) operations. A travel form linked to COVID-19 precautions for travelers to the United Kingdom. ----- While the COVID-19 form at least appears to originate in Europe, the Pensacola shooting document first appears in the Middle East. While researchers previously identified Cloud Atlas-linked activity in Central Asia, publicly available information contains no references to operations in the Gulf region, where this item appears to have originated. Overall, these documents retain the template string unifying all observed items since 2019, but otherwise appear to differ in behaviors, themes, and possible targeting. At this time, insufficient evidence exists to determine if these items represent a closely-linked, but operationally independent, group to Cloud Atlas with access to similar tools, or merely variations on common delivery vectors ultimately leading to the same payloads. ## Conclusion ----- DomainTools researchers continue to track activity of interest through sustained monitoring of known malicious infrastructure creation tendencies. Through this work, DomainTools researchers identified persistent activity linked to previous analysis of initial access activity associated with an entity referred to as Cloud Atlas. While some parts of this entity’s operations have shifted in the past six months of tracking them, overall this group continues to exhibit common tendencies in both infrastructure registration and malicious document design. By identifying these fundamental behaviors linked to a known threat actor, network defenders and threat intelligence analysts can keep pace with adversaries over time. While DomainTools anticipates eventual alterations in this group’s activity due to public scrutiny, the likelihood that all aspects of this group’s operations (network infrastructure, malicious document format, and possibly scripting behaviors) will change simultaneously is rather low. Through incorporation of appropriate monitoring and tracking strategies linked with this threat’s fundamental behaviors, defenders can ensure continuous coverage against this actor moving forward. -----