# Cloud Atlas Maldoc **inquest.net/blog/2022/03/30/cloud-atlas-maldoc** For several weeks, eyes around the world have been set on the war in Ukraine and events that have transpired as a result. The economic sanctions affecting Russian banks and enterprises are some of many consequences that persist as main talking points across international media outlets. This presented yet another opportunity for attackers to leverage this subject for targeted attacks ----- and/or phishing campaigns. We uncovered a very interesting document that was observed impersonating the United States Securities and Exchange Commission. It is our assumption with a high degree of probability that an attacker called Cloud Atlas is responsible for this malicious campaign. File Type Microsoft Excel 2007 Sha-256 [8df0d05c36a64b13869343917076ba8f65604ea1ecde50292f361ad4e34b4b09](https://labs.inquest.net/dfi/sha256/8df0d05c36a64b13869343917076ba8f65604ea1ecde50292f361ad4e34b4b09) The document appears to be a request to obtain data from Russian clients. Image 1. Visual lure. On the date observed, the document had very low detection rates. Contained in the graph below, you can see how document detection changed day by day. ----- Image 2. VT Detection Graph Let's dive into the analysis of this document to examine the payload as well as what techniques are in use. Image 3. Disassembled P-code The purpose of the first stage of the attack, as is often the case, is to retrieve and execute the payload of the next stage. In the image above we find a URL address which points to a ZIP file containing compressed suspicious data to be executed on the system. 2 Stage > hxxps://cvg[.]org/wp-content/uploads/2020/document.zip FileType MSI installer package file Sha 256 ff06cffedc00b97f82005c9768951d0e8c18c63ba36e584aef3c7c9e845e62e0 This sample also shows a low rate of detection after uploading to VirusTotal. ----- Image 4. VirusTotal Graph ff06cffedc00b97f82005c9768951d0e8c18c63ba36e584aef3c7c9e845e62e0 After downloading this installation package, the program starts installing the executable components. The installation file contains a few legitimate files along with one malicious library (main) that is installed in the following directory. %LOCALAPPDATA%\EdgeTools\edgecef.dll Image 5. Contents of the installation package. We believe that this is one of the malicious tools of the Cloud Atlas APT group. It beacons out to a remote server, waiting for further commands. Initially, this sample collects information about the system it is running on, which is then exfiltrated to the remote server. This attacker has been active for many years, identified in 2014, the group is known for using documents to infect government organizations such as embassies or organizations affiliated with the aerospace industry. Indicators: Type Indicator Document 8df0d05c36a64b13869343917076ba8f65604ea1ecde50292f361ad4e34b4b09 MSI ff06cffedc00b97f82005c9768951d0e8c18c63ba36e584aef3c7c9e845e62e0 ----- x86 Dll 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2 C2 driverwindowsupdate[.]at 212.193.48.150 C2 windowsdriverupdate[.]at 212.193.48.150 . Tags [labs in-the-wild threat-hunting](https://inquest.net/taxonomy/term/47) ## Get The InQuest Insider [Find us on Twitter for frequent updates, follow our Blog for bi-weekly technical write-](https://twitter.com/inquest) ups, or subscribe here to receive our monthly newsletter, The InQuest Insider. We curate and provide you with the latest news stories, field notes about innovative malware, novel research / analysis / threat hunting tools, security tips and more. -----