According to the Russian cybersecurity company F.A.C.C.T. (a spinout of the Singapore-based Group-IB), Russian agro-industrial and state-owned research organizations have been targeted in a phishing scheme presenting the following characteristics:
Leveraging popular Russian email providers for registration of phishing email addresses, including yandex[.]ru and mail[.]ru.
Malicious attachments included rich text format (RTF) files presenting lure themes consistent with the military recruitment and the Special Volunteer Organization involved in supplying manpower for the Russian invasion of Ukraine.
The phishing emails present exploits downloading and executing a malicious HTML application (HTA). The latter is responsible for enabling exploitation of CVE-2017-11822, an old Microsoft Office vulnerability which enables a potential malicious attacker to download arbitrary files to the compromised machine without further user interaction. The same vulnerability has been recently reported in connection to distribution of the Agent Tesla trojan
The HTA downloads from a remote server malicious visual basic scripts.
The attack enables typical espionage-like capabilities including keylogging and data exfiltration based on prior reports concerning Cloud Atlas.
Cloud Atlas has been active since 2014 and is an advanced persistent threat (APT) consistent with a polymorphous malware that has been historically employed to target government and financial organizations in Russia, Belarus, Turkey, Azerbaijan and Slovenia. However, there have been reports of events across North Africa, Middle East, Asia and the United States as well. Cloud Atlas is generally presented as a non-state-sponsored APT. However, the modus operandi and the victimology may be linked to an unknown government.