The Dell SonicWall Threats Research team observed reports of an advanced persistent threat Trojan named GAV: Cloudatlas.AAC actively spreading in the wild. Cloud Atlas it’s a highly complex malware that targeted high level executives from the oil and financial industries as well as government organizations.

The Malware tries to resides in the registry as a DLL in the computer’s registry. This mechanism could be used by malicious Visual Basic script that people could download from email attachments as part of received documents or exploit kits such as crafted RTF Stack-based buffer overflow in Microsoft Office XP CVE-2010-3333 and CVE-2012-0158.

Once the target system is compromised, the attacker would control the malware through their free accounts on the Swiss cloud storage company, CloudMe.

Infection Cycle:

Md5: 19ad782b0c58037b60351780b0f43e43 [crafted RTF file]

Md5: D007616DD3B2D52C30C0EBB0937E21B4 [DLL file]

The Trojan adds the following files to the system:

• %windir%ctfmonrn.dll [DLL file]

• %Userprofile%Local SettingsTempHRTODiK.vbs [Visual Basic script]

• %Userprofile%Local Settings Tempdocument.doc [Document file ]

• C:WINDOWSmiditiming [Encrypted file]

The Trojan adds the following key to the Windows registry to ensure persistence upon reboot:

• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun

• regsvr32 “C:WINDOWSctfmonrn.dll” /s /n /i:”i”

The Malware uses RTF Microsoft Office exploit (CVE-2012-0158) which is contains a Visual Basic script with it. The Script didn’t write a PE backdoor on the disk directly. Instead, its drops and execute a Visual Basic script, which in turn dropped the loader and the payload onto the infected system. Each payload is encrypted with a unique key, making it impossible for it to be decrypted without a corresponding dynamic link library file.

Here is a sample of the Crafted RTF File:

When the VBSript is run it drops two files to disk, here is how malware works on target machine:

The malware executes the encoded VBScript to create an auto startup registry key on the target machine:

• Regsvr32 “C:WINDOWSctfmonrn.dll” /s /n /i:”i”

The regsvr32 is responsible for all malware components on the infected system, here is the VBScript Sample:

Also here is the DLL dropper sample:

Malware Traffic

Cloud Atlas has communication over HTTPS and WebDav works with Cloudme.com server.

Cloudme it’s a cloud services provider which offers free and paid Cloud file storage. The attackers created their accounts on the cloud and only using it for storing their files.

There are some files containing system information and other data in the free CloudMe accounts registered by the attackers. Here are some examples of URL Traffic used by malware on Following:

As you can see the Traffic seems to very normal traffic by system services.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

• GAV: Cloudatlas.AAC

The Dell Sonicwall Threats research team received reports of malware that has targeted international diplomatic service agencies. The malware named Red October is part of a large scale cyber-espionage network that has been in existence since 2007. It is designed to steal sensitive information from infected systems. The malware uses GAV: CVE-2012-0158 (Exploit) and GAV: CVE-2010-3333 (Exploit) that exploit known vulnerabilities in unpatched versions of Microsoft Word and Excel. There have also been reports of the malware using Java vulnerabilities: GAV: CVE-2011-3544 (Exploit). It is reported that the Trojan is spread via email and uses infected Word and Excel files.

Infection cycle:

The file containing the exploit may be a legitimate but infected Word or Excel file. In this case it was an Excel file:

After the exploit has run successfully it will cause Excel to display a spreadsheet containing fake corporate data in order to thwart suspicion:

The Trojan adds the following keys to the windows registry:

• HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon Userinit “%WINDIR%system32userinit.exe,%PROGRAMFILES%Windows NTsvchost.exe”
• HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{00000000-6948-B838-A1A0-B0132CCF0BA1} @ “D74C3FB1”
• HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{00000000-7657-A727-BEBF-AF0C33D014BE} @ “C85320AE”

The Trojan adds the following files to the filesystem:

• %PROGRAMFILES%Windows NTlhafd.gcp
• %PROGRAMFILES%Windows NTsvchost.exe [Detected as GAV: Rocra.A (Trojan)]
• %TEMP%msc.bat
• %TEMP%Dsc.tmp [Detected as GAV: Kolab.ABVR (Worm)]

msc.bat contains the following post-infection clean up code:

chcp 1251
:Repeat
attrib -a -s -h -r "%TEMP%Dcs.tmp"
del "%TEMP%Dcs.tmp"
if exist "%TEMP%Dcs.tmp" goto Repeat
del "%TEMP%msc.bat"

The chcp command suggests that the malware is Russian in origin. 1251 is the ANSI codepage for Cyrillic.

The Trojan was observed querying microsoft.com to verify internet connectivity:

The Trojan was observed using the CreateEvent API in order to be alerted of various system events:

The Trojan steals information from the following web browsers:

• Google Chrome
• Mozilla Firefox
• Internet Explorer
• Opera

We observed the Trojan reading data from files written by Firefox that we had installed on the system:

It is widely reported that the Trojan contains the ability to update and add modules from a remote Command & Control server.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

• GAV: Exploit.CVE-2012-0158 (Exploit)
• GAV: Exploit.CVE-2010-3333 (Exploit)
• GAV: Exploit.CVE-2011-3544 (Exploit)
• GAV: Kolab.ABVR (Worm)
• GAV: Rocra.A (Trojan)