background imagen blue and red lines

Background

In November 2020, in coordination with researchers from Black Lotus Labs at Lumen, DomainTools researchers disclosed an ongoing campaign linked to an entity referred to in industry reporting as “Cloud Atlas” or “Inception.” Cloud Atlas is an interesting entity as it is linked to attempted intrusions across multiple conflict zones and state ministries, yet has never been conclusively linked to any known adversary or even a general strategic interest.

Since publication in late 2020, DomainTools researchers continued to track Cloud Atlas-related activity through both infrastructure creation and identified malware samples. While the group’s general behaviors and characteristics remained relatively static, DomainTools researchers identified possible expansion in target areas beyond the group’s typical focus on European countries and parts of the former Soviet Union.

Identifying New Infrastructure

In DomainTools’ original analysis of Cloud Atlas activity, a clear pattern emerged for infrastructure creation used for staging second-stage payloads linked to the group’s malicious documents. Particularly, DomainTools observed the following:

  • Use of consistent domain naming “themes” such as including the terms “office,” “update,” or “ms,” with the latter likely designed to spoof Microsoft-related items.
  • Reliance on several European-based hosting providers such as Hostkey and OVH.
  • Various consistencies in registration details, name server use, and Mail Exchange (MX) DNS records.

With the above observations, DomainTools identified 18 domains linked to Cloud Atlas at varying degrees of confidence, including seven items not previously linked to the group:

DomainCreate DateIP AddressHosting ProviderHosting LocationConfidence
ms-template[.]com19-Feb-2021139.60.161[.]52HostkeyUSHigh
global-policy[.]org19-Feb-2021N/AN/AN/AMedium
eurasia-research[.]org18-Feb-2021N/AN/AN/AMedium
newmsoffice[.]com15-Feb-202151.38.162[.]234OVHFRHigh
ms-update[.]org8-Feb-202179.143.87[.]137Hydra CommunicationsIRHigh
wordupdate[.]org21-Dec-20205.39.221[.]48HostkeyNLMedium
ms-officeupdate[.]com18-Dec-2020146.0.77[.]90HostkeyNLHigh
msofficeupdate[.]com10-Nov-2020185.25.51[.]24Informacines sistemos ir technologijosLTHigh
msofficeupdate[.]org20-Aug-202046.30.188[.]236QuadranetNLHigh
msupdatecheck[.]com10-Jul-2020167.114.44[.]150OVHCAMedium
newupdate[.]org4-Jun-202046.183.221[.]141DataClubBZLow
upgrade-office[.]org7-Apr-202066.248.206[.]239HostkeyNLHigh
upgrade-office[.]com18-Mar-2020158.69.30[.]205OVHCAHigh
update-office[.]com3-Mar-2020192.52.166[.]12QuadranetUSMedium
officeupgrade[.]org29-Nov-2019198.24.134[.]13Secured Servers LLCUSHigh
template-new[.]com27-Aug-201966.70.218[.]38OVHCAHigh
ms-check-new-update[.]com8-Jul-201987.121.98[.]51TamatiyaBGHigh
newoffice-template[.]com12-Jun-2019147.135.170[.]193OVHFRHigh

In addition to the consistent use of “office” and “upgrade” themes, DomainTools identified two items that while linked in terms of registration and hosting characteristics included new naming conventions:

global-policy[.]org

eurasia-research[.]org

Although noticeably different from the group’s typical naming themes, these items overlap with Cloud Atlas’ focus on political and international relations themes, explored in greater detail below. Mapped using DomainTools Iris visualization, the connections between these items and their overlap becomes clear even though the activity spans nearly two years. Note that in the case of some older domains, registration details have changed from when these items were actively used in Cloud Atlas-related activity as they have been re-registered, leading to three apparent “outliers” that under previous registration detail would be closely correlated.

DomainTools researchers searched for any documents or malware samples linked to the above domains and related infrastructure.

With these items identified, DomainTools researchers searched for any documents or malware samples linked to the above domains and related infrastructure.

Pivoting from Infrastructure to Samples

From the list of domains identified in the previous section, DomainTools researchers identified multiple new samples associated with Cloud Atlas activity. The following list includes previously-identified samples as well as seven newly-identified malicious documents, along with associated C2 infrastructure:

MD5SHA256File NameFirst SeenC2 InfrastructureSubmitted From
129ca14849f2b9e1171d241997318ab34011b1fff8c088fcb4ac4a05a5a156912162293bbda8147597a41e09725b3ebfЛичные данныеАлмаз.doc23 Feb 2021newmsoffice[.]comBY
601c6f7640ea94ee4335299152be36d6439032cbee22ae75cce7e2340ca7ffe521dce3e18702ccd703cc5849dbf8954bDRAFT Concept Paper EEC 10 March 2021.doc23 Feb 2021newmsoffice[.]comFR
1ca8b287ea91be2f3d9bb5ad6f27cf34668236000a483b1735b7f8e244ae867804ee20fbd18e07860d1764a30e3ba60dFORM-0-COVID-19.doc22 Feb 2021217.182.9[.]185ES
114cee0e385240c784521641ef5476e746c203cf15a4126f10b3933376215063fe385aba3be971d63fc4e7be34aaf171Таможенное регулирование на предприятии.doc18 Feb 2021ms-update[.]orgBY
0d5df6bb2b1eee5cc497d6510ba1bc8a4eb0f1b0c04fc7e845e2ad7c3c84866f3a07586ccbe5ecad6f69d972e8ccac98EUISS Reflection Paper – CSDP.doc18 Feb 2021ms-update[.]orgFR
89c625189174b28564b67b92c3a3e55c94d467e169ed52ff4df5aa7321412a797293f24b00e58985a41ca5968cf4b047Методика профкультуры_госорганы.doc18 Feb 2021ms-update[.]orgUA
64481a824b077854a870dcb8c56bc01021ff553d752df93e10e45d0393eb097d5231346737e786ab8ad41324c299342aN/A09 Feb 2021ms-officeupdate[.]comRU
ded1d4636a2ad6ade4665908f8702e6507655ebfac8b7e5b2f1c2e661f6a7c16f3ac97df137d96f4c01e0f225918a149AL-Qaeda’s external operations.doc01 Feb 202151.89.50[.]155KW
b6ab958a703e5977f1334e8c6ab86377e83f79a6442bc7796d9b6e088d144f1c842f0a4716732c30a4edfa37e227586bЕАЭС интеграционные процессы.doc22 Dec 2020msofficeupdate[.]comUZ
03382feadb1044abc5d469dccc1590c3ceb060e6a169ba18e6b204ce9aafc7880fceee9aafcfe50cc75d24f0b09705efИнформационное письмо!.doc04 Dec 2020msofficeupdate[.]comUA
e744dfa3e039d375eda47c7103dff003d8f13e6945b6a335382d14a00e35bfefadbdfb625562e1120e5ed0b545f63e11ATT00001 – копия.doc09 Nov 2020template-new[.]comN/A
ab7a77f8a44cc70c6955c2bd099707fe348b25023c45ed7b777fa6f6f635cb587b8ffbf100bfa6761d35610bba525a11Минтруд госслужба.doc03 Nov 2020msofficeupdate[.]orgUA
a2f00c5cbd026331053ae1abad0dc85d93279005aa4c8eddf01020b31bc2b401fe1366cbcc9bb2032ffaeb2984afcd79Минтруд госслужба 1 1.doc03 Nov 2020msofficeupdate[.]orgUA
e963cc1caddfd957d9f7ec78de715de2e5a4957d0078d0bb679cf3300e15b09795167fdcfa70bbeab6de1387cd3f75bfStrategic Defence and Security Review (2021 SDSR).doc31 Oct 2020msofficeupdate[.]orgSI
bab23837dfc20743338f8d95b3f1e3b97a1effd3cfeecdba57904417c6eeaa7a74d60a761138885b338e8dc17f2c3fbcСправочник АП_26.10.2020_.doc29 Oct 2020msofficeupdate[.]orgUA
e00af9b6303460666ae1b4bdeb9503ba7c495c21c628d37ba2298e4a789ff677867521be27ec14d2cd9e9bf55160518fPKK militants in Nagorno-Karabakh.doc12 Oct 2020msofficeupdate[.]orgAZ
22542d90a4c82005fe70f4b58a815db30b116f5b93046c3ce3588bb2453ddbb907d990c2053827600375d8fd84d05d8bНовые поправки к Госпрограмме переселения в РФ (вст. в силу 01.07.2020).doc16 Sep 2020upgrade-office[.]comUA
4ecf8aeed764d7b4da0c8d2abb61876079c0097e9def5cc0f013ba64c0fd195dae57b04fe3146908a4eb5e4e6792ba24N/A16 Sep 2020newoffice-template[.]comGB
b2d173f1eaedf22f6309172882ea68da68bde4ec00c62ffa51cef3664c5678f1f4985eb6054f77a5190b4d62bd910538xyz.doc13 Sep 2020msofficeupdate[.]orgTR
965e187680297f9e782bdaaca96495c71f117d5f398e599887ec92a3f8982751ceb83f2adb85d87a2c232906104e8772C. Bayramov.doc25 Jul 2020upgrade-office[.]orgAZ
3883e47d8626b12667eab3656a2eeed44ad0e64e8ebed1d15fac85cd7439bb345824f03d8b3c6866e669c24a42901daaScandal that killed 346 people.doc29 May 2020upgrade-office[.]comAZ
9661464bae94391b23f0b01f563e27e7c630aa8ebd1d989af197a80b4208a9fd981cf40fa89e429010ada56baa8cf09dПланируемые расходы 2020(1).doc28 Dec 2019officeupgrade[.]orgUA
c037ee4d91b62627665fa9df82c641ab7ba76b2311736dbcd4f2817c40dae78f223366f2404571cd16d6676c7a640d70Фадеев М1.doc18 Dec 2019officeupgrade[.]orgUA
2bf501cf34f19b9243528bd35e90df6b89503c73eadc918bb6f05c023d5bf777fb2a0de1e0448f13ab1003e6d3b71fefО поставке зенитных ракетных систем С-400.doc11 Dec 2019officeupgrade[.]orgAZ

In addition to the links to identified infrastructure, all of the documents feature the same template string documented in DomainTools’ previous report:

All of the documents feature the same template string documented in DomainTools’ previous report.

As previously documented by researchers from Kaspersky, the documents attempt to retrieve and execute an external payload for follow-on execution via PowerShell or VBScript. While the majority of identified samples continue to leverage remote template retrieval via HTTPS, several samples also included Server Message Block (SMB) references direct to an IP address (discussed in greater detail below). Based on previous research, initial payloads from the document can either be malicious script objects to move the infection further along, or scripting objects designed to further validate victims and eliminate forensic artifacts.

Complicating analysis, and as noted by other researchers on past activity linked to Cloud Atlas, second-stage links and resources are typically “gated.” Resources are limited to retrieval only from designated locations, likely via IP address allow-listing. As a result, DomainTools has not been able to retrieve any samples of follow-on activity from the above documents directly.

Possible PowerShell Second-Stage Framework

While researching the above items, DomainTools researchers, in conjunction with researcher Florian Roth, identified a PowerShell script which included references to one of the domains linked to Cloud Atlas registration activity:

Name: rr3.ps1

MD5: 95885b0306642d71f295faa22b1831c0

SHA256: ca2a5c131af2ffb14bea01d458e149e8ad4a6e9c51af8ada6a1aec9d89a8cce4

The script attempts to retrieve a resource from the following location:

hXXp://ms-check-new-update[.]com/deeplyset/Framonts/sheintsis/calycophorae/beshackled/parcleanup/cheilitiss26/p

Although superficially similar to HTTP-based communication from malicious documents, there are notable differences:

  • Document template communication uses encrypted traffic via HTTPS, with domains associated with Sectigo SSL/TLS certificates, while the script communicates via unencrypted HTTP.
  • While the PowerShell request parses the full URI with “/”, the HTTPS beacons from documents consist of a single URI parameter with individual “words” separated by numbers.

The differences can be seen by looking at an example of a beacon from a malicious document:

hXXps://ms-update[.]org/tanked7inevitable3tricorn8suppuration9t

Although domain creation and registration artifacts show similarities between the domain used in the PowerShell script and domains used in malicious document files, differences in use make it difficult for DomainTools to link the identified script to the same cluster of activity (suspected Cloud Atlas) with high confidence.

Cloud Atlas-related operations previously used scripting frameworks for a variety of purposes as part of operations, as documented by researchers from Kaspersky and Palo Alto. In previous instances, Cloud Atlas-related scripts performed functions such as the following:

  • Initial victim system reconnaissance and system survey.
  • System data and file collection.
  • Data exfiltration.
  • Anti-analysis and anti-forensics operations. 

The script object retrieved in this case seems more limited, focusing primarily on creating persistence mechanisms and evading analysis while attempting to download an additional payload. Based on prior analysis of Cloud Atlas-related activity, this iterative nature is not unexpected although the precise persistence mechanisms appear new.

For example, the following establishes persistence via a scheduled task:

The following establishes persistence via a scheduled task.

The portion of the script provided below checks for previous retrieval of a follow-on payload and for the presence of a scheduled task (“Display renovation”), while also modifying system parameters via the Windows Registry to “hide” the taskeng.exe window through a hard-coded placement value off-screen.

The portion of the script provided below checks for previous retrieval of a follow-on payload and for the presence of a scheduled task (“Display renovation”), while also modifying system parameters via the Windows Registry to “hide” the taskeng.exe window through a hard-coded placement value off-screen.

Since taskeng.exe will launch a window (even if momentarily), the above will “hide” this aspect of execution. The technique is superficially similar to one previously documented by researchers, and deployed in Cloud Atlas-related activity.

Finally, the script contains a function to eliminate Temporary Internet Files artifacts associated with script execution:

The script contains a function to eliminate Temporary Internet Files artifacts associated with script execution.

Based on descriptions in previous work from Kaspersky and Palo Alto, the above appears more limited in functionality than earlier Cloud Atlas-linked script objects. However, without actual possession of such scripts for comparison, degree of similarity (or difference) is not possible to determine with the information currently available.

Overall, the retrieved script features many overlaps with behaviors documented by other researchers and linked to Cloud Atlas in 2018 (Palo Alto) and 2019 (Kaspersky). While previous analysis indicates Cloud Atlas-related activity will frequently re-use or maintain capabilities for many years, the appearance of this script two years after public documentation, combined with inexact replication of previously-documented capabilities and the network communication items described previously, would argue for some caution in definitively linking this file to the Cloud Atlas cluster of behaviors. While the overlaps certainly exist, and associated network infrastructure ties in to documented, recent Cloud Atlas tendencies, DomainTools associates the above with this behavioral cluster with medium confidence at this time for the reasons noted above.

Adversary Themes and Possible Motivations

Moving away from the scripting object which is likely—although not definitively—linked to Cloud Atlas behaviors, the overall themes as well as probable geographic targeting of the observed malicious documents largely align with previously documented activity from this entity.

Examining items discovered from December 2020 through February 2021, DomainTools identified the following “themes” or lures:

  • A document purportedly from the European Union Institute for Security Studies (EUISS) on common defense questions for the European Union, likely appearing in France.
  • A document from the “Ministry of Labor and Social Policy” of the unrecognized Ukrainian breakaway region known as the Luhansk People’s Republic, submitted from Ukraine.
  • An agenda for a training course on customs regulation from the Belarusian “Trade and Industrial Chamber,” identified in Belarus.
  • A news bulletin concerning Belarusian adoption of an International Atomic Energy Association (IAEA) action plan for the development of nuclear energy, first identified in Russia.
  • A document concerning the creation of a common natural gas market within the Eurasian Economic Union (EAEU), submitted from Uzbekistan.
  • A listing of personnel allegedly belonging to the SPBT Almaz special anti-terrorist unit of the Belarussian security forces, first seen in Belarus.

 

Screenshot 1

The items continue targeting trends and lure themes observed in late 2020:

  • Primary focus on countries formerly part of the Soviet Union with an emphasis on energy and political themes.
  • Particular focus on the unrecognized breakaway regions of Ukraine such as Luhansk as well as Donetsk.
  • Additional targeting of Western European and NATO-related defense interests.

Based on the observed activities, lures, and likely geographic targeting, DomainTools assesses with high confidence that the campaigns in question form part of unspecified espionage operations. While further speculation on particular attribution is possible, insufficient technical evidence exists that would allow DomainTools to attribute this activity to any distinct entity or country.

Outlier Samples

Adding pause to the question of attribution are two similarly-structured but outlier samples both in technical behavior and targeting. Whereas the majority of the malicious documents using the same template string spawn communication via HTTPS for follow-on payload retrieval, two items (one of which has several variants with identical functionality and document content) instead utilize communication to resources via SMB, such as the following:

\185.70.184[.]32soarnegroidmeanalkydapresowntipslushing[.]png
\139.60.161[.]74appalcanedentrecentlyconvergenting[.]png

In addition to the difference in protocol, the naming convention (one long string of text without dividing numbers) and use of a file extension (PNG) are also different from other samples. DomainTools researchers were unsuccessful in attempting to retrieve the PNG objects referenced, making further analysis not possible at this time. While domain links are not possible on these items, referenced IP addresses do at least conform to hosting practices used by recent Cloud Atlas-linked activity: favoring specific providers largely located and operating in Europe.

Technical observations aside, the “themes” of the documents were also different, reflecting the following topics:

  • The Pensacola shooting that was later linked by US authorities to Al Qaeda operations.
  • A travel form linked to COVID-19 precautions for travelers to the United Kingdom.

 

Screenshot 2

While the COVID-19 form at least appears to originate in Europe, the Pensacola shooting document first appears in the Middle East. While researchers previously identified Cloud Atlas-linked activity in Central Asia, publicly available information contains no references to operations in the Gulf region, where this item appears to have originated.

Overall, these documents retain the template string unifying all observed items since 2019, but otherwise appear to differ in behaviors, themes, and possible targeting. At this time, insufficient evidence exists to determine if these items represent a closely-linked, but operationally independent, group to Cloud Atlas with access to similar tools, or merely variations on common delivery vectors ultimately leading to the same payloads.

Conclusion

DomainTools researchers continue to track activity of interest through sustained monitoring of known malicious infrastructure creation tendencies. Through this work, DomainTools researchers identified persistent activity linked to previous analysis of initial access activity associated with an entity referred to as Cloud Atlas. While some parts of this entity’s operations have shifted in the past six months of tracking them, overall this group continues to exhibit common tendencies in both infrastructure registration and malicious document design. 

By identifying these fundamental behaviors linked to a known threat actor, network defenders and threat intelligence analysts can keep pace with adversaries over time. While DomainTools anticipates eventual alterations in this group’s activity due to public scrutiny, the likelihood that all aspects of this group’s operations (network infrastructure, malicious document format, and possibly scripting behaviors) will change simultaneously is rather low. Through incorporation of appropriate monitoring and tracking strategies linked with this threat’s fundamental behaviors, defenders can ensure continuous coverage against this actor moving forward.