A novel threat actor, going by the name AtlasCross, has been observed employing phishing tactics with Red Cross-themed baits to distribute two previously undisclosed backdoors referred to as DangerAds and AtlasAgent.
Key Facts about the Findings
Security analysts from NSFOCUS Security Labs have characterized this adversary as possessing a high technical proficiency and a cautious approach to their attacks.
They noted that the recent phishing campaigns attributed to AtlasCross are part of a targeted offensive against specific entities, serving as their primary method for infiltrating secured domains.
Attack Tactics
The attack sequence commences with a Microsoft document embedded with macros. This document is an informational piece regarding a blood donation initiative associated with the American Red Cross.
When executed, the malicious macro sets up a persistent presence on the compromised system and transfers system metadata to a remote server hosted at data.vectorse[.]com, a subdomain belonging to a legitimate U.S.-based structural and engineering firm.
The document extracts a file known as KB4495667.pkg, codenamed DangerAds. This file acts as a loader, initiating shellcode execution that leads to the deployment of AtlasAgent, a C++ malware.
AtlasAgent can gather system information, perform shellcode operations, execute commands to establish a reverse shell, and inject code into specified processes.
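As an added defensive illustration (not code from the NSFOCUS report or the article), the following Python correlates two observable steps of the chain described above on the same host: an Office process writing KB4495667.pkg, followed shortly by a lookup of data.vectorse[.]com. Because the domain belongs to a legitimate firm, a lone DNS hit is not treated as an alert. The log format, host names, process names and timestamps are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the report above; everything below them is constructed.
DROPPED_LOADER = "KB4495667.pkg"
C2_SUBDOMAIN = "data.vectorse.com"          # de-fanged in the article as data.vectorse[.]com
OFFICE_HOSTS = {"winword.exe", "excel.exe"}  # assumption: the macro runs inside an Office process

# Constructed sample telemetry in a hypothetical "timestamp host event key=value ..." format.
SAMPLE_LOG = """\
2023-09-25T09:00:01 ws-17 file_write image=winword.exe path=C:\\Users\\a\\AppData\\Local\\Temp\\KB4495667.pkg
2023-09-25T09:00:04 ws-17 dns image=winword.exe query=data.vectorse.com
2023-09-25T09:07:30 ws-22 dns image=chrome.exe query=data.vectorse.com
2023-09-25T11:15:00 ws-31 file_write image=explorer.exe path=C:\\Users\\b\\Downloads\\KB4495667.pkg
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse(line):
    """Split one constructed log line into (timestamp, host, event, fields)."""
    ts, host, event, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    return datetime.fromisoformat(ts), host, event, fields


def detect_atlascross_chain(log_text, window_seconds=600):
    """Return (host, image, drop_time) for hosts where an Office process wrote the
    DangerAds loader and the abused subdomain was resolved within the window.
    Either signal alone is weak; the correlation is what makes it actionable."""
    window = timedelta(seconds=window_seconds)
    drops, lookups = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        ts, host, event, f = parse(line)
        if event == "file_write" and f["path"].lower().endswith(DROPPED_LOADER.lower()):
            drops[host].append((ts, f["image"]))
        elif event == "dns" and f["query"].lower() == C2_SUBDOMAIN:
            lookups[host].append(ts)
    alerts = []
    for host, events in drops.items():
        for t_drop, image in events:
            if image.lower() not in OFFICE_HOSTS:
                continue  # a non-Office writer does not match the macro-driven chain
            if any(abs(t_dns - t_drop) <= window for t_dns in lookups.get(host, [])):
                alerts.append((host, image, t_drop.isoformat()))
    return alerts
```

Run against the sample, only ws-17 fires: ws-22 has the DNS lookup without the dropped loader, and ws-31 has the file without an Office parent or a lookup.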
What’s dangerous about the backdoors?
Both AtlasAgent and DangerAds incorporate evasion techniques to reduce their detectability by security tools.
It is suspected that AtlasCross gained access to public network hosts by exploiting known security vulnerabilities and repurposing them as command-and-control (C2) servers.
NSFOCUS has identified 12 distinct compromised servers within the United States.
As of now, the true identity of AtlasCross and its sponsors remains shrouded in mystery.
“At this juncture, AtlasCross maintains a relatively narrow scope of operations, primarily concentrating on targeted assaults against specific hosts within a network domain,” the company disclosed.
“Nonetheless, the techniques employed in their attacks display a high degree of sophistication and maturity.”
Plan Today, Secure Tomorrow
The constant evolution of attack tactics raises the importance of continuous monitoring, threat intelligence, and a collective organizational approach.
The abuse of legitimate infrastructure for malicious purposes also heightens the need for network traffic analysis and anomaly detection.
But on the whole, remain agile, adaptive, and committed against threats!