Kaspersky: Cloud Atlas has been observed using VBCloud in cyberattack campaigns that targeted "several dozen users" in 2024.

Russia accounted for more than 80% of the targets. Cloud Atlas is an unattributed threat activity cluster that has been active since 2014 and is also known as Clean Ursa, Inception, Oxygen, and Red October. The attack chain begins with a phishing email that includes a Microsoft Office document that has been booby-trapped.

When the document is opened, it downloads a malicious template, formatted as an RTF file, from a remote server. The VBShower backdoor is intended to obtain additional VBS payloads from the command-and-control (C2) server; these payloads can install PowerShower, reboot the system, and collect data about files in different folders, running process names, and scheduled tasks. The malware can gather data about files associated with the Telegram messaging app, disks, and system metadata.
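A defender-side check for the remote-template step described above, added here as an example (it is not code from Kaspersky or from the original page). It assumes the lure is an OOXML package (.docx) that references its template through an external `attachedTemplate` relationship; the function names and the sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
REMOTE_PREFIXES = ("http://", "https://", "\\\\")  # URLs and UNC paths

def remote_templates(data: bytes):
    """Return (rels_part, target) for each externally hosted attached template."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            # Stdlib parser used to stay self-contained; a hardened XML parser
            # is the safer choice when scanning untrusted files in bulk.
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                target = rel.get("Target", "")
                if (rel.get("Type") == TEMPLATE_TYPE
                        and rel.get("TargetMode", "").lower() == "external"
                        and target.lower().startswith(REMOTE_PREFIXES)):
                    hits.append((name, target))
    return hits

def build_sample(template_target=None):
    """Constructed test package (not a real sample): one benign hyperlink,
    plus an external attached template when template_target is given."""
    def rels(rel_type, target):
        return ('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                'Target="%s" TargetMode="External"/></Relationships>'
                % (PKG_NS, rel_type, target))
    hyperlink = TEMPLATE_TYPE.replace("attachedTemplate", "hyperlink")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels(hyperlink, "https://example.com/"))
        if template_target:
            z.writestr("word/_rels/settings.xml.rels", rels(TEMPLATE_TYPE, template_target))
    return buf.getvalue()

if __name__ == "__main__":
    for label, doc in (("clean", build_sample()),
                       ("templated", build_sample("https://template.example.invalid/t.rtf"))):
        print(label, remote_templates(doc))
```

External hyperlinks are common in legitimate documents, so the check keys on the template relationship type rather than on every external target.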

"The infection chain consists of several stages and ultimately aims to steal data from victims' devices," stated Kupreev. "VBCloud gathers system information and steals files, while PowerShower probes the local network and facilitates further infiltration," he explained. The malware was developed by VB Cloud, a Russian company.

It can currently be downloaded for $3.99 from the Google Play store or from the company's website.