Inception Framework, Cloud Atlas

Inception Framework, Cloud Atlas, Oxygen, ATK 116, Blue Odin, The Rocra
(Type: -)

(Symantec) Researchers from Blue Coat Labs have identified the emergence of a previously undocumented attack framework that is being used to launch highly targeted attacks in order to gain access to, and extract confidential information from, victims’ computers. Because of the many layers used in the design of the malware, we’ve named it Inception—a reference to the 2010 movie “Inception” about a thief who entered people’s dreams and stole secrets from their subconscious. Targets include individuals in strategic positions: executives in important businesses such as oil, finance and engineering, military officers, embassy personnel and government officials. The Inception attacks began by focusing on targets primarily located in Russia or related to Russian interests, but have since spread to targets in other locations around the world. The preferred malware delivery method is via phishing emails containing trojanized documents.

• Initially targeted at Russia, but expanding globally
• Masterful identity cloaking and diversionary tactics
• Clean and elegant code suggesting strong backing and top-tier talent
• Includes malware targeting mobile devices: Android, Blackberry and iOS
• Using a free cloud hosting service based in Sweden for command and control

[News Analysis] Trends:

Total Trend: 26

Trend Per Year (articles per year)
2013: 4
2014: 5
2015: 3
2017: 2
2018: 2
2019: 3
2020: 2
2021: 1
2022: 4


Trend Per Month (articles per month)
Jan 2013: 4
Dec 2014: 5
Jan 2015: 3
Sep 2017: 1
Oct 2017: 1
Mar 2018: 1
Nov 2018: 1
2019: 2
Aug 2019: 1
May 2020: 1
Jul 2020: 1
Feb 2021: 1
Apr 2022: 2
Jul 2022: 2



[News Analysis] News Mention Another Threat Name:

2 - PowerShower
71 - Inception Framework
18 - BPFDoor
18 - APT15
66 - APT31
66 - APT41
18 - APT9
66 - BlackTech
66 - BRONZE EDGEWOOD
18 - DAGGER PANDA
18 - Earth Lusca
18 - HAFNIUM
18 - HAZY TIGER
18 - LOTUS PANDA
18 - QUILTED TIGER
18 - RedAlpha
18 - Red Dev 17
22 - Red Menshen
66 - Red Nue
18 - VICEROY TIGER
5 - Cobalt Strike
56 - Conti
56 - PlugX
5 - RokRAT
53 - elf.wellmess
53 - FlowerPower
53 - PowGoop
53 - 8.t Dropper
53 - Agent.BTZ
53 - Agent Tesla
53 - Appleseed
53 - Ave Maria
53 - Bankshot
53 - BazarBackdoor
53 - BLINDINGCAN
53 - Chinoxy
53 - Cotx RAT
53 - Crimson RAT
53 - DUSTMAN
53 - Emotet
53 - FriedEx
53 - FunnyDream
53 - Hakbit
53 - Mailto
53 - Maze
53 - METALJACK
53 - Nefilim
53 - Oblique RAT
53 - Pay2Key
53 - QakBot
53 - REvil
53 - Ryuk
53 - StoneDrill
53 - StrongPity
53 - SUNBURST
53 - SUPERNOVA
53 - TrickBot
53 - TurlaRPC
53 - Turla SilentMoon
53 - WastedLocker
53 - WellMess
53 - Winnti
53 - ZeroCleare
53 - APT10
53 - APT23
53 - APT27
53 - MUSTANG PANDA
53 - Red Charon
53 - Sea Turtle
53 - Tonto Team
2 - LaZagne
1 - CloudAtlas


[TTP Analysis] Technique Performance:

Reconnaissance: 0/43
Resource Development: 1/45
Initial Access: 1/19
Execution: 4/36
Persistence: 1/113
Privilege Escalation: 1/96
Defense Evasion: 4/184
Credential Access: 1/63
Discovery: 5/44
Lateral Movement: 0/22
Collection: 1/37
Command and Control: 4/39
Exfiltration: 0/18
Impact: 0/26


[TTP Analysis] Mitre Attack Matrix:

Tactics: TA0043 Reconnaissance; TA0042 Resource Development; TA0001 Initial Access; TA0002 Execution; TA0003 Persistence; TA0004 Privilege Escalation; TA0005 Defense Evasion; TA0006 Credential Access; TA0007 Discovery; TA0008 Lateral Movement; TA0009 Collection; TA0011 Command and Control; TA0010 Exfiltration; TA0040 Impact

T1588.002 Obtain Capabilities: Tool
T1566.001 Phishing: Spearphishing Attachment
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution
T1204.002 User Execution: Malicious File
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1027 Obfuscated Files or Information
T1218.005 System Binary Proxy Execution: Mshta
T1218.010 System Binary Proxy Execution: Regsvr32
T1221 Template Injection
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
T1083 File and Directory Discovery
T1069.002 Permission Groups Discovery: Domain Groups
T1057 Process Discovery
T1518 Software Discovery
T1082 System Information Discovery
T1005 Data from Local System
T1071.001 Application Layer Protocol: Web Protocols
T1573.001 Encrypted Channel: Symmetric Cryptography
T1090.003 Proxy: Multi-hop Proxy
T1102 Web Service


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

Clean Ursa

2022-07-18 by Unit42 from Palo Alto Networks Unit 42

Cyber Threats 2021: A Year in Retrospect

2022-04-28 by PWC UK from PWC

Cyber Threats 2021: A Year in Retrospect (Annex)

2022-04-28 by PWC UK from PWC

Cyber Threats 2020: A Year in Retrospect

2021-02-28 by PWC UK from PWC UK

Red October

2020-07-05 by Cyber Operations Tracker from Council on Foreign Relations

Inception

2020-05-08 by MITRE ATT&CK from MITRE

Recent Cloud Atlas activity

2019-08-12 by GReAT from Kaspersky Labs

Inception Framework

2019 by Cyber Operations Tracker from Council on Foreign Relations

Cloud Atlas

2019 by Cyber Operations Tracker from Council on Foreign Relations

Inception Attackers Target Europe with Year-old Office Vulnerability

2018-11-05 by Tom Lancaster from Palo Alto Networks Unit 42

Inception Framework: Alive and Well, and Hiding Behind Proxies

2018-03-14 by Security Response Attack Investigation Team from Symantec

UPnProxy: Blackhat Proxies via NAT Injections

2017-10-16 by Akamai from Akamai

An (un)documented Word feature abused by attackers

2017-09-18 by Alexander Liskin from Kaspersky Labs

Reversing the Inception APT malware

2015-01-20 by Basavaraj K. Biradar from Blue Coat

Catching the “Inception Framework” Phishing Attack

2015-01-14 by Tony Massé from LogRhythm

Cloud Atlas: RedOctober APT is back in style

2014-12-10 by GReAT from Kaspersky Labs

Blue Coat Exposes “The Inception Framework”; Very Sophisticated, Layered Malware Attack Targeted at Military, Diplomats, and Business Execs

2014-12-09 by Snorre Fagerland from Blue Coat

Blue Coat Exposes “The Inception Framework”; Very Sophisticated, Layered Malware Attack Targeted at Military, Diplomats, and Bus

2014-12-09 by Waylon Grange from Symantec

The Inception Framework: Cloud-hosted APT

2014-12-09 by Snorre Fagerland from Blue Coat

“Red October” – Part Two, the Modules

2013-01-17 by GReAT from Kaspersky Labs

The “Red October” Campaign – An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies

2013-01-14 by GReAT from Kaspersky Labs

“Red October” Diplomatic Cyber Attacks Investigation

2013-01-14 by GReAT from Kaspersky Labs

Basic Information (Credit @etda.or.th)

Actor: Inception Framework, Cloud Atlas

Names: Inception Framework, Cloud Atlas, Oxygen, ATK 116, Blue Odin, The Rocra

Country: Russia

Motivation: Information theft and espionage

First-seen: 2012

Observed-sectors: Aerospace, Defense, Embassies, Energy, Engineering, Financial, Government, Oil and gas, Research

Observed-countries: Afghanistan, Armenia, Austria, Azerbaijan, Belarus, Belgium, Brazil, Congo, Cyprus, France, Georgia, Germany, Greece, India, Indonesia, Iran, Italy, Jordan, Kazakhstan, Kenya, Kyrgyzstan, Lebanon, Lithuania, Malaysia, Moldova, Morocco, Mozambique, Oman, Pakistan, Paraguay, Portugal, Qatar, Romania, Russia, Saudi Arabia, South Africa, Suriname, Switzerland, Tajikistan, Tanzania, Turkey, Turkmenistan, Uganda, Ukraine, UAE, USA, Uzbekistan, Venezuela, Vietnam

Tools: Inception, Lastacloud, PowerShower, VBShower, many 0-day exploits

Operations: 2012-10: Operation “RedOctober”. In October 2012, Kaspersky Lab’s Global Research & Analysis Team initiated a new threat research after a series of attacks against computer networks of various international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation, which we called “Red October” (after the famous novel “The Hunt For The Red October”). https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/#8

Operations: 2014-05: Hiding Behind Proxies. Since 2014, Symantec has found evidence of a steady stream of attacks from the Inception Framework targeted at organizations on several continents. As time has gone by, the group has become ever more secretive, hiding behind an increasingly complex framework of proxies and cloud services. https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies

Operations: 2014-08: Operation “Cloud Atlas”. In August 2014, some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware. We did a quick analysis of the malware and it immediately stood out because of certain unusual things that are not very common in the APT world. https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/

Operations: 2018-10: This blog describes attacks against European targets observed in October 2018, using CVE-2017-11882 and a new PowerShell backdoor we’re calling POWERSHOWER due to the attention to detail in terms of cleaning up after itself, along with the malware being written in PowerShell. https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/

Operations: 2019: During its recent campaigns, Cloud Atlas used a new “polymorphic” infection chain, no longer relying on PowerShower directly after infection but executing a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system. https://securelist.com/recent-cloud-atlas-activity/92016/

Operations: 2022-02: Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine. https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/

Information: https://www.symantec.com/connect/blogs/blue-coat-exposes-inception-framework-very-sophisticated-layered-malware-attack-targeted-milit

Information: https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf

Mitre-attack: https://attack.mitre.org/groups/G0100/

Playbook: https://pan-unit42.github.io/playbook_viewer/?pb=inception

Last-card-change: 2023-01-01

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

Tactics: TA0043 Reconnaissance; TA0042 Resource Development; TA0001 Initial Access; TA0002 Execution; TA0003 Persistence; TA0004 Privilege Escalation; TA0005 Defense Evasion; TA0006 Credential Access; TA0007 Discovery; TA0008 Lateral Movement; TA0009 Collection; TA0011 Command and Control; TA0010 Exfiltration; TA0040 Impact

T1588.002 Obtain Capabilities: Tool
Inception has obtained and used open-source tools such as LaZagne.

T1566.001 Phishing: Spearphishing Attachment
Inception has used weaponized documents attached to spearphishing emails for reconnaissance and initial compromise.

T1059.001 Command and Scripting Interpreter: PowerShell
Inception has used PowerShell to execute malicious commands and payloads.

T1059.005 Command and Scripting Interpreter: Visual Basic
Inception has used VBScript to execute malicious commands and payloads.

T1203 Exploitation for Client Execution
Inception has exploited CVE-2012-0158, CVE-2014-1761, CVE-2017-11882 and CVE-2018-0802 for execution.

T1204.002 User Execution: Malicious File
Inception lured victims into clicking malicious files for machine reconnaissance and to execute malware.

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Inception has maintained persistence by modifying the Registry Run key value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\.
T1027 Obfuscated Files or Information
Inception has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.

T1218.005 System Binary Proxy Execution: Mshta
Inception has used malicious HTA files to drop and execute malware.

T1218.010 System Binary Proxy Execution: Regsvr32
Inception has ensured persistence at system boot by setting the value regsvr32 %path%\ctfmonrn.dll /s.

T1221 Template Injection
Inception has used decoy documents to load malicious remote payloads via HTTP.

T1555.003 Credentials from Password Stores: Credentials from Web Browsers
Inception used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex.

T1083 File and Directory Discovery
Inception used a file listing plugin to collect information about files and directories on both local and remote drives.

T1069.002 Permission Groups Discovery: Domain Groups
Inception has used specific malware modules to gather domain membership.

T1057 Process Discovery
Inception has used a reconnaissance module to identify active processes and other associated loaded modules.

T1518 Software Discovery
Inception has enumerated installed software on compromised systems.

T1082 System Information Discovery
Inception has used a reconnaissance module to gather information about the operating system and hardware on the infected host.

T1005 Data from Local System
Inception used a file hunting plugin to collect .txt, .pdf, .xls or .doc files from the infected host.

T1071.001 Application Layer Protocol: Web Protocols
Inception has used HTTP, HTTPS, and WebDAV in network communications.

T1573.001 Encrypted Channel: Symmetric Cryptography
Inception has encrypted network communications with AES.

T1090.003 Proxy: Multi-hop Proxy
Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers.

T1102 Web Service
Inception has incorporated at least five different cloud service providers into their C2 infrastructure, including CloudMe.