A new threat actor known as AtlasCross has been observed leveraging Red Cross-themed phishing lures to deliver two previously undocumented backdoors named DangerAds and AtlasAgent.
NSFOCUS Security Labs described the adversary as having a “high technical level and cautious attack attitude,” adding that “the phishing attack activity captured this time is part of the attacker’s targeted strike on specific targets and is its main means to achieve in-domain penetration.”
The attack chains start with a macro-laced Microsoft document that purports to be about a blood donation drive from the American Red Cross that, when launched, runs the malicious macro to set up persistence, exfiltrate system metadata to a remote server (data.vectorse[.]com) that’s a sub-domain of a legitimate website belonging to a structural and engineering firm based in the U.S.
Fight AI with AI — Battling Cyber Threats with Next-Gen AI Tools
Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.
Supercharge Your Skills
It also extracts a file named KB4495667.pkg (codenamed DangerAds), which, subsequently acts as a loader to launch shellcode that leads to the deployment of AtlasAgent, a C++ malware capable of gathering system information, shellcode operation, and running commands to obtain a reverse shell as well as inject code into a thread in the specified process.
Both AtlasAgent and DangerAds incorporate evasive features to make it less likely to be discovered by security tools.
AtlasCross is suspected to have breached public network hosts by exploiting known security vulnerabilities and turning them into command-and-control (C2) servers. NSFOCUS said it identified 12 different compromised servers in the U.S.
The true identity of AtlasCross and its backers currently remains a puzzle.
“At this current stage, AtlasCross has a relatively limited scope of activity, primarily focusing on targeted attacks against specific hosts within a network domain,” the company said. “However, the attack processes they employ are highly robust and mature.”
