Furthermore, the group was uncovered by cybersecurity firm NSFocus, which detected two previously undocumented trojans known as DangerAds and AtlasAgent used in their attacks. NSFocus noted that the AtlasCross hackers are highly skilled and elusive, making it challenging to pinpoint their origin or motives. Their attack methods differ significantly from known APT groups in terms of execution, technology stack, and behavior tendencies.
Additionally, the AtlasCross attacks typically begin with phishing emails masquerading as the American Red Cross and inviting recipients to participate in a “September 2023 Blood Drive.” These emails contain macro-enabled Word documents that prompt users to click “Enable Content” to access hidden material.
However, clicking on this content triggers malicious macros that infect Windows devices with the DangerAds and AtlasAgent malware. DangerAds serves as a loader and assesses the host environment, executing built-in shellcode under specific conditions. It eventually loads AtlasAgent, the final payload.
AtlasAgent, a custom C++ trojan, carries out various functions, including extracting host and process details, blocking the launch of multiple programs, running additional shellcode on compromised machines, and downloading files from the attacker’s command-and-control servers.
Upon execution, the malware sends system information to the attacker’s servers, including computer names, network details, IP addresses, and running processes. These servers respond with commands for AtlasAgent to execute, making it challenging for security tools to detect and stop the attacks.
AtlasCross remains a relatively unknown threat with unclear motives and targets. Their selective targeting, custom trojans, and discreet infection methods have enabled them to operate under the radar for an unspecified duration.