AtlasCross Attacks Red Cross-Themed Phishing

Red Cross-Themed Phishing Attacks Distributing DangerAds and AtlasAgent Backdoors

Security researchers have identified a new and sophisticated threat actor, tracked as AtlasCross, that uses Red Cross-themed phishing lures. AtlasCross has been observed deploying two previously undisclosed backdoors, named AtlasAgent and DangerAds.

According to NSFOCUS Security Labs, the campaign is technically sophisticated. They also point out that the attack is aimed at gaining access to the network domains of specific targets: it uses the backdoor already planted on a compromised host to move against particular servers on that network.

How AtlasCross Attacks Exploit Backdoors

An AtlasCross attack starts with an innocent-looking Microsoft Word document concerning a blood donation drive run by the American Red Cross. Once the document is opened, it executes a malicious macro. This macro collects system metadata and sends it to a remote server (data.vectorse[.]com), a subdomain of the legitimate website of a U.S. engineering company.

AtlasCross then drops a file named KB4495667.pkg (the DangerAds loader), which contains shellcode; that shellcode is launched to execute AtlasAgent, a C++ backdoor that can steal sensitive information from the compromised system.
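As an added example (not code from the write-up or from NSFOCUS), the following Python correlates the chain described above, an Office process beaconing to data.vectorse[.]com and writing KB4495667.pkg, over constructed endpoint telemetry; the event field names are assumptions, not a real EDR schema.

```python
# Added example (not from the write-up or NSFOCUS): correlate the chain above,
# an Office process beaconing to data.vectorse[.]com and writing KB4495667.pkg,
# over constructed endpoint telemetry. Event field names are assumptions.
from collections import defaultdict

C2_DOMAIN = "data.vectorse[.]com".replace("[.]", ".")  # undefang the IoC
DROPPED_FILE = "kb4495667.pkg"                          # DangerAds loader name
OFFICE_PROCS = {"winword.exe", "excel.exe"}

# Constructed telemetry: ws01 shows the full chain, ws03 only the beacon.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4120, "proc": "WINWORD.EXE", "type": "net",
     "dst": "data.vectorse.com"},
    {"host": "ws01", "pid": 4120, "proc": "WINWORD.EXE", "type": "file",
     "path": "C:\\Users\\a\\AppData\\Local\\Temp\\KB4495667.pkg"},
    {"host": "ws02", "pid": 988, "proc": "chrome.exe", "type": "net",
     "dst": "www.example.com"},
    {"host": "ws03", "pid": 2210, "proc": "WINWORD.EXE", "type": "net",
     "dst": "data.vectorse.com"},
]

def stage_of(event):
    """Map one event onto a stage of the chain ('beacon'/'dropper') or None."""
    if event.get("proc", "").lower() not in OFFICE_PROCS:
        return None  # only Office-spawned activity is interesting here
    if event["type"] == "net" and event.get("dst", "").lower() == C2_DOMAIN:
        return "beacon"
    if event["type"] == "file" and event.get("path", "").lower().endswith(DROPPED_FILE):
        return "dropper"
    return None

def correlate(events):
    """Group observed stages per (host, pid) so the chain is scored as a whole."""
    seen = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            seen[(ev["host"], ev["pid"])].add(stage)
    return dict(seen)

def alerts(events):
    """Return sorted (host, pid, severity): beacon alone is medium, beacon+dropper high."""
    out = []
    for (host, pid), stages in correlate(events).items():
        sev = "high" if {"beacon", "dropper"} <= stages else "medium"
        out.append((host, pid, sev))
    return sorted(out)

if __name__ == "__main__":
    for host, pid, sev in alerts(SAMPLE_EVENTS):
        print(f"{host} pid={pid}: {sev} - possible AtlasCross chain")
```

Scoring per process rather than per event keeps a lone beacon from a browser out of the high-severity bucket while still surfacing the full macro-to-dropper sequence.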

About DangerAds and AtlasAgent Backdoors

Both backdoors, DangerAds and AtlasAgent, are designed to stay hidden, which makes them harder for endpoint security tools to detect. The approach is effective for the attackers: once a backdoor is in place, they can gain remote access to the compromised system without being noticed.

AtlasCross exploits vulnerabilities to compromise the primary network host, and it also relies on vulnerabilities in the servers it uses for command and control (C2). NSFOCUS noted that 12 different compromised servers have been found involved in suspicious activity.

AtlasCross And What We Know About It

The exact identity of AtlasCross and its operators is still unknown; the attackers have hidden their tracks well so far. However, awareness that such malicious activity is underway gives security researchers a chance to develop a patch or other fix for the backdoor.

Since there is no concrete information about the actor behind the threat, the sensible course is to fix the vulnerabilities the threat actors are exploiting. Without the backdoor, the threat cannot establish a remote-access connection or attack the server.

AtlasCross has been found to be involved in several malicious activities focused on exploiting specific hosts on the target's network domain. It has also been reported that the attack mechanisms used by the AtlasCross threat actors are mature and robust.
