The Red Cross or Red Alert? Unmasking the Cyber Threat Actor AtlasCross

A new cyber threat actor, AtlasCross, is impersonating the Red Cross to steal data and run malicious code. Using a Trojan called DangerAds, the group is causing a red alert in the cyber security world.

Hot Take:

Who knew the Red Cross could be so dangerous? A new cyber threat actor has entered the stage, donning the guise of the Red Cross to steal data and run malicious code. Named AtlasCross by the folks at NSFOCUS Security Labs, they’re like the method actors of the cybercrime world, deeply embedded in their roles and playing them with a high level of technical skill. They’re using an old-school infection vector – a Word document with an embedded macro function – and a trojan called DangerAds. But before you go donating blood, remember, this isn’t the real Red Cross, it’s just a bunch of data-stealing, code-running cyber thieves.

Key Points:

  • A new threat actor, AtlasCross, has been detected impersonating the Red Cross to steal data and run malicious code.
  • AtlasCross distributes a Word document with an embedded macro function that triggers the download of a trojan called DangerAds.
  • The final payload of the cyber attack is called AtlasAgent, which obtains host information and executes shellcode.
  • AtlasCross is currently focusing on targeted attacks against specific hosts within a network domain.
  • The identity of AtlasCross and its specific targets remain unknown.

Need to know more?

Red Cross or Red Alert?

AtlasCross has been impersonating the Red Cross to spread their malware. This is not your typical phishing scam. The attackers are distributing a Word document that seems to be about blood donation but is actually a ticking time bomb filled with malicious code.

DangerAds - Not the Kind of Ad You Want

Once you run the macro in the seemingly innocuous Word document, you trigger the download of a trojan named DangerAds. This isn't your run-of-the-mill pop-up ad; this ad is the main player in the AtlasCross attack. It's designed to detect the host environment and run a built-in shellcode to load the final payload.
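The entry point described above is a Word document carrying an embedded macro. A cheap triage check a mail gateway or analyst can run is to look inside the Office Open XML container for a VBA project part and for the macro-enabled content type, regardless of the file extension. The script below is an added example written for this post, not code from NSFOCUS or from the AtlasCross report; the two sample documents it builds are constructed placeholders, not real lures.

```python
"""Flag Office Open XML documents that carry an embedded VBA project.

Added example, not code from the NSFOCUS report or from the post above.
A macro-bearing Word file is a zip archive that contains a VBA project part
(word/vbaProject.bin) and declares a macro-enabled content type; checking
both signals catches a .docm renamed to .docx. The two sample documents
built by build_sample() are constructed for the demo, not real lures.
"""
import io
import zipfile

VBA_PART_SUFFIX = "vbaproject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_PROJECT_MIME = "application/vnd.ms-office.vbaProject"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def inspect_ooxml(data: bytes) -> dict:
    """Return findings for an OOXML document supplied as bytes.

    Keys: is_zip, has_vba_part, macro_content_type, vba_parts.
    A non-zip input is reported, not raised, so a malformed attachment
    does not abort a triage loop.
    """
    result = {"is_zip": False, "has_vba_part": False,
              "macro_content_type": False, "vba_parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with zf:
        names = zf.namelist()
        result["is_zip"] = True
        # Signal 1: a VBA project part anywhere in the package.
        result["vba_parts"] = [n for n in names if n.lower().endswith(VBA_PART_SUFFIX)]
        result["has_vba_part"] = bool(result["vba_parts"])
        # Signal 2: the package declares a macro-enabled main part or a VBA MIME type.
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
            result["macro_content_type"] = (MACRO_CONTENT_TYPE in ct) or (VBA_PROJECT_MIME in ct)
    return result


def is_macro_document(data: bytes) -> bool:
    """True when either signal fires; either alone is enough to hold the file for review."""
    r = inspect_ooxml(data)
    return r["has_vba_part"] or r["macro_content_type"]


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container (not a real Word file) for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        main_ct = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
        ct_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
                  '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                  f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>')
        if with_macro:
            ct_xml += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PROJECT_MIME}"/>'
        ct_xml += "</Types>"
        zf.writestr("[Content_Types].xml", ct_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real VBA projects are OLE compound files; a placeholder header is enough here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("benign.docx", build_sample(False)), ("lure.docm", build_sample(True))):
        print(label, "macro" if is_macro_document(doc) else "no macro", inspect_ooxml(doc))
```

This check only covers the OOXML (zip-based) formats; a legacy binary .doc stores its macros inside an OLE compound file and needs an OLE parser such as oletools' olevba, which also extracts the macro source for analysis. Flagging the presence of a VBA project is a triage signal, not a verdict: the next step is to detonate or statically review the macro to see whether it reaches out for a second stage, as the DangerAds lure does.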

The Final Payload - AtlasAgent

Once the DangerAds trojan has done its job, it's time for the final payload: AtlasAgent. This mischievous piece of code is designed to obtain host information, execute shellcode, and download and execute further stages of the AtlasCross attack.

Targeted Attacks with a Side of Mystery

The AtlasCross attackers are not after everyone. They're focusing their efforts on targeted attacks against specific hosts within a network domain. But who are these specific targets? That remains a tantalizing mystery.

A New Threat Actor on the Scene

AtlasCross might be a new player in the cyber threat actor scene, but they're certainly making waves. With their high technical level and cautious attack attitude, this is one Red Cross impostor you definitely don't want to mess with.

Tags: AtlasCross, DangerAds, Malware, Network Intrusion, Phishing Activity, Red Cross Impersonation, targeted attacks