Cybersecurity researchers have discovery a new malware campaign that exploits Google Sheets as a command and control (C2) mechanism; the name of this malware is Voldemort, after the eponymous antagonist in the Harry Potter series.
New Google Sheets Exploiting Malware Called Voldemort
The activity, detected from Proofpoint starting August 5, 2024, mimics government tax authorities in Europe, Asia and the United States, aiming to target over 70 organizations worldwide through a bespoke tool called Voldemortdesigned to gather information and deliver additional payloads.
Industries targeted by the Voldemort malware include insurance, aerospace, transportation, academia, finance, technology, industrial, healthcare, automotive, hospitality, energy, government, media, manufacturing, telecommunications, and social welfare organizations.
The suspected cyber espionage campaign has not been attributed to a specific cybercriminal (or group of cybercriminals); Up to 20,000 email messages were sent as part of the attacks.
These emails claim to be from tax authorities in the United States, United Kingdom, France, Germany, Italy, India, and Japan, alerting recipients of changes in their tax returns and encouraging them to click on Google AMP Cache URLs that redirect users to an intermediate page.
Voldemort attacks Windows operating systems predominantly
The page controls the User-Agent string to determine if the operating system is Windows and, if so, uses the URI search-ms protocol: to display a Windows shortcut (LNK) file that uses Adobe Acrobat Reader to disguise itself as a PDF file, in an attempt to trick the victim into opening it.
“If the LNK file is executed, it invokes PowerShell to run Python.exe from a third WebDAV share on the same tunnel (library), passing a Python script on a fourth share (resource) on the same host as an argument“, explained Proofpoint researchers Tommy Madjar, Pim Trouerbach and Selena Larson, adding: “This causes Python to run the script without downloading any files to your computer, with dependencies loaded directly from the WebDAV share..”
The Python script is designed to collect system information and send the data in the form of a Base64 encoded string to a domain controlled by the cybercriminal or cybercriminal group, after which it shows a deceptive PDF to the user and downloads a password-protected ZIP file from OpenDrive.
Voldemort and the .ZIP archives
The ZIP archive, in turn, contains two files: a legitimate executable “CiscoCollabHost.exe”, which is vulnerable to DLL side-loading, and a malicious DLL “CiscoSparkLauncher.dll” (i.e., Voldemort) that is side-loaded.
Voldemort is a custom backdoor written in C with intelligence gathering and next-stage payload loading capabilities, using Google Sheets for C2, data exfiltration and operator command execution.
Proofpoint described the activity as aligned with advanced persistent threats (APTs), but with “cybercrime vibes” due to the use of techniques popular in the e-crime landscape.
“Cybercriminals abuse file URI schemes to access external file sharing resources for staging malware, especially WebDAV and Server Message Block (SMB). This is done by using the ‘file://’ scheme and pointing to a remote server hosting the malicious content“, the researchers said.
Voldemort and “Relationships” with Other Malware Families
This approach has become increasingly widespread among the Malware families acting as initial access brokers (IABs), such as LatrodectusDarkGate and XWorm.
Among other things, Proofpoint said it was able to read the contents of the Google Sheet, identifying a total of six victims, including one believed to be a sandbox or “known researcher.”
The campaign has been called unusual, raising the possibility that cybercriminals cast a wide net before zeroing in on a small group of targets, and it is also possible that the attackers, likely with varying levels of technical expertise, planned to infect several organizations.
“While many of the campaign’s characteristics are aligned with cybercriminal threat activity, we assess this as likely espionage activity conducted to support as yet unknown end goals.,” said the researchers, who then stated: “The Frankensteinian amalgam of intelligent and sophisticated capabilities, coupled with very basic techniques and functionality, makes it difficult to assess the level of cybercriminals’ capabilities and determine with high confidence the ultimate goals of the campaign..”
The development comes as Netskope Threat Labs discovered an updated version of Latrodectus (version 1.4) that includes a new C2 endpoint and adds two new backdoor commands that allow you to download shellcode from a specified server and retrieve arbitrary files from a remote location.
“Latrodectus has evolved quite rapidly, adding new features to its payload.“, has affirmed security researcher Leandro Fróes. “Understanding the updates applied to its payload allows defenders to maintain properly set up automated pipelines, as well as use the information to further research new variants.“
Insight: Can Voldemort Infect Linux Too?
While the described campaign appears to be focused on Windows systems, It cannot be ruled out that Voldemort could also attack Linux systemsespecially considering the cross-platform nature of the Python language.
Since many packages on Linux include Python libraries, There is a real possibility that the malware could be adapted to infect these systems as well.exploiting the same DLL side-loading technique or through other methods specific to the Linux environment and this scenario further increases the potential scope of the cyber threat.
Curiosity: Origin of the name Voldemort
The name “Voldemort” chosen for this malware is not accidental. It immediately recalls the image of the famous antagonist of the Harry Potter book and film series, known for his cunning, power and ability to act in the shadows and just like the fictional characterthe Voldemort malware was designed to operate stealthily, hiding its tracks as it gathers sensitive information and attacks its victims.almost “magical”, so to speak.
The association with such a fearsome name serves to underline the dangerousness and effectiveness of the malware, as well as creating an immediate and easily recognizable image of the threat it represents.
#Voldemort #Malware #Exploits #Google #Sheets