A new malware, identified as Voldemort, is targeting Google Sheets. It is also impersonating tax agencies from the U.S., Europe, and Asia to open and exploit multiple attack vectors.
Voldemort malware targeting Google Sheets
A new malware campaign has been identified and observed by Proofpoint. The malware is spreading a previously undocumented backdoor named “Voldemort”. It is not limited to one specific region and involves two stages.
According to Bleeping Computer, Voldemort is essentially a C-based backdoor. It packs multiple commands and file management actions. The malware can also introduce new payloads into the system and even delete files. However, the primary function is data exfiltration.
Proofpoint researchers Tommy Madjar (@ffforward), Pim Trouerbach (@Myrtus0x0) & Selena Larson (@selenalarson) look into a suspected espionage campaign delivering the Voldemort backdoor. https://t.co/pPLBk1YYpg pic.twitter.com/NCfXepvvqn
— Virus Bulletin (@virusbtn) August 30, 2024
It is concerning to note that the Voldemort malware is using Google Sheets as a Command And Control Server (C2). Moreover, this malware uses Google’s API with an embedded client ID, secret, and refresh token to interact with Google Sheets.
These techniques help the Voldemort malware stay under the radar. In other words, Voldemort’s network communication appears legitimate, and hence, security tools fail to flag it as suspicious.
Google Sheets is one of the most widely used cloud services. This means security teams cannot just block the service to stem the spread of the Voldemort malware through Google Sheets.
Malware impersonating tax officials to spread
In order to spread, threat actors have resorted to plain old phishing emails. Attackers are reportedly gathering a target’s organization’s location based on public information and then sending phishing emails.
These emails impersonate tax authorities from the organization’s country. It states there is updated tax information. The email includes links to “relevant” documents. Needless to add, these links are bait.
#threatreport #HighCompleteness
The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort” | 29-08-2024
Source: https://t.co/MDgQBuCLn5
Key details below ↓ pic.twitter.com/DpKb57Ttdf— RST Cloud (@rst_cloud) August 30, 2024
Security researchers have observed the links take victims to a landing page hosted on InfinityFree. If the malware recognizes it is on a Windows computer, it leads victims to a TryCloudflare-tunneled URI (Windows Search Protocol).
Interacting with the file results in the victims getting a ZIP file disguised as a PDF. This is a common technique in phishing attacks because files hosted on remote servers appear as if they are on the local computer. This fools victims into thinking they have downloaded the file and assume Microsoft Defender would have scanned the same.
When the ecrime gang finds something… else
If you like weird infection chains, WebDAV, Python, custom backdoors with novel C2 methods, and use of Dumpulator, PCAPs, and more, the gang @selenalarson @Myrtus0x0 @ffforward got you covered! https://t.co/IFvoNEVUmH pic.twitter.com/x5TMPkde59
— Greg Lesnewich (@greglesnewich) August 29, 2024
While the victim is interacting with the file, the Voldemort malware is installing in the background. To infect the system, it uses a legitimate Cisco WebEx executable (CiscoCollabHost.exe) and a malicious DLL (CiscoSparkLauncher.dll).
So far, Linux PCs and Mac OS users are immune to the malware attack. However, Proofpoint recommends restricting access to external file-sharing services. System and network admins can block connections to TryCloudflare and monitor suspicious PowerShell scripts running on office computers running Windows OS.
2024-08-31 15:05:39