New Voldemort malware abuses Google Sheets to store stolen data

A new malware campaign is spreading a previously undocumented backdoor named “Voldemort” to organizations worldwide, impersonating tax agencies from the U.S., Europe, and Asia.

According to a Proofpoint report, the campaign began on August 5, 2024, and has sent over 20,000 emails to over 70 targeted organizations, reaching 6,000 in a single day at the peak of its activity.

Over half of all targeted organizations are in the insurance, aerospace, transportation, and education sectors. The threat actor behind this campaign is unknown, but Proofpoint believes the most likely goal is to conduct cyber espionage.

The attack is similar to what Proofpoint described at the beginning of the month, but involved a different malware set in the final stage.

Impersonating tax authorities

A new Proofpoint report says the attackers are crafting phishing emails to match a targeted organization’s location based on public information.

The phishing emails impersonate tax authorities from the organization’s country, stating that there is updated tax information, and include links to related documents.

Samples of the malicious emails used in the campaign
Source: Proofpoint

Clicking on the link brings recipients to a landing page hosted on InfinityFree, which uses Google AMP Cache URLs to redirect the victim to a page with a “Click to view document” button.

When the button is clicked, the page checks the browser’s User Agent and, if it is for Windows, redirects the target to a search-ms URI (Windows Search Protocol) that points to a TryCloudflare-tunneled URI. Non-Windows users are redirected to an empty Google Drive URL that serves no malicious content.

If the victim interacts with the search-ms file, Windows Explorer is triggered to display a LNK or ZIP file disguised as a PDF.

Using the search-ms: URI has become common lately in phishing campaigns because, even though the file is hosted on an external WebDAV/SMB share, it is made to appear as if it resides locally in the Downloads folder, tricking the victim into opening it.

Making the file appear as if it is located on the victim’s computer
Source: Proofpoint

Doing so executes a Python script from another WebDAV share without downloading it to the host, which collects system information to profile the victim. At the same time, a decoy PDF is displayed to obscure the malicious activity.
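The search-ms lure described above can be spotted before a user ever clicks it. The following is an added example (not from Proofpoint or the original article) that parses a search-ms: URI and flags the two traits the text describes: a `crumb=location:` pointing at a remote WebDAV/SMB host, here behind a TryCloudflare tunnel, and a `displayname` that mimics a local folder such as Downloads. The sample URI is constructed; the hostname and share are placeholders, not real indicators.

```python
import re
from urllib.parse import unquote

# Tunnel domain named in the report; extend with your own blocklist.
TUNNEL_SUFFIXES = ("trycloudflare.com",)
# Folder names a lure spoofs so a remote share looks like a local folder.
LOCAL_LOOKING_NAMES = {"downloads", "desktop", "documents"}


def parse_search_ms(uri):
    """Split a search-ms: URI into its parameters (lower-cased keys, decoded values).
    Returns None when the URI does not use the search-ms scheme."""
    if not uri.lower().startswith("search-ms:"):
        return None
    params = {}
    for part in uri[len("search-ms:"):].split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip().lower()] = unquote(value)
    return params


def assess_search_ms(uri, trusted_hosts=()):
    """Return the reasons a search-ms: URI looks like a remote-share phishing lure."""
    params = parse_search_ms(uri)
    if params is None:
        return []
    reasons = []
    # crumb=location:\\host\share tells Explorer which share to list.
    match = re.search(r"location:\\\\([^\\]+)", params.get("crumb", ""), re.IGNORECASE)
    if match:
        host = match.group(1).lower()
        # WebDAV UNC paths may carry @SSL / @port suffixes; strip them for matching.
        bare_host = host.split("@")[0]
        if bare_host not in {h.lower() for h in trusted_hosts}:
            reasons.append(f"remote share on untrusted host {host}")
        if bare_host.endswith(TUNNEL_SUFFIXES):
            reasons.append(f"share hosted behind a tunnel service: {bare_host}")
    display = params.get("displayname", "")
    if display.lower() in LOCAL_LOOKING_NAMES:
        reasons.append(f"display name spoofs local folder '{display}'")
    return reasons


# Constructed sample modelled on the technique in the report (placeholder host, not an IoC).
SAMPLE_LURE = ("search-ms:query=tax&crumb=location:%5C%5Cplaceholder-tunnel.trycloudflare.com"
               "%40SSL%5CDavWWWRoot&displayname=Downloads")

if __name__ == "__main__":
    for reason in assess_search_ms(SAMPLE_LURE):
        print("ALERT:", reason)
```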

Decoy PDF that obscures the activity
Source: Proofpoint

The script also downloads a legitimate Cisco WebEx executable (CiscoCollabHost.exe) and a malicious DLL (CiscoSparkLauncher.dll) to load Voldemort using DLL side-loading.

Abuse of Google Sheets

Voldemort is a C-based backdoor that supports a wide range of commands and file management actions, including exfiltration, introducing new payloads into the system, and file deletion.

The list of supported commands is given below:

  • Ping – Tests the connectivity between the malware and the C2 server.
  • Dir – Retrieves a directory listing from the infected system.
  • Download – Downloads files from the infected system to the C2 server.
  • Upload – Uploads files from the C2 server to the infected system.
  • Exec – Executes a specified command or program on the infected system.
  • Copy – Copies files or directories within the infected system.
  • Move – Moves files or directories within the infected system.
  • Sleep – Puts the malware into sleep mode for a specified duration, during which it will not perform any actions.
  • Exit – Terminates the malware’s operation on the infected system.

A notable feature of Voldemort is that it uses Google Sheets as a command and control (C2) server, polling it for new commands to execute on the infected system and using it as a repository for stolen data.

Each infected machine writes its data to specific cells within the Google Sheet, which can be designated by unique identifiers such as UUIDs, ensuring isolation and clearer management of the breached systems.

Request to receive an access token from Google
Source: Proofpoint

Voldemort uses Google’s API with an embedded client ID, secret, and refresh token to interact with Google Sheets; these are stored in its encrypted configuration.

This approach gives the malware a reliable and highly available C2 channel, and also reduces the likelihood of its network communication being flagged by security tools. As Google Sheets is commonly used in the enterprise, blocking the service outright is impractical.
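Since blocking Google Sheets is impractical, a more useful control is to ask which process is talking to it. The following added example (not from the report or the article) runs over constructed per-process web log lines and flags any non-browser process that refreshes an OAuth token at oauth2.googleapis.com and then reads or writes a spreadsheet via the Sheets v4 API, the pattern the text attributes to Voldemort. The log format, the browser allowlist and the spreadsheet ID are assumptions; the CiscoCollabHost.exe process name is the side-loading host named on the page.

```python
from collections import defaultdict

# Processes expected to reach Google APIs interactively (assumption; tune per environment).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
TOKEN_HOST = "oauth2.googleapis.com"    # OAuth2 token endpoint (refresh-token grant)
SHEETS_HOST = "sheets.googleapis.com"   # Google Sheets API host


def parse_line(line):
    """Parse one constructed log line: '<ts> <host> <process> <method> <dst> <path>'."""
    ts, host, proc, method, dst, path = line.split(maxsplit=5)
    return {"ts": ts, "host": host, "proc": proc.lower(),
            "method": method, "dst": dst.lower(), "path": path}


def find_sheets_c2(lines):
    """Return sorted (host, process) pairs where a non-browser process both
    refreshed an OAuth token and then touched a spreadsheet through the v4 API."""
    seen = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec["proc"] in BROWSERS:
            continue  # interactive browser use is expected; not the pattern we want
        key = (rec["host"], rec["proc"])
        if rec["dst"] == TOKEN_HOST and rec["path"].startswith("/token"):
            seen[key].add("token")
        elif rec["dst"] == SHEETS_HOST and "/v4/spreadsheets/" in rec["path"]:
            seen[key].add("sheets")
    return sorted(k for k, stages in seen.items() if stages == {"token", "sheets"})


# Constructed sample records (not from the report); spreadsheet ID is a placeholder.
SAMPLE_LOG = [
    "2024-08-05T10:00:01Z WS01 chrome.exe POST oauth2.googleapis.com /token",
    "2024-08-05T10:00:02Z WS01 chrome.exe GET sheets.googleapis.com /v4/spreadsheets/PLACEHOLDER/values/Sheet1",
    "2024-08-05T10:05:10Z WS07 CiscoCollabHost.exe POST oauth2.googleapis.com /token",
    "2024-08-05T10:05:11Z WS07 CiscoCollabHost.exe GET sheets.googleapis.com /v4/spreadsheets/PLACEHOLDER/values/Sheet1",
    "2024-08-05T10:05:40Z WS07 CiscoCollabHost.exe PUT sheets.googleapis.com /v4/spreadsheets/PLACEHOLDER/values/Sheet1!A2",
    "2024-08-05T10:07:00Z WS09 outlook.exe POST oauth2.googleapis.com /token",
]

if __name__ == "__main__":
    for host, proc in find_sheets_c2(SAMPLE_LOG):
        print(f"ALERT: {proc} on {host} is using Google Sheets after a token refresh")
```

Only the pair with both stages fires: the browser is allowlisted, and outlook.exe refreshed a token without ever touching the Sheets API.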

In 2023, the Chinese APT41 hacking group was previously seen using Google Sheets as a command and control server by employing the red-teaming GC2 toolkit.

To defend against this campaign, Proofpoint recommends restricting access to external file-sharing services to trusted servers, blocking connections to TryCloudflare if not actively needed, and monitoring for suspicious PowerShell execution.
