New Voldemort malware abuses Google Sheets to store stolen data

A new malware campaign is spreading a previously undocumented backdoor named "Voldemort" to organizations worldwide, impersonating tax agencies from the U.S., Europe, and Asia.

According to a Proofpoint report, the campaign began on August 5, 2024, and has sent over 20,000 emails to more than 70 targeted organizations, reaching 6,000 in a single day at the peak of its activity.

Over half of all targeted organizations are in the insurance, aerospace, transportation, and education sectors. The threat actor behind this campaign is unknown, but Proofpoint believes the most likely goal is cyber espionage.

The attack is similar to what Proofpoint described at the start of the month but involved a different malware set in the final stage.

Impersonating tax authorities

A new Proofpoint report says the attackers craft phishing emails to match a targeted organization's location based on public information.

The phishing emails impersonate tax authorities from the organization's country, stating that there is updated tax information and including links to related documents.

Samples of the malicious emails used in the campaign
Source: Proofpoint

Clicking on the link brings recipients to a landing page hosted on InfinityFree, which uses Google AMP Cache URLs to redirect the victim to a page with a "Click to view document" button.

When the button is clicked, the page checks the browser's User-Agent and, if it is for Windows, redirects the target to a search-ms URI (Windows Search Protocol) that points to a TryCloudflare-tunneled URI. Non-Windows users are redirected to an empty Google Drive URL that serves no malicious content.

If the victim interacts with the search-ms file, Windows Explorer is triggered to display a LNK or ZIP file disguised as a PDF.

Use of the search-ms: URI has become popular recently in phishing campaigns because, although the file is hosted on an external WebDAV/SMB share, it is made to appear as if it resides locally in the Downloads folder, tricking the victim into opening it.

Making the file appear as if it is located on the victim's computer
Source: Proofpoint

Doing so executes a Python script from another WebDAV share without downloading it to the host; the script collects system information to profile the victim. At the same time, a decoy PDF is displayed to obscure the malicious activity.

Decoy PDF that diverts the victim's attention
Source: Proofpoint

The script also downloads a legitimate Cisco WebEx executable (CiscoCollabHost.exe) and a malicious DLL (CiscoSparkLauncher.dll) that loads Voldemort via DLL side-loading.

Abuse of Google Sheets

Voldemort is a C-based backdoor that supports a wide range of commands and file management actions, including exfiltration, introducing new payloads onto the system, and file deletion.

The list of supported commands is given below:

  • Ping – Checks the connectivity between the malware and the C2 server.
  • Dir – Retrieves a directory listing from the infected system.
  • Download – Downloads files from the infected system to the C2 server.
  • Upload – Uploads files from the C2 server to the infected system.
  • Exec – Executes a specified command or program on the infected system.
  • Copy – Copies files or directories within the infected system.
  • Move – Moves files or directories within the infected system.
  • Sleep – Puts the malware into sleep mode for a specified duration, during which it will not perform any actions.
  • Exit – Terminates the malware's operation on the infected system.

A notable feature of Voldemort is that it uses Google Sheets as a command and control (C2) server, polling it for new commands to execute on the infected device and using it as a repository for stolen data.

Each infected machine writes its data to specific cells within the Google Sheet, which can be designated by unique identifiers such as UUIDs, ensuring isolation and clearer management of the breached systems.

Request to obtain an access token from Google
Source: Proofpoint

Voldemort uses Google's API with an embedded client ID, secret, and refresh token to interact with Google Sheets; these are stored in its encrypted configuration.

This approach gives the malware a reliable and highly available C2 channel and also reduces the likelihood of the network communication being flagged by security tools. As Google Sheets is commonly used in the enterprise, it also makes blocking the service impractical.

In 2023, the Chinese APT41 hacking group was previously seen using Google Sheets as a command and control server through the use of the red-teaming GC2 toolkit.

To defend against this campaign, Proofpoint recommends restricting access to external file-sharing services to trusted servers, blocking connections to TryCloudflare if not actively needed, and monitoring for suspicious PowerShell execution.
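The delivery chain and C2 channel described above leave a few observable traces on the endpoint and proxy side: a search-ms: URI being opened, a *.trycloudflare.com host being referenced, and Google API traffic (the OAuth token request and Sheets access) originating from a process that is not a browser. The following is an added detection example, written for this article and not code from Proofpoint or from the Voldemort operators; it assumes a simple key=value log format (host, proc, url) and a browser allowlist that are both assumptions to be adapted to your own telemetry, and the sample log lines are constructed for the example.

```python
"""Flag proxy/endpoint log lines matching the Voldemort delivery and C2 pattern.

Assumed log format (per line): ISO timestamp, then key=value tokens
'host=', 'proc=' and 'url='. Adapt parse_line() to your real telemetry.
"""
import re
from urllib.parse import urlparse

# Processes expected to talk to Google APIs on a workstation.
# Assumption: tune this allowlist per environment.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Any subdomain of trycloudflare.com (quick tunnels), wherever it appears in the URL.
TRYCLOUDFLARE_RE = re.compile(r"\b[a-z0-9-]+\.trycloudflare\.com\b", re.IGNORECASE)

# key=value tokens; the url token swallows the rest of the line, so '=' inside it is fine.
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines (not real campaign data). Line 2 and line 3 should be flagged.
SAMPLE_LOGS = [
    "2024-08-06T09:12:01Z host=ws-17 proc=msedge.exe url=https://www.google.com/amp/s/landing.invalid/tax-update",
    r"2024-08-06T09:12:07Z host=ws-17 proc=explorer.exe url=search-ms:query=tax&crumb=location:\\abc123.trycloudflare.com\share",
    "2024-08-06T09:12:30Z host=ws-17 proc=CiscoCollabHost.exe url=https://oauth2.googleapis.com/token",
    "2024-08-06T09:13:02Z host=ws-22 proc=chrome.exe url=https://docs.google.com/spreadsheets/d/placeholder-id",
    "2024-08-06T09:14:11Z host=ws-22 proc=outlook.exe url=https://mail.example.invalid/owa",
]


def parse_line(line):
    """Turn 'key=value' tokens into a dict; returns {} if the line has no fields."""
    return dict(FIELD_RE.findall(line))


def classify(entry):
    """Return the list of reasons a parsed log entry is suspicious (empty if none)."""
    reasons = []
    url = entry.get("url", "")
    proc = entry.get("proc", "").lower()

    # 1. The lure opens a Windows Search Protocol URI pointing at an external share.
    if url.lower().startswith("search-ms:"):
        reasons.append("search-ms URI opened (Windows Search Protocol lure)")

    # 2. The share is reached through a TryCloudflare tunnel.
    match = TRYCLOUDFLARE_RE.search(url)
    if match:
        reasons.append(f"TryCloudflare tunnel host referenced: {match.group(0)}")

    # 3. Google API use (OAuth token refresh, Sheets API) by a non-browser process.
    #    Browsers legitimately hit these hosts; a side-loaded WebEx binary does not.
    host = (urlparse(url).hostname or "").lower()
    if host.endswith("googleapis.com") and proc and proc not in BROWSER_PROCESSES:
        reasons.append(f"Google API traffic from non-browser process {proc}")

    return reasons


def analyze(lines):
    """Run classify() over raw log lines and collect the findings in order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        reasons = classify(entry)
        if reasons:
            findings.append({
                "host": entry.get("host"),
                "proc": entry.get("proc"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(f"{finding['host']} {finding['proc']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

The third rule is the one worth keeping even after the campaign's infrastructure changes: blocking Google Sheets is impractical, as the article notes, but a workstation process other than a browser (or an approved sync client) requesting an OAuth token from Google is a narrow, low-noise signal that survives whatever the next lure looks like.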
