The threat actor, “Voldemort,” executed a sophisticated campaign targeting various organizations worldwide by employing a novel attack chain that leveraged Google Sheets for command and control and other unusual tactics.
“Voldemort” was a custom backdoor written in C with capabilities for exfiltrating data and delivering additional payloads; the activity was assessed to be an advanced persistent threat (APT) campaign aimed at intelligence gathering, with Cobalt Strike identified as a likely follow-on payload.
The malicious campaign, leveraging the Voldemort malware, targeted over 70 organizations globally, with a significant spike in activity on August 17. Impersonating tax authorities from various countries, the threat actor sent over 20,000 emails, customized to the target’s country of residence.
The campaign focused on specific verticals, particularly insurance companies, aerospace, transportation, and universities, sending emails from compromised domains that mimicked the real tax authority’s domain.
The phishing attack starts with a Google AMP Cache URL in an email that redirects to a landing page, which checks the User-Agent and delivers different payloads depending on the OS.
For Windows users, clicking a link triggers a Windows Search query that redirects to a malicious LNK file disguised as a PDF, which executes a Python script that gathers system information, sends it to the attacker, downloads a decoy PDF, and side-loads a backdoor named Voldemort disguised as a Cisco file.
APT actors are combining techniques typically found in both cybercrime and espionage campaigns: abusing file: scheme URIs to reach external file-sharing resources for malware staging, and using TryCloudflare tunnels to remotely access data.
The actors are abusing the saved search file format (.search-ms) to save a search query as a file on the WebDAV share, which allows them to hide elements that would otherwise indicate that the victim is not in a folder on their local machine.
The malware abuses a DLL side-loading weakness in CiscoCollabHost.exe to execute a malicious DLL, which then establishes communication with a Google Sheets-based C2 server, using an unusual API invocation technique and decrypting its strings with a custom algorithm.
It searches for a specific marker in its own file to locate its configuration, which contains information necessary for connecting to the C2. After authenticating with Google Sheets, the malware reads and writes data to the specified sheet, allowing attackers to issue commands and receive status updates.
The researchers at Proofpoint discovered that the malware used a Google Sheet to store victim information and execute commands. By analyzing the Google Sheet and associated Google Drive files, they identified several victims, including a sandbox and known researchers.
They also found training materials related to OpenWRT firmware code and a password-protected 7-zip archive containing a DLL and executable.
The executable was vulnerable to DLL side loading and could be used to inject a Cobalt Strike Beacon. The researchers extracted the Cobalt Strike configuration, revealing the domain and URI used for communication.