Hackers abuse Google Sheets to covertly store and transmit stolen data or execute malicious scripts, taking advantage of its trusted platform status and collaboration features.
Cybersecurity researchers at Proofpoint identified an unusual campaign in August 2024 involving the use of new attack chain steps to deploy custom malware called ‘Voldemort.’
The attack chain combines techniques that are common across the threat landscape with one that is rare: using Google Sheets for command and control (C2).
Voldemort itself is a backdoor, written in C, that gathers intelligence and loads additional payloads.
Technical Analysis
The actor’s infrastructure hosted Cobalt Strike, most probably as one of the payloads to be dropped. At first, the researchers thought the activity might be a red team exercise.
However, given the volume of messages and the results of the malware analysis, they attributed it to an APT focused on intelligence gathering, although they cannot name the actor.
Starting from 5 August 2024, the cyber attacks intensified and the number of messages across more than 70 organisations increased to over 20,000.
To reach their targets, the campaign redirected users to search-ms URIs via Google AMP Cache URLs, InfinityFree landing pages and Cloudflare tunnels; the URI invoked Windows Search and opened a Windows shortcut file (LNK), or a ZIP file containing an LNK, in Windows Explorer.
When opened, the LNK file used PowerShell to run a Python script hosted on a WebDAV share. That script collected system information and downloaded a decoy PDF together with a password-protected ZIP file containing ciscocollabhost.exe, cimcagent.exe and ciscosparklauncher.dll, the last of which launches the malware named Voldemort.
Voldemort is a backdoor that can gather information and load other malware.
The threat actor abused the Saved Search File Format (.search-ms) to hide the remote nature of the malicious files and used Google Sheets infrastructure for the following purposes:
- Command and control
- Data exfiltration
- Executing commands
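The lure chain above (AMP Cache URL, free-hosting or tunnel landing page, then a search-ms: URI pointing Explorer at a remote WebDAV share) leaves a recognisable trail in URL telemetry. The following classifier is an added example, not Proofpoint’s tooling or code from the campaign; the sample URIs are constructed placeholders, and the landing-domain list is an assumption to be tuned per environment.

```python
import re
from typing import Optional
from urllib.parse import unquote

# AMP Cache URLs look like https://<sub>.cdn.ampproject.org/c/s/<origin-host>/<path>
AMP_CACHE = re.compile(r"^https?://[^/]+\.cdn\.ampproject\.org/c/(?:s/)?(.+)$", re.I)
SEARCH_MS = re.compile(r"search-ms:(.*)$", re.I)
# Assumption: free-hosting / tunnel domains used for landing pages; tune per environment.
SUSPICIOUS_LANDING = (".infinityfreeapp.com", ".trycloudflare.com")


def unwrap_amp(url: str) -> str:
    """Return the origin URL wrapped by an AMP Cache URL; unchanged if not AMP-wrapped."""
    m = AMP_CACHE.match(unquote(url))
    return "https://" + m.group(1) if m else url


def search_ms_location(uri: str) -> Optional[str]:
    """Return the crumb=location: target of a search-ms: URI ('' if absent), or None."""
    m = SEARCH_MS.search(unquote(uri))
    if not m:
        return None
    for part in m.group(1).split("&"):
        key, _, value = part.partition("=")
        if key.lower() == "crumb" and value.lower().startswith("location:"):
            return value[len("location:"):]
    return ""


def classify(uri: str) -> str:
    """Label one observed URI from mail, proxy or browser telemetry."""
    loc = search_ms_location(uri)
    if loc is not None:
        # A UNC path (e.g. a WebDAV share) or an http(s) location makes Explorer
        # fetch the listing from a remote host: the pattern behind the LNK lure.
        remote = loc.startswith("\\\\") or loc.lower().startswith(("http://", "https://"))
        return "search-ms-remote" if remote else "search-ms-local"
    origin = unwrap_amp(uri)
    host = re.sub(r"^https?://([^/]+).*$", r"\1", origin).lower()
    if origin != uri and host.endswith(SUSPICIOUS_LANDING):
        return "amp-wrapped-suspicious-landing"
    return "benign"


SAMPLE_URIS = [  # constructed inputs; hostnames are placeholders, not indicators
    "https://lure-invalid.cdn.ampproject.org/c/s/lure.infinityfreeapp.com/open?id=1",
    "search-ms:query=invoice&crumb=location:\\\\dav.example.invalid@SSL\\DavWWWRoot&displayname=Downloads",
    "search-ms:query=report&crumb=location:C:\\Users\\Public",
    "https://docs.google.com/spreadsheets/d/placeholder",
]

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(classify(u), "<-", u)
```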
While analysing the threat actor’s use of Google Sheets as a communication channel, the researchers found that a standard Google API was used with an embedded client ID and client secret, which let the malware read data from Google Sheets.
The investigation also uncovered information about the active infections, most of which turned out to be sandboxes or known researchers.
Examining other sections of the Google Sheets also revealed the commands the actor had run on several registered bots.
In each case where the actor engaged with a victim’s machine, they created a new page using that machine’s hostname and username.
The actor’s role in the system was minimal. It revolved only around issuing commands to list the contents of two folders.
Investigating Google Drive in the same manner with the same client secrets further revealed additional artifacts to the researchers, including a 7zip archive with password protection holding a DLL and an executable.
The file “Shuaruta.exe” was also vulnerable to DLL sideloading and could be used to load a Cobalt Strike beacon onto the system.