Voldemort Threat Actors Abusing Google Sheets to Attack Windows Users 


Researchers from Proofpoint have uncovered a sophisticated cyberattack campaign leveraging Google Sheets as a command and control (C2) platform.

Dubbed “Voldemort” by the researchers, this campaign targets Windows users globally, employing a novel attack chain that combines both common and rare techniques to deliver custom malware.

This article delves into the intricacies of the campaign, its implications, and the broader cybersecurity challenges it presents.

Unveiling the Voldemort Campaign

Proofpoint researchers identified an attack campaign that stands out due to its unique use of Google Sheets for C2 operations.

The malware, internally named “Voldemort,” is a custom backdoor written in C, capable of gathering information and deploying additional payloads.

The attack chain involves a series of sophisticated techniques, including the abuse of Google Sheets, which is relatively uncommon in the threat landscape.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

The campaign began on August 5, 2024, and involved over 20,000 malicious messages targeting more than 70 organizations worldwide.

The threat actors impersonated tax authorities from various countries, including the U.S., UK, France, Germany, Italy, India, and Japan.

These emails, written in the language of the impersonated authority, were sent from compromised domains, adding a layer of authenticity to the phishing attempts.

Emails impersonating HRMC and DGFIP

Attack Chain Mechanics

The emails contained links that redirected victims to a landing page hosted on InfinityFree. Upon clicking a “View Document” button, the page checked the user’s browser for a Windows environment.

If detected, the victim was redirected to a TryCloudflare-tunneled URI, prompting the opening of Windows Explorer.

This stealthy redirection technique allowed the malware to masquerade as a local PDF file, increasing the likelihood of user interaction.

InfinityFree hosted a landing page
InfinityFree hosted a landing page

Technical Analysis of the Malware

The Voldemort campaign exploits the Windows search protocol (search-ms) to display remote files as if they were local.

This technique, used to deploy remote access trojans (RATs), is becoming increasingly popular among cybercriminals. The campaign also utilizes saved search file formats (.search-ms) to further obscure the malicious activity.

HTML Redirect Logic embedded on a landing page
HTML Redirect Logic embedded on a landing page

Execution and Payload Delivery

If the victim executes the malicious LNK file, it triggers a PowerShell command to run Python.exe from a WebDAV share, executing a Python script without downloading files to the host.

This script collects system information and sends it to the threat actor’s infrastructure. The malware then downloads a decoy PDF and a password-protected ZIP file, extracting and executing a legitimate executable vulnerable to DLL hijacking.

Shortcut masquerading as a PDF
Shortcut masquerading as a PDF

The Role of Google Sheets in C2 Operations

Leveraging Google Infrastructure

Rather than using dedicated or compromised infrastructure, the Voldemort malware utilizes Google Sheets for C2, data exfiltration, and command execution.

By authenticating with Google Sheets using a client token, the malware can read and write data, effectively using the platform as a communication channel with the threat actors.

The malware supports a range of commands, including file operations and system commands, all executed via Google Sheets.

The actors can issue commands to the bot, which reports back with status messages, including the malware’s name, “Voldemort.”

Decrypted status messages
Decrypted status messages

Implications and Challenges

APT Activity with Cybercrime Characteristics

Proofpoint assesses with moderate confidence that the Voldemort campaign is likely orchestrated by an advanced persistent threat (APT) actor focused on intelligence gathering.

Despite its espionage-like capabilities, the campaign’s volume and targeting align more closely with cybercriminal activities, presenting a unique blend of threats.

PCAP of pingb.in traffic
PCAP of pingb.in traffic

The abuse of cloud services like Google Sheets for malicious purposes highlights a growing trend in the cyber threat landscape.

Such tactics allow threat actors to leverage legitimate infrastructure, making detection and mitigation more challenging for cybersecurity professionals.

Manual browsing of WebDAV share
Manual browsing of WebDAV share

The Voldemort campaign represents a significant evolution in cyberattack strategies, combining sophisticated techniques with innovative cloud-based services for malicious purposes.

As threat actors continue to adapt and exploit new technologies, cybersecurity professionals must remain vigilant and proactive in developing defenses against such complex threats.

Using Google Sheets as a C2 platform underscores the need for enhanced security measures and awareness of the potential misuse of legitimate cyberattack services.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial



Source link