Tuesday, November 12, 2024
HomeCyber Security NewsVoldemort Threat Actors Abusing Google Sheets to Attack Windows Users 

Voldemort Threat Actors Abusing Google Sheets to Attack Windows Users 

Published on

Malware protection

Researchers from Proofpoint have uncovered a sophisticated cyberattack campaign leveraging Google Sheets as a command and control (C2) platform.

Dubbed “Voldemort” by the researchers, this campaign targets Windows users globally, employing a novel attack chain that combines both common and rare techniques to deliver custom malware.

This article delves into the intricacies of the campaign, its implications, and the broader cybersecurity challenges it presents.

- Advertisement - SIEM as a Service

Unveiling the Voldemort Campaign

Proofpoint researchers identified an attack campaign that stands out due to its unique use of Google Sheets for C2 operations.

The malware, internally named “Voldemort,” is a custom backdoor written in C, capable of gathering information and deploying additional payloads.

The attack chain involves a series of sophisticated techniques, including the abuse of Google Sheets, which is relatively uncommon in the threat landscape.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

The campaign began on August 5, 2024, and involved over 20,000 malicious messages targeting more than 70 organizations worldwide.

The threat actors impersonated tax authorities from various countries, including the U.S., UK, France, Germany, Italy, India, and Japan.

These emails, written in the language of the impersonated authority, were sent from compromised domains, adding a layer of authenticity to the phishing attempts.

Emails impersonating HRMC and DGFIP
Emails impersonating HRMC and DGFIP

Attack Chain Mechanics

The emails contained links that redirected victims to a landing page hosted on InfinityFree. Upon clicking a “View Document” button, the page checked the user’s browser for a Windows environment.

If detected, the victim was redirected to a TryCloudflare-tunneled URI, prompting the opening of Windows Explorer.

This stealthy redirection technique allowed the malware to masquerade as a local PDF file, increasing the likelihood of user interaction.

InfinityFree hosted a landing page
InfinityFree hosted a landing page

Technical Analysis of the Malware

The Voldemort campaign exploits the Windows search protocol (search-ms) to display remote files as if they were local.

This technique, used to deploy remote access trojans (RATs), is becoming increasingly popular among cybercriminals. The campaign also utilizes saved search file formats (.search-ms) to further obscure the malicious activity.

HTML Redirect Logic embedded on a landing page
HTML Redirect Logic embedded on a landing page

Execution and Payload Delivery

If the victim executes the malicious LNK file, it triggers a PowerShell command to run Python.exe from a WebDAV share, executing a Python script without downloading files to the host.

This script collects system information and sends it to the threat actor’s infrastructure. The malware then downloads a decoy PDF and a password-protected ZIP file, extracting and executing a legitimate executable vulnerable to DLL hijacking.

Shortcut masquerading as a PDF
Shortcut masquerading as a PDF

The Role of Google Sheets in C2 Operations

Leveraging Google Infrastructure

Rather than using dedicated or compromised infrastructure, the Voldemort malware utilizes Google Sheets for C2, data exfiltration, and command execution.

By authenticating with Google Sheets using a client token, the malware can read and write data, effectively using the platform as a communication channel with the threat actors.

The malware supports a range of commands, including file operations and system commands, all executed via Google Sheets.

The actors can issue commands to the bot, which reports back with status messages, including the malware’s name, “Voldemort.”

Decrypted status messages
Decrypted status messages

Implications and Challenges

APT Activity with Cybercrime Characteristics

Proofpoint assesses with moderate confidence that the Voldemort campaign is likely orchestrated by an advanced persistent threat (APT) actor focused on intelligence gathering.

Despite its espionage-like capabilities, the campaign’s volume and targeting align more closely with cybercriminal activities, presenting a unique blend of threats.

PCAP of pingb.in traffic
PCAP of pingb.in traffic

The abuse of cloud services like Google Sheets for malicious purposes highlights a growing trend in the cyber threat landscape.

Such tactics allow threat actors to leverage legitimate infrastructure, making detection and mitigation more challenging for cybersecurity professionals.

Manual browsing of WebDAV share
Manual browsing of WebDAV share

The Voldemort campaign represents a significant evolution in cyberattack strategies, combining sophisticated techniques with innovative cloud-based services for malicious purposes.

As threat actors continue to adapt and exploit new technologies, cybersecurity professionals must remain vigilant and proactive in developing defenses against such complex threats.

Using Google Sheets as a C2 platform underscores the need for enhanced security measures and awareness of the potential misuse of legitimate cyberattack services.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Dell Enterprise SONiC Flaw Let Attackers Hijack the System

Dell Technologies has disclosed multiple critical security vulnerabilities in its Enterprise SONiC OS, which...

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Dell Enterprise SONiC Flaw Let Attackers Hijack the System

Dell Technologies has disclosed multiple critical security vulnerabilities in its Enterprise SONiC OS, which...

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...