National Cyber Warfare Foundation (NCWF)

Voldemort Threat Actors Abusing Google Sheets to Attack Windows Users


0 user ratings
2024-08-30 11:39:10
milo
Red Team (CNA)

 - archive -- 

Researchers from Proofpoint have uncovered a sophisticated cyberattack campaign leveraging Google Sheets as a command and control (C2) platform. Dubbed “Voldemort” by the researchers, this campaign targets Windows users globally, employing a novel attack chain that combines both common and rare techniques to deliver custom malware. This article delves into the intricacies of the campaign, […]


The post Voldemort Threat Actors Abusing Google Sheets to Attack Windows Users  appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Researchers from Proofpoint have uncovered a sophisticated cyberattack campaign leveraging Google Sheets as a command and control (C2) platform.





Dubbed “Voldemort” by the researchers, this campaign targets Windows users globally, employing a novel attack chain that combines both common and rare techniques to deliver custom malware.





This article delves into the intricacies of the campaign, its implications, and the broader cybersecurity challenges it presents.





Unveiling the Voldemort Campaign





Proofpoint researchers identified an attack campaign that stands out due to its unique use of Google Sheets for C2 operations.





The malware, internally named “Voldemort,” is a custom backdoor written in C, capable of gathering information and deploying additional payloads.





The attack chain involves a series of sophisticated techniques, including the abuse of Google Sheets, which is relatively uncommon in the threat landscape.





What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!





The campaign began on August 5, 2024, and involved over 20,000 malicious messages targeting more than 70 organizations worldwide.





The threat actors impersonated tax authorities from various countries, including the U.S., UK, France, Germany, Italy, India, and Japan.





These emails, written in the language of the impersonated authority, were sent from compromised domains, adding a layer of authenticity to the phishing attempts.





Emails impersonating HRMC and DGFIP
Emails impersonating HRMC and DGFIP




Attack Chain Mechanics





The emails contained links that redirected victims to a landing page hosted on InfinityFree. Upon clicking a “View Document” button, the page checked the user’s browser for a Windows environment.





If detected, the victim was redirected to a TryCloudflare-tunneled URI, prompting the opening of Windows Explorer.





This stealthy redirection technique allowed the malware to masquerade as a local PDF file, increasing the likelihood of user interaction.





InfinityFree hosted a landing page
InfinityFree hosted a landing page




Technical Analysis of the Malware





The Voldemort campaign exploits the Windows search protocol (search-ms) to display remote files as if they were local.





This technique, used to deploy remote access trojans (RATs), is becoming increasingly popular among cybercriminals. The campaign also utilizes saved search file formats (.search-ms) to further obscure the malicious activity.





HTML Redirect Logic embedded on a landing page
HTML Redirect Logic embedded on a landing page




Execution and Payload Delivery





If the victim executes the malicious LNK file, it triggers a PowerShell command to run Python.exe from a WebDAV share, executing a Python script without downloading files to the host.





This script collects system information and sends it to the threat actor’s infrastructure. The malware then downloads a decoy PDF and a password-protected ZIP file, extracting and executing a legitimate executable vulnerable to DLL hijacking.





Shortcut masquerading as a PDF
Shortcut masquerading as a PDF




The Role of Google Sheets in C2 Operations





Leveraging Google Infrastructure





Rather than using dedicated or compromised infrastructure, the Voldemort malware utilizes Google Sheets for C2, data exfiltration, and command execution.





By authenticating with Google Sheets using a client token, the malware can read and write data, effectively using the platform as a communication channel with the threat actors.





The malware supports a range of commands, including file operations and system commands, all executed via Google Sheets.





The actors can issue commands to the bot, which reports back with status messages, including the malware’s name, “Voldemort.”





Decrypted status messages
Decrypted status messages




Implications and Challenges





APT Activity with Cybercrime Characteristics





Proofpoint assesses with moderate confidence that the Voldemort campaign is likely orchestrated by an advanced persistent threat (APT) actor focused on intelligence gathering.





Despite its espionage-like capabilities, the campaign’s volume and targeting align more closely with cybercriminal activities, presenting a unique blend of threats.





PCAP of pingb.in traffic
PCAP of pingb.in traffic




The abuse of cloud services like Google Sheets for malicious purposes highlights a growing trend in the cyber threat landscape.





Such tactics allow threat actors to leverage legitimate infrastructure, making detection and mitigation more challenging for cybersecurity professionals.





Manual browsing of WebDAV share
Manual browsing of WebDAV share




The Voldemort campaign represents a significant evolution in cyberattack strategies, combining sophisticated techniques with innovative cloud-based services for malicious purposes.





As threat actors continue to adapt and exploit new technologies, cybersecurity professionals must remain vigilant and proactive in developing defenses against such complex threats.





Using Google Sheets as a C2 platform underscores the need for enhanced security measures and awareness of the potential misuse of legitimate cyberattack services.





Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial


The post Voldemort Threat Actors Abusing Google Sheets to Attack Windows Users  appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Source: gbHackers
Source Link: https://gbhackers.com/voldemort-abusing-google-sheets/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Red Team (CNA)



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.