Attackers are actively using Google Sheets as malware command-and-control.
In August 2024, researchers from Proofpoint discovered an unusual malware campaign delivering a backdoor they named "Voldemort", after strings in the malware that reference J.K. Rowling's Harry Potter universe. The malware is assessed to be built for espionage: it collects information about the infected host and can download and run additional components.
The campaign stands out for its unusual techniques, above all the use of Google Sheets for command and control (C2), which is rare in such operations. The attackers impersonated tax authorities in several countries, including the United States, the United Kingdom, France, Germany, Italy, India and Japan, and sent fake notices of tax changes to organizations around the world.
Since August 5, 2024, the attackers have sent more than 20,000 messages to more than 70 organizations worldwide. At the peak of the campaign, on August 17, volume rose to nearly 6,000 messages in a single day. According to Proofpoint, the most likely objective is intelligence gathering, although the ultimate goal remains unknown.
"Voldemort" is written in C, and the infection chain uses several techniques to hide its activity: malicious components are disguised as ordinary files, and PowerShell executes a Python script directly from a remote WebDAV share, so that stage is never written to the victim's disk. The backdoor itself is loaded by a legitimate, signed Cisco Webex executable, "CiscoCollabHost.exe", which side-loads the malicious DLL placed next to it.
The campaign blends tradecraft seen in both cyberespionage and financially motivated cybercrime. One example is abuse of the Windows search-ms: URI scheme: a link on the landing page opens an Explorer search window whose "results" are in fact files on an attacker-controlled remote WebDAV share, so the malicious shortcut appears to the victim as a local file and hides where the threat really comes from.
Despite the scale and sophistication of the campaign, Proofpoint could not attribute the activity to a known group with high confidence. The researchers believe it may be a new or little-known actor that combines basic and advanced tradecraft.
What makes Voldemort unusual is its use of Google Sheets as the channel between infected hosts and the operators: the backdoor reads commands from and writes results to a spreadsheet through the Google Sheets API, so its C2 traffic blends in with legitimate use of a trusted cloud service. The same tooling choices also show that espionage actors are willing to borrow methods typical of cybercriminals, which complicates both detection and attribution.
Proofpoint recommends that organizations restrict access to external file-sharing services to known, approved servers and block suspicious outbound network connections. Because the C2 hides inside Google Sheets API traffic, blocking the destination is rarely an option; detection has to rely on which process is making the request and on the earlier stages of the chain (search-ms links, WebDAV mounts, PowerShell fetching from outside).
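The two checks below turn the tradecraft described above (search-ms: URIs pointing at a remote WebDAV share, and Google Sheets API traffic from a process that is not a browser) into detection logic. This is an added example, not Proofpoint's code or anything from the campaign; the telemetry record layout, the hostnames, and the internal DNS suffix `.corp.internal` are constructed assumptions for illustration.

```python
"""Added example (not Proofpoint's code): two detection checks for the
Voldemort tradecraft described above.

1. search-ms: URIs whose crumb=location points Explorer at a remote WebDAV
   share (the host@SSL / host@port UNC form).
2. Network telemetry where a non-browser process talks to the Google Sheets
   API, or where a process reaches an external WebDAV share.

The record layout, hostnames and internal-domain suffix are constructed
assumptions for illustration; adapt them to your EDR/proxy schema.
"""
import re
from urllib.parse import unquote

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}      # expected Sheets API clients
SHEETS_HOST = "sheets.googleapis.com"
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK"}   # WebDAV-only HTTP verbs
INTERNAL_SUFFIX = ".corp.internal"                            # assumed internal DNS suffix

_CRUMB_RE = re.compile(r"crumb=location:([^&]+)", re.I)
# \\host\..., \\host@SSL\..., \\host@8080\...  (the @ forms are mounted over WebDAV)
_UNC_RE = re.compile(r"^\\\\([^\\@]+)(@ssl|@\d+)?\\", re.I)


def remote_search_ms_host(uri):
    """Return the host a search-ms: URI makes Explorer connect to, or None.

    Explorer uses the crumb=location UNC path as the search scope, so a remote
    host here means the 'local' search results are really files on that host.
    """
    if not uri.lower().startswith("search-ms:"):
        return None
    crumb = _CRUMB_RE.search(unquote(uri))
    if not crumb:
        return None
    unc = _UNC_RE.match(crumb.group(1))
    return unc.group(1).lower() if unc else None


def is_external(host):
    return not host.lower().endswith(INTERNAL_SUFFIX)


def classify_event(ev):
    """Return the list of alert tags for one network event ([] if benign).

    ev is a dict with 'process', 'method', 'host' and 'path' keys.
    """
    alerts = []
    proc, host = ev["process"].lower(), ev["host"].lower()
    # Sheets API is normal from a browser; from anything else it deserves a look.
    if host == SHEETS_HOST and proc not in BROWSERS:
        alerts.append(f"sheets-api-from-non-browser:{proc}")
    # WebDAV verbs to an external host: Explorer/WebClient mounting a remote share.
    if ev["method"].upper() in WEBDAV_METHODS and is_external(host):
        alerts.append(f"external-webdav:{host}")
    # PowerShell pulling content from outside the network: the fileless loader stage.
    if proc == "powershell.exe" and is_external(host):
        alerts.append(f"powershell-external-fetch:{host}")
    return alerts


def scan(events):
    """Return [(index, alerts)] for every event that raised at least one alert."""
    hits = []
    for i, ev in enumerate(events):
        alerts = classify_event(ev)
        if alerts:
            hits.append((i, alerts))
    return hits


# Constructed sample input (hostnames are placeholders, not real indicators).
SAMPLE_SEARCH_MS = (r"search-ms:query=tax%20notice&crumb=location:"
                    r"\\files.example-invalid.test@SSL\DavWWWRoot\docs&displayname=Downloads")

SAMPLE_EVENTS = [
    {"process": "chrome.exe", "method": "GET", "host": "sheets.googleapis.com",
     "path": "/v4/spreadsheets/abc/values/Sheet1"},                     # benign browser use
    {"process": "CiscoCollabHost.exe", "method": "GET", "host": "sheets.googleapis.com",
     "path": "/v4/spreadsheets/abc/values/Sheet1"},                     # side-loaded DLL polling C2
    {"process": "svchost.exe", "method": "PROPFIND", "host": "files.example-invalid.test",
     "path": "/DavWWWRoot/docs/"},                                      # WebClient mounting the share
    {"process": "powershell.exe", "method": "GET", "host": "files.example-invalid.test",
     "path": "/DavWWWRoot/docs/stage.py"},                              # fileless loader fetch
    {"process": "explorer.exe", "method": "PROPFIND", "host": "nas01.corp.internal",
     "path": "/share/"},                                                # internal WebDAV, benign
]

if __name__ == "__main__":
    print("search-ms target:", remote_search_ms_host(SAMPLE_SEARCH_MS))
    for idx, alerts in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["process"], alerts)
```

The Sheets rule deliberately keys on the originating process rather than the destination, because `sheets.googleapis.com` is legitimate traffic in most environments and cannot simply be blocked; the process allowlist is the part you must tune to your own estate. The search-ms check is useful both on proxy logs (the landing-page redirect) and on endpoint command-line telemetry. If search-ms: links are not needed in your environment, removing the protocol handler (the `HKEY_CLASSES_ROOT\search-ms` registry key, after backing it up) is a commonly recommended hardening step that closes this delivery path entirely.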
Source