Friend
In a new report, Proofpoint researchers uncover a malicious campaign that distributes a previously undocumented backdoor, Voldemort, to organizations around the world while posing as US, European, and Asian tax authorities.
The campaign has been active since at least August 5, 2024 and has sent more than 20,000 emails to more than 70 targeted organizations; at the peak of activity, the volume reached 6,000 emails per day.
More than half of all targeted organizations are in the insurance, aerospace, transportation, and education sectors. According to Proofpoint, the most likely objective is cyberespionage.
The emails claim to contain updated tax information and link to the relevant documents.
Clicking the link takes recipients to a landing page hosted on InfinityFree, which uses Google AMP cache URLs to redirect the victim to a page with a "click to view document" button.
When the button is clicked, the page checks the browser's User-Agent and, if it indicates Windows, redirects the target to a search-ms: URI (Windows Search Protocol) that points to a share tunneled through TryCloudflare.
Non-Windows users are redirected to an empty Google Drive URL that contains no malicious content.
When the search-ms: URI is opened, Windows Explorer displays an LNK or ZIP file disguised as a PDF.
This technique has recently become popular in phishing: the file is hosted on an external WebDAV/SMB resource but appears to be located locally in the "Downloads" folder, which tricks the victim into opening it.
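A defender-side triage of the search-ms: lure described above, written as an added example (not code from the report or from Proofpoint): it parses the URI's parameters, checks whether the `crumb=location:` value is a remote UNC/WebDAV path rather than a local folder, and notes when the `displayname` mimics a local folder such as "Downloads". The sample URIs and hostnames are constructed placeholders, not indicators from the campaign.

```python
import re
from urllib.parse import parse_qs

# Constructed sample URIs for the demo; the hostnames are placeholders, not indicators.
SAMPLES = [
    "search-ms:query=tax&crumb=location:%5C%5Cplaceholder-words.trycloudflare.com%40SSL"
    "%5CDavWWWRoot%5Ctax&displayname=Downloads",
    "search-ms:query=invoice&crumb=location:C:%5CUsers%5Calice%5CDocuments&displayname=Documents",
    "https://docs.example.test/tax-update.pdf",
]

# UNC prefix of a remote location crumb: \\host[@SSL|@port]\share...
REMOTE_LOCATION = re.compile(r"^\\\\(?P<host>[^\\@]+)(?:@(?:SSL|\d+))?\\", re.IGNORECASE)
LOCAL_FOLDER_NAMES = {"downloads", "desktop", "documents"}


def parse_search_ms(uri):
    """Return the search-ms: parameters as a dict, or None if the URI uses another scheme."""
    if not uri.lower().startswith("search-ms:"):
        return None
    params = parse_qs(uri[len("search-ms:"):], keep_blank_values=True)  # also percent-decodes
    return {k: v[0] for k, v in params.items()}


def triage_search_ms(uri):
    """Return the reasons a search-ms: URI looks like a remote-folder lure; empty list if benign."""
    params = parse_search_ms(uri)
    if params is None:
        return []
    reasons = []
    crumb = params.get("crumb", "")
    location = crumb[len("location:"):] if crumb.lower().startswith("location:") else ""
    remote = REMOTE_LOCATION.match(location)
    if remote:
        host = remote.group("host").lower()
        reasons.append(f"location crumb points to remote share on {host}")
        if host.endswith(".trycloudflare.com"):
            reasons.append("share is served through a TryCloudflare tunnel")
        if params.get("displayname", "").lower() in LOCAL_FOLDER_NAMES:
            reasons.append(f"displayname '{params['displayname']}' mimics a local folder")
    return reasons


def flag_uris(uris):
    """Map each suspicious URI to its reasons; benign URIs are omitted."""
    flagged = {}
    for uri in uris:
        reasons = triage_search_ms(uri)
        if reasons:
            flagged[uri] = reasons
    return flagged
```

Run `flag_uris` over URLs extracted from mail-gateway or proxy logs; a hit on a remote location crumb with a local-looking display name is the signature of this lure.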
Opening it executes a Python script from another WebDAV share without downloading it to the host; the script collects system information to profile the victim while a decoy PDF is displayed.
The script also drops a legitimate Cisco WebEx executable (CiscoCollabHost.exe) alongside a malicious DLL (CiscoSparkLauncher.dll), delivering Voldemort through DLL sideloading.
Voldemort itself is a backdoor written in C that supports a wide range of file management commands and actions, including exfiltration, dropping new payloads onto the system, and deleting files.
A notable feature of Voldemort is that it uses Google Sheets as its C2, polling it for new commands to execute on the infected device and using it as a repository for stolen data.
Each infected machine writes its data to specific cells in the Google Sheet, which can be labeled with unique identifiers such as UUIDs, allowing compromised systems to be isolated and managed individually.
To interact with Google Sheets, Voldemort uses Google's API with a built-in client ID, client secret, and refresh token, which are stored in its encrypted configuration.
This approach gives the malware a reliable and highly available C2 channel and also reduces the likelihood that its network communication will be flagged by security tools.