Voldemort is a customized malware used in a global cyber espionage campaign that targeted over 70 organizations and sent around 20,000 phishing emails. Researchers identified diverse TTPs, including weaponized Google Sheets and impersonation of government agencies, and expanded IoCs to a large set of registrant- and string-connected artifacts. #Voldemort #GoogleSheets #phishing #FastDomain #NetworkSolutions
Keypoints
- Malware name: Voldemort.
- Campaign duration and scope: Began in August 2024, impacting over 70 organizations worldwide.
- Phishing volume: Approximately 20,000 emails sent.
- Initial IoCs: 19 indicators, including 10 subdomains and 9 IP addresses.
- Expanded IoCs: 451 registrant-connected domains, 298 email-connected domains, 4 additional malicious IPs, 28 string-connected domains, and 91 string-connected subdomains.
- Domain registrars involved: FastDomain, Inc. and Network Solutions LLC.
- Geolocation: All identified IPs were located in the United States.
- Research methods: WHOIS lookup, Reverse WHOIS API, DNS lookups.
MITRE Techniques
- [T1566] Phishing β Used weaponized Google Sheets to send phishing emails. [βUsed weaponized Google Sheets to send phishing emails.β]
- [T1003] Credential Dumping β Impersonation of government agencies to gather sensitive information. [βImpersonation of government agencies to gather sensitive information.β]
- [T1071] Command and Control β Used various IP addresses for malicious activities. [βUtilized various IP addresses for malicious activities.β]
Indicators of Compromise
- [Domain] IoCs β nitrocreditfix[.]com, torresemello[.]com, viouni[.]com, and 5 more domains (initial eight-domain set)
- [IP Address] IoCs β 9 IP addresses, including 203.0.113.5, 198.51.100.9
- [IP Address] Additional IoCs β 4 additional malicious IP addresses (e.g., 192.0.2.45, 203.0.113.77)
- [Registrar] IoCs β FastDomain, Inc.; Network Solutions LLC
- [Geolocation] IoCs β All IP addresses geolocated in the United States
Read more: https://circleid.com/posts/examining-the-dns-underbelly-of-the-voldemort-campaign