“Unmasking ‘Voldemort’: The Espionage Malware You Need to Know About”

Proofpoint researchers uncovered a sophisticated espionage campaign named Voldemort that impersonates tax authorities to target organizations globally. The malware uses an unusual attack chain with Google Sheets-based C2 and saved-search file techniques, functioning as a custom backdoor for intelligence gathering and payload delivery. #Voldemort #Proofpoint #GoogleSheets #CobaltStrike #TryCloudflare #CiscoCollabHost

Keypoints

  • Campaign named “Voldemort” identified by Proofpoint researchers.
  • Targets organizations worldwide by impersonating tax authorities from various countries.
  • Utilizes a novel attack chain with unusual command and control methods, including Google Sheets.
  • Malware is a custom backdoor capable of intelligence gathering and delivering additional payloads.
  • Over 20,000 messages sent, impacting over 70 organizations globally.
  • Threat actor likely an advanced persistent threat (APT) focused on espionage.
  • Employs techniques commonly seen in both cybercriminal and espionage activities.
  • Defense recommendations include restricting access to external file sharing services and monitoring suspicious activity.

MITRE Techniques

  • [T1071] Command and Control – Using Google Sheets for command and control communication.
  • [T1041] Exfiltration Over Command and Control Channel – Exfiltrating data through Google Sheets.
  • [T1003] Credential Dumping – Collecting information about the system and users.
  • [T1203] Execution through API – Executing commands via Google Sheets API.
  • [T1548] Abuse Elevation Control Mechanism – Using legitimate software (CiscoCollabHost.exe) to execute malicious DLLs.

Indicators of Compromise

  • [URL] Redirect landing pages and C2 hosting – hxxps://pubs[.]infinityfreeapp[.]com/SA150_Notes_2024[.]html, hxxps://pubs[.]infinityfreeapp[.]com/IRS_P966[.]html, and other similar pages
  • [URL] Additional landing pages and references – hxxps://pubs[.]infinityfreeapp[.]com/Notice_pour_remplir_la_N%C2%B0_2044[.]html, hxxps://pubs[.]infinityfreeapp[.]com/La_dichiarazione_precompilata_2024[.]html
  • [URL] TryCloudflare tunnels (C2/reachability) – hxxps://ways-sms-pmc-shareholders[.]trycloudflare[.]com, hxxps://recall-addressed-who-collector[.]trycloudflare[.]com
  • [SHA256] Malware and payload components – 3fce52d29d40daf60e582b8054e5a6227a55370bed83c662a8ff2857b55f4cea, 561e15a46f474255fda693afd644c8674912df495bada726dbe7565eae2284fb, 6bdd51dfa47d1a960459019a960950d3415f0f276a740017301735b858019728
  • [File Name] Executables and DLLs used in the chain – CiscoCollabHost.exe, CiscoSparkLauncher.dll, test.png (zip), logo.png (zip)
  • [IP] Hosting/logging infrastructure – 83[.]147[.]243[.]18
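As an added defender-side example (not code from the Proofpoint report or from this digest), the following Python script runs the indicators listed above over a few constructed proxy, network and process log lines and reports which lines match. The key=value log format, the field names, the sample lines, the all-zero placeholder hash for the benign process, and the heuristic that the legitimate CiscoCollabHost.exe install lives under Program Files are all assumptions made for this example. It goes slightly beyond the list in one respect: it flags any *.trycloudflare.com host, not only the two tunnel names above, because such tunnels are disposable and the hostnames are campaign-specific.

```python
"""IoC and behaviour matcher for the indicators in this digest (added example).

Log lines are assumed to be space-separated key=value pairs; values that
contain spaces are double-quoted. All sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Indicators copied from the list above, stored defanged and refanged at load.
def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into its plain form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

IOC_DOMAINS = {refang(d) for d in (
    "pubs[.]infinityfreeapp[.]com",
    "ways-sms-pmc-shareholders[.]trycloudflare[.]com",
    "recall-addressed-who-collector[.]trycloudflare[.]com",
)}
IOC_IPS = {refang("83[.]147[.]243[.]18")}
IOC_SHA256 = {
    "3fce52d29d40daf60e582b8054e5a6227a55370bed83c662a8ff2857b55f4cea",
    "561e15a46f474255fda693afd644c8674912df495bada726dbe7565eae2284fb",
    "6bdd51dfa47d1a960459019a960950d3415f0f276a740017301735b858019728",
}
TRYCLOUDFLARE_SUFFIX = ".trycloudflare.com"   # generalisation beyond the two listed tunnels
SIDELOAD_HOST = "ciscocollabhost.exe"         # legitimate binary named in the chain
SIDELOAD_DLL = "ciscosparklauncher.dll"       # DLL named in the chain

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line: str) -> dict:
    """Parse one key=value log line into a dict (quoted values may contain spaces)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def is_trusted_install_path(image: str) -> bool:
    """Heuristic assumption: a legitimate install sits under Program Files."""
    low = image.lower().replace("/", "\\")
    return low.startswith(("c:\\program files\\", "c:\\program files (x86)\\"))

def check_record(rec: dict) -> list:
    """Return a list of human-readable reasons this record matches an indicator."""
    reasons = []
    host = rec.get("host", "").lower()
    if host in IOC_DOMAINS:
        reasons.append(f"known landing/C2 host {host}")
    elif host.endswith(TRYCLOUDFLARE_SUFFIX):
        reasons.append(f"unlisted TryCloudflare tunnel {host}")
    if rec.get("dst", "") in IOC_IPS:
        reasons.append(f"known infrastructure IP {rec['dst']}")
    sha = rec.get("sha256", "").lower()
    if sha in IOC_SHA256:
        reasons.append(f"known malicious SHA256 {sha[:12]}...")
    image, loaded = rec.get("image", ""), rec.get("loaded", "").lower()
    if image.lower().endswith(SIDELOAD_HOST) and loaded.endswith(SIDELOAD_DLL):
        if not is_trusted_install_path(image):
            reasons.append("CiscoCollabHost.exe loading CiscoSparkLauncher.dll "
                           "outside Program Files (possible DLL side-loading)")
    return reasons

@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str

def scan(lines) -> list:
    """Run every line through check_record and collect Findings (1-based line numbers)."""
    return [Finding(n, r) for n, line in enumerate(lines, 1)
            for r in check_record(parse_kv(line))]

# Constructed sample log: hosts, IP, hashes and file names come from the list above.
SAMPLE_LOG = [
    'type=proxy src=10.0.0.5 host=pubs.infinityfreeapp.com url=/SA150_Notes_2024.html',
    'type=proxy src=10.0.0.5 host=ways-sms-pmc-shareholders.trycloudflare.com url=/test.png',
    'type=proxy src=10.0.0.9 host=cdn.example.org url=/logo.png',
    'type=proxy src=10.0.0.9 host=some-other-name.trycloudflare.com url=/',
    'type=net src=10.0.0.5 dst=83.147.243.18 dport=443',
    'type=process image="C:\\Users\\alice\\AppData\\Local\\Temp\\CiscoCollabHost.exe" '
    'loaded=CiscoSparkLauncher.dll '
    'sha256=3fce52d29d40daf60e582b8054e5a6227a55370bed83c662a8ff2857b55f4cea',
    # benign: vendor install path and a placeholder (all-zero) hash not on the list
    'type=process image="C:\\Program Files\\Cisco Spark\\CiscoCollabHost.exe" '
    'loaded=CiscoSparkLauncher.dll '
    'sha256=0000000000000000000000000000000000000000000000000000000000000000',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
```

Lines 1, 2, 4, 5 and 6 of the sample produce findings (six in total, since the process line in the user's Temp directory matches both a listed hash and the side-loading heuristic); the benign vendor-path process and the unrelated CDN request do not. Pointing `scan` at real proxy or EDR exports only requires replacing `SAMPLE_LOG` with lines in the same key=value shape.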

Read more: https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort