New Voldemort Malware Uses Google Sheets to Steal Data

A new malware campaign is spreading the previously undocumented backdoor “Voldemort” worldwide, impersonating tax agencies from the U.S., Europe, and Asia. According to Proofpoint, the campaign started on August 5, 2024, and has already targeted over 70 organizations with over 20,000 emails.

The threat actor behind this campaign is unknown, but Proofpoint believes the primary objective is to conduct cyber espionage. The malware uses phishing emails that impersonate tax authorities from the target organization’s country, stating there is updated tax information and including links to associated documents.

When clicked, these links redirect victims to a landing page hosted on InfinityFree, which then redirects them to a page with a “Click to view document” button. Upon clicking this button, the page checks the browser’s User-Agent and, if it indicates Windows, redirects the target to a search-ms URI that points to a TryCloudflare-tunneled URI.

The malware also abuses Google Sheets as a command and control server (C2), using an embedded client ID, secret, and refresh token to interact with Google Sheets. This allows the malware to write stolen data to specific cells within the sheet, which can be designated by unique identifiers like UUIDs.

To defend against this campaign, Proofpoint recommends limiting access to external file-sharing services to trusted servers, blocking connections to TryCloudflare if not actively needed, and monitoring for suspicious PowerShell execution.
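A defender-side check for the redirect chain described above (a search-ms URI whose location points at a TryCloudflare-tunneled host, or a direct request to such a host), as an added example that is not code from the article or from Proofpoint; the log format, the hostnames and the sample lines are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed log format: "<timestamp> <client-ip> <url>" (one request per line).
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)$")
TUNNEL_SUFFIX = "trycloudflare.com"  # quick-tunnel hostnames end with this

def search_ms_location_host(uri: str) -> Optional[str]:
    """Return the host named in a search-ms: URI's crumb=location:, else None."""
    if not uri.lower().startswith("search-ms:"):
        return None
    params = parse_qs(uri[len("search-ms:"):])
    for crumb in params.get("crumb", []):
        # A remote crumb looks like "location:\\host@SSL\share"; take the first
        # UNC component, stopping at a backslash or the "@SSL" marker.
        m = re.match(r"location:\\\\([^\\@]+)", crumb, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return None

def is_tunnel_host(host: Optional[str]) -> bool:
    """True if host is a TryCloudflare tunnel hostname."""
    return host is not None and (host == TUNNEL_SUFFIX or host.endswith("." + TUNNEL_SUFFIX))

def scan_log(lines):
    """Return (client, url, reason) for each line that matches the redirect chain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        client, url = m.group("client"), m.group("url")
        loc = search_ms_location_host(url)
        if loc is not None:
            # Any search-ms URI served to a browser from the web is worth a look;
            # one pointing at a tunnel host matches the chain in the article.
            reason = "search-ms to TryCloudflare host" if is_tunnel_host(loc) else "search-ms URI"
            hits.append((client, url, reason))
        elif is_tunnel_host(urlparse(url).hostname):
            hits.append((client, url, "direct TryCloudflare host"))
    return hits

# Constructed sample lines; hostnames are placeholders, not real indicators.
SAMPLE_LOG = """\
2024-08-06T09:12:01Z 10.0.0.21 https://intranet.example.local/tax/notice.pdf
2024-08-06T09:12:44Z 10.0.0.21 search-ms:query=notice&crumb=location:%5C%5Cplaceholder-words.trycloudflare.com%40SSL%5CDavWWWRoot&displayname=Downloads
2024-08-06T09:13:02Z 10.0.0.33 https://other-placeholder.trycloudflare.com/view
"""
```

Run `scan_log(SAMPLE_LOG.splitlines())` to see the two flagged requests; in practice feed it proxy or web-filter logs and route "search-ms" hits to triage, since the first URI in the chain lands before any PowerShell runs.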

Source: https://www.bleepingcomputer.com/news/security/new-voldemort-malware-abuses-google-sheets-to-store-stolen-data/