Suspected Espionage Campaign Delivers "Voldemort" Malware Impersonating Tax Authorities
Proofpoint released a threat insight report detailing an unusual campaign delivering custom malware named "Voldemort". Researchers assess with moderate confidence that the goal of this activity is espionage.
Introduction
On August 29, 2024, Proofpoint released a threat insight report detailing an unusual campaign delivering custom malware named "Voldemort". Researchers assess with moderate confidence that the goal of this activity is espionage.
The campaign impersonated tax authorities from governments in Europe, Asia, and the U.S., targeting dozens of organizations worldwide. Voldemort has capabilities for intelligence gathering and delivering additional payloads. Its attack chain uses both common and uncommon techniques, including Google Sheets for command and control (C2) and saved search files on external shares.
Report Overview
Beginning on August 5, 2024, the campaign included over 20,000 messages impacting more than 70 organizations globally. Messages purported to be from various tax authorities, notifying recipients about changes to their tax filings. Each lure was customized and written in the language of the impersonated authority.
The attack chain begins with Google AMP Cache URLs redirecting to landing pages hosted on InfinityFree. Clicking a link on these pages leads to a series of redirects and checks, ultimately resulting in the execution of the Voldemort malware.
Voldemort is a custom backdoor written in C with capabilities for information gathering and dropping additional payloads. It uses Google Sheets for C2, data exfiltration, and executing commands from operators. The malware also leverages DLL side-loading techniques for execution.
Insights and Analysis
Proofpoint does not attribute this activity to a specific threat actor. While many campaign characteristics align with cybercriminal activity, researchers assess this is likely espionage activity conducted to support unknown final objectives.
To defend against these threats, organizations should:
- Restrict access to external file sharing services to only known, safelisted servers
- Block network connections to TryCloudflare if not required for business purposes
- Monitor and alert on use of search-ms in scripts and suspicious follow-on activity such as LNK and PowerShell execution
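The attack chain described above (search-ms landing pages, TryCloudflare tunnels, an LNK on an external share followed by PowerShell, and Google Sheets API traffic from the side-loaded DLL) maps onto the three recommendations directly. The following script is an added example, not Proofpoint's code or a detection the report ships: it applies those recommendations and the report's IOCs to a small stream of endpoint and network events. The event schema, field names, the "example-host.exe" process name and all sample events are constructed for this illustration; only the hashes and hostnames come from the report.

```python
"""Added example (not from the Proofpoint report): triage a stream of endpoint
and network events against the report's recommendations and IOCs.

Event schema, field names and sample events are constructed assumptions;
the hashes and hostnames are the ones the report lists."""
import re


def refang(indicator: str) -> str:
    """Turn a defanged IOC as printed in the report into a matchable value."""
    return (indicator.replace("hxxp", "http")
                     .replace("[.]", ".")
                     .replace("[:]", ":"))


# IOCs copied from the report, stored defanged and refanged on load.
KNOWN_SHA256 = {
    "3fce52d29d40daf60e582b8054e5a6227a55370bed83c662a8ff2857b55f4cea": "test.png (renamed ZIP)",
    "561e15a46f474255fda693afd644c8674912df495bada726dbe7565eae2284fb": "CiscoSparkLauncher.dll (Voldemort)",
}
KNOWN_TUNNEL = refang("pants-graphs-optics-worse[.]trycloudflare[.]com")
C2_HOST = refang("sheets[.]googleapis[.]com")
TUNNEL_SUFFIX = ".trycloudflare.com"

SEARCH_MS = re.compile(r"\bsearch-ms:", re.IGNORECASE)
UNC_PATH = re.compile(r"\\\\[^\\\s]+\\")  # matches \\server\share... in a command line
# Processes in which a Google Sheets API call is expected (assumption; tune per estate).
BROWSER_LIKE = {"chrome.exe", "msedge.exe", "firefox.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (rule_name, detail) findings. Each event is a dict with a 'kind'."""
    findings = []
    for ev in events:
        kind = ev["kind"]
        if kind == "script" and SEARCH_MS.search(ev["content"]):
            # Recommendation: monitor search-ms use in scripts and pages.
            findings.append(("search-ms-in-script", ev["path"]))
        elif kind == "dns" and ev["query"].lower().endswith(TUNNEL_SUFFIX):
            # Recommendation: block or alert on TryCloudflare if not needed.
            rule = "known-c2-tunnel" if ev["query"].lower() == KNOWN_TUNNEL else "trycloudflare-dns"
            findings.append((rule, ev["query"]))
        elif kind == "process":
            # Recommendation: LNK from an external share followed by PowerShell execution.
            if _basename(ev["image"]) == "powershell.exe" and UNC_PATH.search(ev["cmdline"]):
                findings.append(("powershell-from-share", ev["cmdline"]))
        elif kind == "netconn":
            # Report: Voldemort uses the Google Sheets API for C2 and exfiltration.
            image = _basename(ev["image"])
            if ev["host"].lower() == C2_HOST and image not in BROWSER_LIKE:
                findings.append(("sheets-api-from-non-browser", image))
        elif kind == "file" and ev["sha256"].lower() in KNOWN_SHA256:
            findings.append(("known-hash", KNOWN_SHA256[ev["sha256"].lower()]))
    return findings


# Constructed sample events, in the order the chain would produce them.
SAMPLE_EVENTS = [
    {"kind": "script", "path": "C:\\Users\\u\\Downloads\\SA150_Notes_2024.html",
     "content": '<a href="search-ms:query=PLACEHOLDER">Open</a>'},
    {"kind": "dns", "query": "pants-graphs-optics-worse.trycloudflare.com"},
    {"kind": "process", "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"kind": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden \\\\example-share\\docs\\setup.ps1"},
    {"kind": "netconn", "image": "example-host.exe", "host": "sheets.googleapis.com", "port": 443},
    {"kind": "netconn", "image": "chrome.exe", "host": "sheets.googleapis.com", "port": 443},
    {"kind": "file", "path": "C:\\Users\\u\\Downloads\\test.png",
     "sha256": "3fce52d29d40daf60e582b8054e5a6227a55370bed83c662a8ff2857b55f4cea"},
    {"kind": "file", "path": "C:\\Program Files\\benign.dll", "sha256": "00" * 32},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:30} {detail}")
```

The browser allow-list for the Sheets API rule is the part most likely to need tuning: legitimate sync clients and scripts also call sheets.googleapis.com, so in practice this rule is a hunting lead rather than a blocking signal, while the hash, tunnel hostname and search-ms rules can be alerted on directly.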
This campaign demonstrates that actors engaging in suspected espionage activity often use the same tactics, techniques, and procedures as financially motivated threat actors. Organizations should stay alert and apply a defense in depth approach so that no single control has to stop a chain that blends these techniques.
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| hxxps://pubs[.]infinityfreeapp[.]com/SA150_Notes_2024[.]html | URL | Redirect target / landing page |
| hxxps://od[.]lk/s/OTRfNzQ5NjQwOTJf/test[.]png | URL | Python payload (renamed ZIP containing Voldemort) |
| hxxp://83[.]147[.]243[.]18/p/ | URL | pingb.in base URL |
| 3fce52d29d40daf60e582b8054e5a6227a55370bed83c662a8ff2857b55f4cea | SHA256 | test.png/zip |
| 561e15a46f474255fda693afd644c8674912df495bada726dbe7565eae2284fb | SHA256 | CiscoSparkLauncher.dll (Voldemort malware) |
| pants-graphs-optics-worse[.]trycloudflare[.]com | Domain | TryCloudflare tunnel hostname |
| hxxps://sheets[.]googleapis[.]com:443/v4/spreadsheets/16JvcER-0TVQDimWV56syk91IMCYXOvZbW4GTnb947eE/ | URL | Voldemort C2 |
MITRE ATT&CK Table
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Phishing | T1566 | The campaign used emails impersonating tax authorities to deliver malicious content |
| Execution | User Execution | T1204 | The attack relies on users clicking links in phishing emails |
| Defense Evasion | Masquerading | T1036 | The malware masquerades as legitimate Cisco software |
| Command and Control | Application Layer Protocol | T1071 | The malware uses the Google Sheets API for command and control |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | The malware exfiltrates data over the same Google Sheets channel used for C2 |