TLDR:
Key Points:
- Cyber attackers are using Google Sheets as a command-and-control mechanism in a malware campaign targeting various organizations.
- The campaign impersonates tax authorities from multiple countries and utilizes a bespoke tool called Voldemort for information gathering and payload delivery.
In a recent cybersecurity development, researchers have discovered a novel malware campaign that exploits Google Sheets as a command-and-control (C2) mechanism. The campaign, identified by Proofpoint on August 5, 2024, masquerades as tax authorities from governments in Europe, Asia, and the U.S., with a focus on targeting over 70 organizations globally. The attackers utilize a custom tool named Voldemort to collect information and deploy additional payloads.
The cyber espionage campaign, suspected to involve advanced persistent threats (APTs), has sent out as many as 20,000 emails posing as tax authorities from various countries. These emails prompt recipients to click on Google AMP Cache URLs, leading them to an intermediate page that, when accessed from a Windows system, triggers a series of events to execute malicious activities.
The attackers use PowerShell to run a Python script that collects system information, sends it to an actor-controlled domain, and then downloads a password-protected ZIP file containing a backdoor known as Voldemort. This custom backdoor, written in C, uses Google Sheets for C2 communication, data exfiltration, and command execution. The campaign’s mix of sophisticated capabilities and basic techniques suggests a blend of cybercrime and espionage motives.
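As an added example (not from the original report or from Proofpoint), the two telemetry checks a defender would most naturally derive from the chain above: a PowerShell process spawning a Python interpreter, and a non-browser process contacting the Google Sheets API host. The JSON-lines schema, host names, paths and timestamps are constructed; `sheets.googleapis.com` is the real Google Sheets API hostname, assumed here to be the endpoint such a backdoor would reach.

```python
import json

# Real Google Sheets API hostname; assumed to be what a Sheets-based C2 channel contacts.
SHEETS_API_HOSTS = {"sheets.googleapis.com"}
# Processes that legitimately talk to Google Sheets from a workstation.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe", "python3.exe"}

# Constructed sample telemetry (JSON lines). Field names, hosts, paths and times are invented.
SAMPLE_PROCESS_LOG = r"""
{"ts": "2024-08-05T09:12:01Z", "host": "WS-17", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\py\\python.exe", "cmdline": "python.exe collect.py"}
{"ts": "2024-08-05T09:13:44Z", "host": "WS-22", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Python312\\python.exe", "cmdline": "python.exe notebook.py"}
{"ts": "2024-08-05T09:15:09Z", "host": "WS-17", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}
""".strip().splitlines()

SAMPLE_NETWORK_LOG = r"""
{"ts": "2024-08-05T09:12:30Z", "host": "WS-17", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\py\\python.exe", "dest_host": "sheets.googleapis.com", "dest_port": 443}
{"ts": "2024-08-05T09:12:31Z", "host": "WS-22", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "sheets.googleapis.com", "dest_port": 443}
{"ts": "2024-08-05T09:14:02Z", "host": "WS-22", "image": "C:\\Python312\\python.exe", "dest_host": "pypi.org", "dest_port": 443}
""".strip().splitlines()


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_jsonl(lines):
    """Parse JSON-lines telemetry; malformed lines are skipped rather than aborting the scan."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_powershell_spawning_python(events):
    """Process-creation rule: PowerShell parent launching a Python interpreter."""
    alerts = []
    for ev in events:
        parent = basename(ev.get("parent_image", ""))
        child = basename(ev.get("image", ""))
        if parent in POWERSHELL_IMAGES and child in PYTHON_IMAGES:
            alerts.append({"rule": "powershell_spawns_python", "host": ev.get("host"),
                           "ts": ev.get("ts"), "image": ev.get("image"),
                           "cmdline": ev.get("cmdline")})
    return alerts


def find_nonbrowser_sheets_clients(events):
    """Network rule: anything other than a browser reaching the Sheets API host."""
    alerts = []
    for ev in events:
        image = basename(ev.get("image", ""))
        dest = ev.get("dest_host", "").lower()
        if dest in SHEETS_API_HOSTS and image not in BROWSER_IMAGES:
            alerts.append({"rule": "nonbrowser_sheets_client", "host": ev.get("host"),
                           "ts": ev.get("ts"), "image": image, "dest_host": dest})
    return alerts


def correlate_hosts(alerts):
    """Hosts that triggered both rules: the stronger signal, worth prioritising in triage."""
    by_rule = {}
    for a in alerts:
        by_rule.setdefault(a["rule"], set()).add(a["host"])
    both = by_rule.get("powershell_spawns_python", set()) & by_rule.get("nonbrowser_sheets_client", set())
    return sorted(both)


def run_all():
    """Run both rules over the constructed samples and return the combined alert list."""
    return (find_powershell_spawning_python(parse_jsonl(SAMPLE_PROCESS_LOG))
            + find_nonbrowser_sheets_clients(parse_jsonl(SAMPLE_NETWORK_LOG)))


if __name__ == "__main__":
    for alert in run_all():
        print(json.dumps(alert))
    print("hosts with both signals:", correlate_hosts(run_all()))
```

Each rule alone will fire on benign activity (developers launching Python from a shell, scripts automating spreadsheets), so the correlation step matters: a host where a PowerShell-spawned interpreter is also the process reaching the Sheets API is the pattern the report describes, and that is what should be escalated first.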