TLDR:
– Cybersecurity researchers at Proofpoint identified a new malware campaign in August 2024 called ‘Voldemort’ that utilizes Google Sheets to store stolen data.
– The malware campaign involved the deployment of custom malware that gathers intelligence and drops other malicious files.
Cybersecurity researchers at Proofpoint recently discovered a new malware campaign in August 2024 that uses Google Sheets to store stolen data. The campaign, known as ‘Voldemort,’ abuses the trusted platform and collaboration features of Google Sheets to covertly exfiltrate stolen data and deliver malicious scripts. The attack chain combines techniques that are common in the threat landscape with something rarely seen: command-and-control (C2) activity carried over Google Sheets.
The actor’s infrastructure hosted Cobalt Strike, most probably as one of the payloads to be dropped. At first, the researchers thought the activity might be a red team exercise. However, given the volume of messages and the results of the malware analysis, they attributed it to an APT whose purpose is intelligence gathering, although they could not name the actor. The campaign intensified significantly on 5 August 2024, with over 20,000 messages sent to more than 70 organizations. The threat actors used various techniques to redirect users to malicious URLs and execute malicious files on victims’ machines.
The analysis also revealed that the majority of the infections were detected in sandboxes or by known researchers. Because the threat actor used Google Sheets as a communication channel through the standard Google API, analysis of the malware recovered the embedded client ID and client secret, which enabled the researchers to read the data stored in the Google Sheets. Further investigation of the associated Google Drive revealed additional artifacts, including executables susceptible to DLL sideloading attacks.
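Because the malware had to carry Google OAuth credentials and a Sheets API endpoint to use Google Sheets as C2, those artifacts are a useful static triage signal. The following is an added example written for this article, not code from Proofpoint or from the campaign; it scans strings extracted from a sample for the publicly documented shapes of Google OAuth client IDs, client secrets (the newer `GOCSPX-` form), refresh tokens and Sheets API URLs, and the sample strings are constructed.

```python
import re

# Public formats of Google OAuth/Sheets artifacts a sample might embed.
# Token shapes are the commonly observed ones and are treated here as assumptions.
PATTERNS = {
    "oauth_client_id": re.compile(r"\b\d{12}-[a-z0-9]{32}\.apps\.googleusercontent\.com\b"),
    "oauth_client_secret": re.compile(r"\bGOCSPX-[A-Za-z0-9_-]{28}\b"),
    "refresh_token": re.compile(r"\b1//[A-Za-z0-9_-]{40,}"),
    "sheets_api_url": re.compile(r"https://sheets\.googleapis\.com/v4/spreadsheets/[A-Za-z0-9_-]{20,}"),
    "oauth_token_endpoint": re.compile(r"https://oauth2\.googleapis\.com/token"),
}

# Constructed strings standing in for `strings`-style output from a sample.
SAMPLE_STRINGS = [
    "kernel32.dll",
    "https://oauth2.googleapis.com/token",
    "client_id=123456789012-abcdefghijklmnopqrstuvwxyz012345.apps.googleusercontent.com",
    "client_secret=GOCSPX-abcdefghijklmnopqrstuvwxyz01",
    "refresh_token=1//0gABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv",
    "https://sheets.googleapis.com/v4/spreadsheets/1AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdef/values/Sheet1!A1",
]


def scan_strings(strings):
    """Return {indicator_type: [matched substrings]} for the given strings."""
    hits = {}
    for s in strings:
        for name, rx in PATTERNS.items():
            for m in rx.finditer(s):
                hits.setdefault(name, []).append(m.group(0))
    return hits


def assess(hits):
    """Classify the hit set: credentials plus a Sheets endpoint is the C2 pattern."""
    has_cred = any(k in hits for k in ("oauth_client_id", "oauth_client_secret", "refresh_token"))
    has_sheets = "sheets_api_url" in hits
    if has_cred and has_sheets:
        return "sheets-c2-suspect"   # embedded Google credentials + Sheets API URL
    if has_cred or has_sheets:
        return "review"              # partial evidence, needs an analyst
    return "clean"


if __name__ == "__main__":
    found = scan_strings(SAMPLE_STRINGS)
    for kind, values in found.items():
        print(f"{kind}: {values}")
    print("verdict:", assess(found))
```

Any hit of this kind also identifies the spreadsheet ID and OAuth client that should be reported to Google for takedown, which is the mitigation the article's researchers pursued.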