Cybersecurity researchers have recently identified a sophisticated malware campaign exploiting Google Sheets as a command-and-control (C2) mechanism. First detected by Proofpoint on August 5, 2024, this campaign impersonates tax authorities from various countries to target over 70 organizations globally. The attackers deploy a custom malware tool called Voldemort, which gathers information and delivers additional malicious payloads.
The Campaign's Targets and Tactics
The campaign's victims span multiple sectors, including:
- Insurance
- Aerospace
- Transportation
- Academia
- Finance
- Technology
- Industrial
- Healthcare
- Automotive
- Hospitality
- Energy
- Government
- Media
- Manufacturing
- Telecom
- Social benefit organizations
In total, around 20,000 emails have been sent to targets, masquerading as communications from tax authorities in countries such as the U.S., U.K., France, Germany, Italy, India, and Japan. The emails prompt recipients to click on Google AMP Cache URLs, which redirect them to an intermediate landing page that checks the user's operating system. If it detects Windows, the page uses the search-ms: URI protocol handler to present a Windows shortcut (LNK) file. The LNK file is made to look like an Adobe Acrobat Reader PDF, deceiving victims into executing it.
The Malware Delivery Process
Once the LNK file is executed, it initiates a series of commands to run PowerShell scripts that load Python from a remote WebDAV share. This process involves:
- Running Python.exe from a third WebDAV share on the same network tunnel.
- Passing a Python script from a fourth share to Python.exe as an argument.
- Executing the script without downloading files to the local machine, with dependencies loaded directly from the WebDAV share.
The Python script collects system information and sends the data as a Base64-encoded string to a domain controlled by the attackers. Subsequently, the script displays a decoy PDF to the user and downloads a password-protected ZIP file from OpenDrive. This ZIP file contains:
- A legitimate executable, "CiscoCollabHost.exe," vulnerable to DLL side-loading.
- A malicious DLL, "CiscoSparkLauncher.dll," which is the Voldemort malware.
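The stages above translate into a few high-signal detections. The following is an added example, not code from the article or from Proofpoint: it runs simple rules over constructed Sysmon-style process-creation and image-load events to flag search-ms: handler use, Python or PowerShell executed from (or fed a script on) a WebDAV/SMB UNC share, and CiscoCollabHost.exe loading CiscoSparkLauncher.dll from outside a trusted install directory. The event field names, the trusted-directory list and the sample paths are assumptions.

```python
import ntpath
import re

# Constructed sample events, not from a real incident (Sysmon-like shape).
# "proc": process creation with image and command line; "load": DLL load.
SAMPLE_EVENTS = [
    {"id": 1, "type": "proc", "image": r"C:\Windows\explorer.exe",
     "cmdline": r"explorer.exe search-ms:displayname=Tax%20Notice"},
    {"id": 2, "type": "proc", "image": r"\\203.0.113.5@SSL\DavWWWRoot\py\python.exe",
     "cmdline": r"python.exe \\203.0.113.5@SSL\DavWWWRoot\scripts\stage.py"},
    {"id": 3, "type": "load", "image": r"C:\Users\alice\Downloads\CiscoCollabHost.exe",
     "dll": r"C:\Users\alice\Downloads\CiscoSparkLauncher.dll"},
    {"id": 4, "type": "proc", "image": r"C:\Program Files\Python312\python.exe",
     "cmdline": r"python.exe C:\work\report.py"},   # benign: local interpreter
]

UNC_PATH = re.compile(r"\\\\[^\\\s]+\\")           # matches \\host\...
INTERPRETERS = {"python.exe", "powershell.exe", "pwsh.exe"}
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")  # assumption

def search_ms_handler(ev):
    """Landing page / LNK abusing the search-ms: protocol handler."""
    return ev["type"] == "proc" and "search-ms:" in ev.get("cmdline", "").lower()

def interpreter_from_share(ev):
    """Python/PowerShell started from, or given a script on, a UNC (WebDAV/SMB) share."""
    if ev["type"] != "proc":
        return False
    exe = ntpath.basename(ev["image"]).lower()
    return exe in INTERPRETERS and (
        UNC_PATH.search(ev["image"]) is not None
        or UNC_PATH.search(ev.get("cmdline", "")) is not None)

def cisco_sideload(ev):
    """CiscoCollabHost.exe loading CiscoSparkLauncher.dll outside a trusted install dir."""
    if ev["type"] != "load":
        return False
    exe = ntpath.basename(ev["image"]).lower()
    dll = ev["dll"].lower()
    return (exe == "ciscocollabhost.exe"
            and ntpath.basename(dll) == "ciscosparklauncher.dll"
            and not dll.startswith(TRUSTED_DIRS))

RULES = {"search_ms_handler": search_ms_handler,
         "interpreter_from_share": interpreter_from_share,
         "cisco_dll_sideload": cisco_sideload}

def detect(events):
    """Return (rule_name, event_id) pairs for every rule that fires, in event order."""
    return [(name, ev["id"]) for ev in events
            for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for name, eid in detect(SAMPLE_EVENTS):
        print(f"{name}: event {eid}")
```

In production the same rules map onto Sysmon Event ID 1 (process creation) and Event ID 7 (image load) fields; the benign local-interpreter event shows the UNC check is what separates the malicious launch from ordinary Python use.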
Voldemort: A Backdoor with Advanced Capabilities
Voldemort is a backdoor written in C, designed to conduct information gathering and load additional payloads. Notably, it leverages Google Sheets for its command-and-control operations, using the platform for data exfiltration and executing commands. The use of Google Sheets indicates a novel approach in malware C2 infrastructure, complicating detection and mitigation efforts.
Advanced Persistent Threat or Cybercrime?
Although Proofpoint describes the malware activity as resembling Advanced Persistent Threats (APT), it also exhibits characteristics typical of cybercrime operations. The campaign's use of file-scheme URIs to reach external file-sharing resources for malware staging, particularly WebDAV and Server Message Block (SMB), is a tactic increasingly seen in other malware families such as Latrodectus, DarkGate, and XWorm.
Uncertain Attribution and Goals
While the campaign aligns with cybercriminal activity, researchers have not definitively attributed it to a specific threat actor. The scale of the campaign and the variety of sectors targeted suggest that the attackers aimed to infect a broad range of organizations before focusing on a smaller group. The attackers' ultimate objectives remain unclear, making it challenging to determine their level of sophistication and capability.
The discovery of this malware campaign highlights the evolving tactics used by cyber threat actors, including leveraging legitimate platforms like Google Sheets for malicious purposes. As the line between state-sponsored espionage and cybercrime continues to blur, organizations must remain vigilant, adopt robust cybersecurity measures, and educate employees about recognizing phishing attempts and suspicious activities. The integration of advanced detection tools and practices will be crucial in defending against such multifaceted threats.