A major international cyber-espionage campaign named Voldemort has impacted over 70 organizations in 18 verticals [1], with a quarter of victims being insurance companies [1].

Description

The campaign, which began on August 5, 2024 [1] [3] [4], uses phishing emails that impersonate tax authorities from various governments and are written in multiple languages. Proofpoint [2] [3] [4], the security firm that reported the activity, counted more than 20,000 malicious messages sent to over 70 organizations worldwide [3]; the targets are Windows users [3]. Recipients who click the malicious link end up with “Voldemort”, a custom backdoor written in C that gathers system information and can drop additional payloads [1] [3] [4]. The backdoor uses Google Sheets as its command-and-control infrastructure, both to receive operator commands and to exfiltrate data [1] [4].

Attribution is difficult because the campaign mixes sophisticated capabilities with basic techniques [1]. The backdoor’s features resemble tools used for espionage [1], and the activity has been described as aligned with advanced persistent threats (APT) but with “cybercrime vibes” because of its use of techniques popular in the e-crime landscape [4]. Proofpoint was able to identify six victims [4], one of which is believed to be either a sandbox or a “known researcher” [4].

Delivery relies on URI handling that Windows resolves against remote shares. The lure abuses the Windows Search protocol (search-ms: URIs) to show files hosted on a remote server as if they were local [3], and file-schema URIs (file://) pointing at a remote WebDAV or Server Message Block (SMB) server are used to stage the malicious content [4]. The same staging approach has been observed in malware families associated with initial access brokers (IABs), such as Latrodectus, DarkGate and XWorm [4].
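The two URI tricks described above can be hunted for in captured landing pages or email bodies. The following is an added example, not code from the page or from Proofpoint: it pulls every href out of a constructed HTML sample, decodes search-ms: crumbs and file:// URIs, and flags those whose location is a host other than the local machine. The sample page, the host 203.0.113.10 and the share names are assumptions for illustration; the WebDAV UNC form host@SSL@port that the helper strips is standard Windows syntax.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of a phishing landing page (assumption: not taken from the
# campaign). It contains a search-ms: link whose crumb points at a WebDAV share
# over TLS, a file:// link to a remote SMB share, a file:// link to a local path,
# and an ordinary https link. Only the first two should be flagged.
SAMPLE_HTML = r"""
<a href="search-ms:query=TaxNotice&amp;crumb=location:\\203.0.113.10@SSL@443\DavWWWRoot\docs&amp;displayname=Downloads">Click to view document</a>
<a href="file://203.0.113.10/public/TaxNotice.lnk">Open notice</a>
<a href="file:///C:/Users/Public/Documents/notice.pdf">Local copy</a>
<a href="https://www.example.com/help">Help</a>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
UNC_HOST_RE = re.compile(r'^\\\\([^\\]+)(?:\\|$)')
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


def unc_host(path):
    """Host of a UNC path such as \\host\share, or None if the path is not UNC.

    WebDAV UNC syntax may append @SSL and @<port> to the host (host@SSL@443);
    those suffixes are stripped so the bare host is returned.
    """
    m = UNC_HOST_RE.match(path)
    if not m:
        return None
    return m.group(1).split("@")[0].lower()


def classify_uri(uri):
    """Return a reason string if the URI would pull content from a remote share,
    otherwise None. Only search-ms: and file: are inspected."""
    uri = uri.strip()
    scheme, _, rest = uri.partition(":")
    scheme = scheme.lower()

    if scheme == "search-ms":
        # search-ms:query=<text>&crumb=location:<folder>&displayname=<label>
        # Explorer opens a search window over <folder>; a remote <folder> makes
        # attacker-hosted files look like local search results.
        for crumb in parse_qs(rest, keep_blank_values=True).get("crumb", []):
            key, _, value = unquote(crumb).partition(":")
            if key.strip().lower() != "location":
                continue
            host = unc_host(value) or (urlparse(value).hostname or "").lower()
            if host not in LOCAL_HOSTS:
                return f"search-ms crumb resolves to remote location {host}"
        return None

    if scheme == "file":
        # file://<host>/<share>/<path> is fetched over SMB or WebDAV when <host>
        # is not the local machine.
        host = (urlparse(uri).hostname or "").lower()
        if host not in LOCAL_HOSTS:
            return f"file:// URI fetches from remote host {host}"
        return None

    return None


def find_staging_uris(page_html):
    """Extract every href from the page and return [(uri, reason)] for the ones
    that stage content from a remote SMB/WebDAV location."""
    findings = []
    for raw in HREF_RE.findall(page_html):
        uri = html.unescape(raw)  # undo &amp; so the query string parses
        reason = classify_uri(uri)
        if reason:
            findings.append((uri, reason))
    return findings


if __name__ == "__main__":
    for uri, reason in find_staging_uris(SAMPLE_HTML):
        print(f"{reason}: {uri}")
```

Internal file servers will also match, so in production the check belongs behind an allow-list of known corporate shares; what remains is a link that asks a workstation to reach an external SMB or WebDAV host, which is rarely legitimate in email.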
The backdoor authenticates to the Google Sheets API with a client token embedded in the malware [3]; once authenticated it can read and write cells, so the spreadsheet serves as a bidirectional channel between the implant and its operators [3]. The campaign is likely orchestrated by an advanced persistent threat actor focused on intelligence gathering [3]. It is a notable example of the growing trend of abusing legitimate cloud services for malicious purposes, combining sophisticated tradecraft with innovative use of cloud-based infrastructure [3].
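Because the C2 channel is a legitimate Google API, the traffic itself is not blockable, but the process that generates it is unusual. The following is an added example, not code from the page or from Proofpoint, of a detection that runs over a constructed proxy log: it discards browsers, then reports any other process that hits sheets.googleapis.com repeatedly, noting whether it also refreshed an OAuth token, how many of its calls were writes, and how regular the polling interval is. The log format, the process name updater.exe and the browser allow-list are assumptions; the Sheets and OAuth hostnames are Google's public endpoints.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Endpoints the implant needs: the Sheets API for reads and writes, and the Google
# OAuth token endpoint for turning its embedded credential into an access token.
SHEETS_HOSTS = {"sheets.googleapis.com"}
OAUTH_HOSTS = {"oauth2.googleapis.com"}
# Processes for which Sheets traffic is expected. Assumption: tune to the estate;
# Google Workspace sync tools may need to be added.
BROWSER_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe"}
MIN_HITS = 3  # fewer Sheets requests than this is not worth a finding

# Constructed proxy log (not real campaign data), one event per line:
#   <iso-timestamp> <process> <destination-host> <method> <path>
# "updater.exe" is a hypothetical name for an unknown process using the Sheets API.
SAMPLE_LOG = """\
2024-08-05T10:00:00Z chrome.exe sheets.googleapis.com GET /v4/spreadsheets/1aB/values/Sheet1
2024-08-05T10:00:05Z updater.exe oauth2.googleapis.com POST /token
2024-08-05T10:00:06Z updater.exe sheets.googleapis.com GET /v4/spreadsheets/1aB/values/Sheet1!A1
2024-08-05T10:00:30Z outlook.exe graph.microsoft.com GET /v1.0/me
2024-08-05T10:01:06Z updater.exe sheets.googleapis.com POST /v4/spreadsheets/1aB/values/Sheet1!A1:append
2024-08-05T10:02:06Z updater.exe sheets.googleapis.com GET /v4/spreadsheets/1aB/values/Sheet1!A1
2024-08-05T10:03:06Z updater.exe sheets.googleapis.com GET /v4/spreadsheets/1aB/values/Sheet1!A1
"""


def parse_line(line):
    """Split one log line into a dict with a timezone-aware timestamp."""
    ts, process, host, method, path = line.split(maxsplit=4)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "process": process.lower(),
        "host": host.lower(),
        "method": method.upper(),
        "path": path,
    }


def find_sheets_beacons(log_text, allowlist=BROWSER_ALLOWLIST, min_hits=MIN_HITS):
    """Return {process: summary} for non-browser processes that talk to the Sheets
    API at least min_hits times. The summary records how many requests were
    writes (results or exfiltrated data going up), whether the process also
    refreshed an OAuth token, and the median gap between requests (a steady gap
    suggests polling for tasking rather than interactive use)."""
    per_proc = defaultdict(lambda: {"times": [], "writes": 0, "token_refresh": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["process"] in allowlist:
            continue
        if ev["host"] in OAUTH_HOSTS and ev["path"].startswith("/token"):
            per_proc[ev["process"]]["token_refresh"] = True
        elif ev["host"] in SHEETS_HOSTS:
            entry = per_proc[ev["process"]]
            entry["times"].append(ev["ts"])
            if ev["method"] in ("POST", "PUT"):
                entry["writes"] += 1

    findings = {}
    for proc, entry in per_proc.items():
        times = sorted(entry["times"])
        if len(times) < min_hits:
            continue
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        findings[proc] = {
            "hits": len(times),
            "writes": entry["writes"],
            "token_refresh": entry["token_refresh"],
            "median_interval_s": median(gaps) if gaps else None,
        }
    return findings


if __name__ == "__main__":
    for proc, summary in find_sheets_beacons(SAMPLE_LOG).items():
        print(proc, summary)
```

The combination that matters is a non-browser binary doing its own OAuth token refresh and then polling a spreadsheet on a fixed cadence; any one of those alone is noisy, together they describe the channel the page reports.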

Conclusion

The impact of the Voldemort cyber-espionage campaign on over 70 organizations, a quarter of them insurance companies, underscores the need for stronger defenses. Mitigations should include phishing awareness for lures that impersonate tax authorities, blocking or alerting on search-ms: and file:// links that resolve to external hosts, restricting outbound WebDAV and SMB connections to the internet, and monitoring for Google Sheets API traffic from processes that are not browsers; multi-factor authentication remains a baseline control against unauthorized access. The use of a legitimate cloud service for command-and-control shows how these threats evolve, and future campaigns are likely to lean further on cloud-based services, so detection and response need to keep pace with advanced persistent threats.

References

[1] https://www.infosecurity-magazine.com/news/scores-organizations-voldemort/
[2] https://www.techradar.com/pro/security/voldemort-espionage-malware-hits-organizations-across-the-globe
[3] https://gbhackers.com/voldemort-abusing-google-sheets/
[4] https://thehackernews.com/2024/08/cyberattackers-exploit-google-sheets.html