Cybersecurity researchers have identified a new malware campaign that uses Google Sheets as a command-and-control (C2) channel.
Proofpoint first detected this activity on August 5, 2024. The campaign impersonates tax authorities from various governments in Europe, Asia, and the U.S., aiming to target more than 70 organizations globally with a customized tool called Voldemort, which is designed to collect information and deliver additional malicious payloads.
The targeted sectors include insurance, aerospace, transportation, academia, finance, technology, industrial, healthcare, automotive, hospitality, energy, government, media, manufacturing, telecommunications, and social benefit organizations.
The suspected cyber espionage campaign has not been definitively linked to a known threat actor. It is believed that up to 20,000 emails have been dispatched as part of the attack.
These emails, masquerading as communications from tax authorities in the U.S., U.K., France, Germany, Italy, India, and Japan, notify recipients of updates to their tax filings and prompt them to click on Google AMP Cache URLs, which redirect them to an intermediary landing page.
This page checks the User-Agent string to determine if the operating system is Windows. If so, it uses the search-ms: URI protocol handler to present a Windows shortcut (LNK) file that is disguised as a PDF via Adobe Acrobat Reader, in an attempt to deceive the user into opening it.
“If the LNK file is executed, it triggers PowerShell to run Python.exe from a WebDAV share on a different server, passing a Python script from another shared directory on the same host as an argument,” explained Proofpoint researchers Tommy Madjar, Pim Trouerbach, and Selena Larson.
“This method allows the script to run without downloading any files to the local machine, as the required dependencies are loaded directly from the WebDAV share.”
The Python script is intended to collect system information and send the data as a Base64-encoded string to a domain controlled by the attacker. Afterward, it displays a decoy PDF to the user and downloads a password-protected ZIP file from OpenDrive.
This ZIP file contains two items: a legitimate executable, “CiscoCollabHost.exe“, which is vulnerable to DLL side-loading, and a malicious DLL, “CiscoSparkLauncher.dll” (also known as Voldemort), which is sideloaded.
Voldemort is a custom backdoor written in C that enables data collection and the deployment of additional payloads. The malware utilizes Google Sheets for C2 communication, data exfiltration, and executing commands from the attackers.
Proofpoint characterized the activity as consistent with advanced persistent threats (APT) but with a “cybercrime vibe” due to the use of techniques commonly seen in e-crime.
“Threat actors are exploiting file schema URIs to access external file-sharing resources for malware staging, specifically WebDAV and Server Message Block (SMB),” the researchers noted. “This is done by using the ‘file://’ schema to point to a remote server hosting the malicious content.”
This tactic has become increasingly common among malware families that function as initial access brokers (IABs), such as Latrodectus, DarkGate, and XWorm.
Additionally, Proofpoint was able to examine the Google Sheet’s contents, identifying six victims in total, including one believed to be either a sandbox or a known researcher.
The campaign has been described as unusual, suggesting that the threat actors may have cast a wide net before focusing on a smaller group of targets. It’s also possible that the attackers, who may possess varying levels of technical expertise, intended to compromise several organizations.
“While many aspects of the campaign suggest cybercriminal activity, we believe this is more likely an espionage operation aimed at achieving currently unknown objectives,” the researchers stated.
“The combination of sophisticated and clever techniques with rudimentary methods creates a challenge in accurately gauging the threat actor’s capabilities and definitively determining the ultimate goals of this campaign.”
This development coincides with Netskope Threat Labs’ discovery of an updated version of the Latrodectus malware (version 1.4), which now features a new command-and-control (C2) endpoint and introduces two additional backdoor commands. These commands enable the malware to download shellcode from a designated server and retrieve arbitrary files from a remote location.
“Latrodectus has been evolving rapidly, incorporating new features into its payload,” said security researcher Leandro Fróes. “Understanding these updates allows defenders to properly configure automated defenses and use the information for proactively hunting new variants.”
Source: TheHackerNews
