Voldemort Malware Unveiled: New Attack Chain Discovered
In August of this year, researchers from Proofpoint uncovered an unusual campaign distributing malware, which the attackers have dubbed Voldemort. This malware is suspected of engaging in espionage, possessing capabilities for information gathering and the downloading of additional components.
The identified malicious campaign is distinguished by its unconventional methods, including the use of Google Sheets to facilitate C2 (Command and Control) functionality, a rarity in similar malicious operations. The attackers impersonated tax authorities from various countries, including the United States, the United Kingdom, France, Germany, Italy, India, and Japan, and sent fraudulent notifications of tax changes to organizations worldwide.
Since August 5, 2024, the attackers have sent over 20,000 messages to 70 organizations globally. At the peak of the attack, on August 17, the number of messages surged to 6,000 per day. According to Proofpoint, the primary objective of the attackers appears to be intelligence gathering, although their ultimate goals remain unclear.
“Voldemort” is written in C and employs various techniques to conceal its activity, including disguising itself as ordinary files and executing through PowerShell without leaving traces on the victim’s computer. Notably, the malware utilizes legitimate tools, such as “CiscoCollabHost.exe,” to perform its functions.
The campaign is marked by the application of techniques characteristic of both cyber espionage and cybercrime. The attackers employ tactics such as exploiting files with the “.search-ms” extension to obfuscate their activity and mislead victims about the source of the threat.
Despite the scale and complexity of the attack, Proofpoint has not been able to definitively attribute the activity to any specific group. Experts speculate that it could be the work of a new or little-known group with both basic and advanced skills.
The “Voldemort” malware actively utilizes Google Sheets for data exchange between infected systems and the command server, making it unique in its approach. At the same time, the use of such tools highlights that even espionage groups can adopt techniques typical of cybercriminals, complicating their detection and attribution.
Experts recommend that organizations take measures to strengthen their defenses, including restricting access to external file storage and blocking suspicious network connections.
