As a result of Proofpoint researchers' research, in August 2024, they discovered an unusual campaign in which custom malware was being delivered by a novel attack chain. Cybercriminals are believed to have named the malware "Voldemort" based on the internal file names and strings used in it.  As part of the attack chain, multiple tactics have been employed, some of which are currently popular in the threat landscape, while others are less common, such as using Google Sheets as a program for command and control (C2). 

It is noteworthy that in addition to tactical, technical, and procedural (TTPs) components, it takes advantage of a lure theme impersonating the government agencies of a variety of countries, and it uses odd file naming and passwords such as "test". Several researchers initially suspected that the activity may be a red team, but analysis of the malware and the number of messages indicated that it was a threat actor very quickly.   

There has been an aggressive malware campaign known as "Voldemort" launched against organizations all over the world, impersonating tax authorities in Europe, Asia, and the U.S. Since the malicious activity was launched on Aug. 5, more than 20,000 phishing messages were reported worldwide by dozens of companies. According to Proofpoint, over 20,000 phishing messages were reported during the last three months. 

A custom backdoor has been written in C and was designed to enable data exfiltration and the deployment of additional malicious payloads, as well as the exfiltration of data itself. The exploit is based on an exploit that takes advantage of a browser extension called 'Google Sheets' to be used as the C2 communication tool for the attack, and files that are infected with a malicious Windows search protocol are used to carry out the attack. 

As soon as the victim downloads the malware, it uses WebEx software to load a DLL that communicates with the C2 server using a legitimate version of WebEx software. There are several attack chains outlined in this attack chain, which include a variety of techniques currently common in the threat landscape, as well as a variety of rarely used methods of command and control (C2) such as the use of Google Sheets. 

Various tactics, techniques, and procedures (TTP) have been applied to it in combination with lure themes impersonating government agencies of various countries as well as its strange file naming and passwords, such as "test". Initial suspicions were that this activity might have been the work of a red team, but the large volume of messages and an analysis of the malware indicated that it was the work of a threat actor very quickly.   

In Proofpoint's assessment, there is a moderate amount of confidence that this is likely the actions of an advanced persistent threat (APT) actor that is seeking to gather intelligence. Although Proofpoint is well-versed in identifying named threat actors, it is still not confident enough with the data available to attribute a specific TA with high certainty. There is no doubt that some aspects of the malware, such as the widespread targeting and characteristics, are associated more often with cybercrime activity, but the nature of the malware does not appear to be motivated by financial gain at this time, but more by espionage.  

Powered by C, Voldemort is a custom backdoor that was written to gather information. As well as the capability to gather information, it also can drop additional payloads on the target. As Proofpoint discovered, Cobalt Strike was being hosted on the actor's infrastructure, and that would likely be one of the payloads that is being delivered by the actor.   There was a significant increase in phishing emails sent daily by the hackers beginning on August 17, when nearly 6,000 emails appeared to be impersonating tax agencies, which was high, according to the researchers. 

In addition to the Internal Revenue Service (IRS) in the United States, the HM Revenue & Customs in the United Kingdom, and the Direction Générale des Finances Publiques in France joined the list of potential regulators. A layer of credibility was added to the lures by crafting the phishing email in the native language of the respective tax authority, adding a high degree of legitimacy to the message. As part of their authenticity, the emails received from what appeared to be compromised domains contained the legitimate domain names of the tax agencies, to make them appear more genuine. 

There is no definitive answer to the overall objective of the campaign, though Proofpoint researchers say it seems likely that the campaign is aimed at espionage, given Voldemort's intelligence-gathering capacities as well as his ability to deploy additional payloads into the mainstream. There are more than half of all targeted organizations fall into the sectors of insurance, aerospace, transportation, and education. 

The threat actor behind this campaign is unknown, but Proofpoint believes that it may be engaged in cyber espionage operations as a means of obtaining information. Likewise, the messages also contain Google AMP Cache URLs that redirect to the landing page on InfinityFree, as well as a direct link to the landing page, which is included in the campaign later on. Towards the bottom of the landing page, there is a button that says "Click to view the document", which when clicked, checks the User Agent or software in the browser. 

When the User Agent contains "Windows," the browser is automatically redirected to a search-ms URI, which points to a TryCloudflare-tunneled URI ending in .search-ms. This redirection prompts the victim to open Windows Explorer, although the specific query responsible for this action remains hidden from the victim, leaving only a popup visible. Concurrently, an image is loaded from a URL ending in /stage1 on an IP address that is managed by the logging service pingb.in. This service enables the threat actor to record a successful redirect and collect additional browser and network information about the victim. 

A distinguishing feature of the Voldemort malware is its use of Google Sheets as a command and control (C2) server. The malware pings Google Sheets to retrieve new commands to execute on the compromised device and to serve as a repository for exfiltrated data. Each infected machine writes its data to specific cells within the Google Sheet, which are often designated by unique identifiers, such as UUIDs. This method ensures that data from different breached systems remains isolated, allowing for more efficient management. 

Voldemort interacts with Google Sheets using Google's API, relying on an embedded client ID, secret, and refresh token, all of which are stored in its encrypted configuration. This strategy offers malware a dependable and widely available C2 channel while minimizing the chances of its network communications being detected by security tools. Given that Google Sheets is commonly used in enterprise environments, blocking this service could be impractical, further reducing the likelihood of detection. 

In 2023, the Chinese advanced persistent threat (APT) group APT41 was observed using Google Sheets as a C2 server, employing the red-teaming GC2 toolkit to facilitate this activity. To defend against such campaigns, security firm Proofpoint recommends several measures: restricting access to external file-sharing services to trusted servers only, blocking connections to TryCloudflare when not actively required, and closely monitoring for suspicious PowerShell executions. These steps are advised to mitigate the risks posed by the Voldemort malware and similar threats.