Cybersecurity researchers have uncovered a novel malware campaign that leverages Google Sheets as a command-and-control (C2) mechanism.
The activity, detected by Proofpoint starting August 5, 2024, impersonates tax authorities from governments in Europe, Asia, and the U.S., with the goal of targeting over 70 organizations worldwide by means of a bespoke tool called Voldemort that’s equipped to gather information and deliver additional payloads.
Targeted sectors include insurance, aerospace, transportation, academia, finance, technology, industrial, healthcare, automotive, hospitality, energy, government, media, manufacturing, telecom, and social benefit organizations.
The suspected cyber espionage campaign has not been attributed to a specific named threat actor. As many as 20,000 email messages have been sent as part of the attacks.
These emails claim to be from tax authorities in the U.S., the U.K., France, Germany, Italy, India, and Japan, alerting recipients about changes to their tax filings and urging them to click on Google AMP Cache URLs that redirect users to an intermediate landing page.
What the page does is inspect the User-Agent string to determine if the operating system is Windows, and if so, leverage the search-ms: URI protocol handler to display a Windows shortcut (LNK) file that uses an Adobe Acrobat Reader to masquerade as a PDF file in an attempt to trick the victim into launching it.
“If the LNK is executed, it will invoke PowerShell to run Python.exe from a third WebDAV share on the same tunnel (library), passing a Python script on a fourth share (resource) on the same host as an argument,” Proofpoint researchers Tommy Madjar, Pim Trouerbach, and Selena Larson said.
“This causes Python to run the script without downloading any files to the computer, with dependencies being loaded directly from the WebDAV share.”
The Python script is designed to gather system information and send the data in the form of a Base64-encoded string to an actor-controlled domain, after which it shows a decoy PDF to the user and downloads a password-protected ZIP file from OpenDrive.
The ZIP archive, for its part, contains two files, a legitimate executable “CiscoCollabHost.exe” that’s susceptible to DLL side-loading and a malicious DLL “CiscoSparkLauncher.dll” (i.e., Voldemort) file that’s sideloaded.
Voldemort is a custom backdoor written in C that comes with capabilities for information gathering and loading next-stage payloads, with the malware utilizing Google Sheets for C2, data exfiltration, and executing commands from the operators.
Proofpoint described the activity as aligned to advanced persistent threats (APT) but carrying “cybercrime vibes” owing to the use of techniques popular in the e-crime landscape.
“Threat actors abuse file schema URIs to access external file sharing resources for malware staging, specifically WebDAV and Server Message Block (SMB). This is done by using the schema ‘file://’ and pointing to a remote server hosting the malicious content,” the researchers said.
This approach has been increasingly prevalent among malware families that act as initial access brokers (IABs), such as Latrodectus, DarkGate, and XWorm.
Furthermore, Proofpoint said it was able to read the contents of the Google Sheet, identifying a total of six victims, including one that’s believed to be either a sandbox or a “known researcher.”
The campaign has been branded unusual, raising the possibility that the threat actors cast a wide net before zeroing in on a small pool of targets. It’s also possible that the attackers, likely with varying levels of technical expertise, planned to infect several organizations.
“While many of the campaign characteristics align with cybercriminal threat activity, we assess this is likely espionage activity conducted to support as yet unknown final objectives,” the researchers said.
“The Frankensteinian amalgamation of clever and sophisticated capabilities, paired with very basic techniques and functionality, makes it difficult to assess the level of the threat actor’s capability and determine with high confidence the ultimate goals of the campaign.”
The development comes as Netskope Threat Labs uncovered an updated version of the Latrodectus (version 1.4) that comes with a new C2 endpoint and adds two new backdoor commands that allow it to download shellcode from a specified server and retrieve arbitrary files from a remote location.
“Latrodectus has been evolving pretty fast, adding new features to its payload,” security researcher Leandro Fróes said. “The understanding of the updates applied to its payload allows defenders to keep automated pipelines properly set as well as use the information for further hunting for new variants.”