70 Organizations Have Been Hit by a New Malware Called “Voldemort”
- Cybersecurity researchers at Proofpoint have discovered a new malware called Voldemort that's been terrorizing organizations through phishing emails.
- It has already claimed 70 victims.
- Neither the main attacker nor the objective of the campaign has been identified yet. However, cyber espionage is believed to be one of the main goals.
A brand new malware called "Voldemort" has been terrorizing organizations across Europe, Asia, and the US. The organizations belong to different industries such as transportation, insurance, education, and aerospace, and the campaign has already claimed 70 victims. However, there's no information about the mastermind behind the campaign yet.
The campaign was first noticed by cybersecurity researchers at Proofpoint, who also published a detailed analysis of it.
Image credit: Proofpoint
The attacks started on August 5, 2024, and in less than a month, more than 20,000 malicious emails have been sent out to those 70 organizations, reaching up to 6,000 emails per day at the peak of the campaign.
In these emails, the attackers impersonate tax authorities from the organization's country and claim that there's updated tax information. The email also contains attached links to some so-called documents.
Once the victim clicks the link, it takes the user to a landing page hosted on InfinityFree. This page, using Google AMP Cache URLs, redirects the victim to another page that has a button labeled "Click To View Document".
- When that button is clicked, the page checks whether the victim is a Windows user. If not, then they are redirected to a harmless, empty Google Drive URL.
- But if the victim is a Windows user, they are redirected to a search-ms URI (Windows Search Protocol) that leads to a TryCloudflare-tunneled URI.
- At this stage, if the victim interacts with the file, it triggers Windows Explorer, which displays a LNK or ZIP file disguised as a PDF. This PDF serves as a decoy while the malware begins collecting information from the system.
- At the same time, it also downloads a legitimate Cisco WebEx executable (CiscoCollabHost.exe) and a malicious DLL (CiscoSparkLauncher.dll) that is used to drop Voldemort.
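As an added defender-side example (not code from the article or from Proofpoint), the function below triages links of the shape described in the chain above: it parses a search-ms: URI, pulls the host out of its crumb=location: parameter (the WebDAV UNC form \\host@SSL\DavWWWRoot\...), and flags hosts under trycloudflare.com. The sample links are constructed for illustration, not real indicators from the campaign.

```python
import re
from urllib.parse import unquote

# Constructed sample links (not real indicators): one search-ms: URI whose
# crumb=location: points at a WebDAV share on a TryCloudflare quick tunnel,
# one pointing at an internal file server, and two that carry no remote location.
SAMPLE_LINKS = [
    "search-ms:query=Tax%20Document&crumb=location:%5C%5Cexample-words.trycloudflare.com%40SSL%5CDavWWWRoot%5Cdocs&displayname=Downloads",
    "search-ms:query=report&crumb=location:%5C%5Cfileserver.corp.local%5Cshare&displayname=Shared",
    "https://drive.google.com/file/d/EXAMPLE/view",
    "search-ms:query=invoice&displayname=Downloads",
]

TRYCLOUDFLARE_RE = re.compile(r"(?:^|\.)trycloudflare\.com$", re.IGNORECASE)

def parse_search_ms(link):
    """Return the parameters of a search-ms: URI as a dict, or None if it is not one."""
    if not link.lower().startswith("search-ms:"):
        return None
    params = {}
    for part in link[len("search-ms:"):].split("&"):
        key, sep, value = part.partition("=")
        if sep:
            params[key.lower()] = unquote(value)
    return params

def crumb_location_host(params):
    """Extract the host from a 'crumb=location:\\\\host[@SSL]\\path' parameter."""
    crumb = params.get("crumb", "")
    if not crumb.lower().startswith("location:"):
        return None
    location = crumb[len("location:"):].lstrip("\\/")
    host = re.split(r"[\\/]", location, maxsplit=1)[0]
    return host.split("@", 1)[0].lower()   # drop the WebDAV "@SSL" suffix

def classify_link(link):
    """'trycloudflare-search-ms' if a search-ms: link targets a TryCloudflare tunnel,
    'remote-search-ms' if it targets any other remote host, otherwise 'benign'."""
    params = parse_search_ms(link)
    host = crumb_location_host(params) if params is not None else None
    if host is None:
        return "benign"   # not search-ms, or a search-ms with no remote location
    if TRYCLOUDFLARE_RE.search(host):
        return "trycloudflare-search-ms"
    return "remote-search-ms"

def triage(links):
    return {link: classify_link(link) for link in links}

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:24} {link}")
```

The same classifier can be run over URLs extracted from mail gateway or proxy logs; a remote search-ms: location is worth a look even when the host is not a TryCloudflare tunnel.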
Voldemort's primary purpose is to execute commands. It uses Google Sheets as a command and control (C2) server, which also doubles as the repository for stolen data.
Commands supported by the malware include:
- Testing the connectivity between the malware and the C2 system
- Uploading files from the C2 server to the target system
- Downloading files from the target system to the C2 servers
- Moving files within the system
- Copying files from the system
- Retrieving a directory from the target system
- Executing any other specific file or command on the system
- Putting the malware into sleep mode
- Terminating the malware when the job is done
Using Google Sheets with the help of Google's API ensures that its C2 channel is highly available and reliable. Plus, it reduces the risk of being detected by security tools.
Since the attacker is yet to be identified, it's hard to say for sure what their motive could be. However, upon examining the pattern, Proofpoint believes that cyber espionage is definitely one of the goals.
"Many of the techniques used in the campaign are observed more frequently in the cybercriminal landscape, demonstrating that actors engaging in suspected espionage activity often use the same TTPs as financially motivated threat actors." - Proofpoint
To protect yourself against these attacks, Proofpoint recommends blocking connections to TryCloudflare (if not needed), restricting access to external file-sharing services, and continuously monitoring for suspicious PowerShell execution.
The post "70 Organizations Have Been Hit by a New Malware Called Voldemort" appeared first on The Tech Report.