August 30, 2024 at 09:45AM
Researchers have discovered a sophisticated malware campaign using Google Sheets for command-and-control activities. The campaign targets various organizations worldwide, impersonating tax authorities to distribute a bespoke information-gathering tool called Voldemort. The malware utilizes advanced techniques while also exhibiting characteristics of cybercrime activity. Proofpoint experts believe the campaign is likely espionage-driven with unclear final objectives.
Key Takeaways from the Meeting Notes:
1. Cybersecurity researchers have identified a sophisticated malware campaign using Google Sheets as a command-and-control (C2) mechanism to target over 70 organizations worldwide.
2. The campaign impersonates tax authorities from governments in Europe, Asia, and the U.S. and has not been attributed to a specific named threat actor.
3. The malware campaign involves sending emails with Google AMP Cache URLs that redirect users to an intermediate landing page, intending to trick victims into launching a malicious LNK file.
4. Once the LNK file is executed, it invokes PowerShell to run Python.exe from a WebDAV share, enabling the gathering of system information and sending it to an actor-controlled domain.
5. The decoy PDF shown to the user downloads a password-protected ZIP file from OpenDrive, containing a legitimate executable “CiscoCollabHost.exe” susceptible to DLL side-loading and a malicious DLL “CiscoSparkLauncher.dll” (i.e., Voldemort) file.
6. Voldemort is a custom backdoor written in C, utilizing Google Sheets for C2, data exfiltration, and executing commands from the operators.
7. The campaign has been classified as aligned with advanced persistent threats (APT) but also shows “cybercrime vibes” due to the use of techniques popular in the e-crime landscape.
8. Researchers have identified six victims, with the possibility that the threat actors cast a wide net before focusing on a small pool of targets.
9. Netskope Threat Labs uncovered an updated version of the Latrodectus (version 1.4), adding new C2 endpoint and backdoor commands for downloading shellcode and retrieving files from remote locations.
10. The campaign’s amalgamation of sophisticated capabilities and basic techniques makes it difficult to assess the threat actor’s capability and ultimate goals with high confidence.
If you have any specific questions or need further details, feel free to ask.