September 3, 2024
Severity
High
Analysis Summary
Posing as tax agencies from the United States, Europe, and Asia, a new malware campaign is infecting businesses worldwide with "Voldemort", a previously unreported backdoor.
The campaign began on August 5, 2024, and has since delivered over 20,000 emails to more than 70 targeted organizations, peaking at 6,000 emails in a single day. The insurance, aerospace, transportation, and education sectors account for more than half of the targeted firms. Although the threat actor behind the campaign is unknown, researchers assess cyber espionage as the most likely goal.
According to a recent analysis, the attackers tailor the phishing emails to the location of each targeted firm using publicly available data. The emails impersonate tax officials from the country where the firm is based, claiming to provide updated tax information along with links to related documents. Clicking the link takes the victim to an InfinityFree landing page, which uses Google AMP Cache URLs to redirect to a page with a "Click to view document" button.
When the button is clicked, the page checks the browser's User Agent; if it indicates Windows, the user is redirected to a search-ms URI (Windows Search Protocol) that points at a resource tunneled through TryCloudflare. Non-Windows users are forwarded to an empty Google Drive URL that contains no malicious content. If the victim interacts with the search-ms result, Windows Explorer shows an LNK or ZIP file masquerading as a PDF.
The search-ms URI has grown in popularity in phishing campaigns because, although the file is hosted on an external WebDAV/SMB share, it is presented as if it were local in the Downloads folder, which tricks the victim into opening it. Opening it executes a Python script from another WebDAV share, without downloading it to the host, that gathers system information to profile the victim. A decoy PDF is displayed at the same time to hide the malicious activity.
The script also downloads a legitimate Cisco WebEx executable (CiscoCollabHost.exe) and a malicious DLL (CiscoSparkLauncher.dll), and loads Voldemort through DLL side-loading. Voldemort is a C-based backdoor capable of executing a variety of commands and file-management tasks, including file deletion, exfiltration, and deploying new payloads on the system.
One noteworthy aspect of Voldemort is its use of Google Sheets both as storage for stolen data and as a command-and-control (C2) server, which it polls for fresh commands to execute on the compromised device. Data from each compromised machine is written to designated cells in the sheet, identified by UUIDs, which keeps the compromised systems separated and easier for the operator to monitor.
To connect to Google Sheets, Voldemort uses Google's API with an embedded client ID, secret, and refresh token, stored in an encrypted configuration. Besides giving the malware a reliable and highly available C2 channel, this approach reduces the chance that its network traffic is flagged by security systems. Because Google Sheets is widely used in businesses, blocking the service is also impractical.
The Chinese threat group APT41 was previously observed in 2023 using the GC2 red-teaming toolset to employ Google Sheets as a command-and-control server. To counter this campaign, experts advise disabling connections to TryCloudflare when not in use, restricting external file-sharing services to trusted servers, and monitoring for suspicious PowerShell execution.
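The delivery step above hinges on a search-ms URI whose location crumb points Windows Explorer at a remote WebDAV/SMB share while the display name makes the results look like a local folder. The following detection logic, added here as an example and not part of the original advisory, parses constructed URL-open events and flags exactly those traits: an external share host, a TryCloudflare tunnel hostname, and a display name that mimics a local folder. The event format, the internal-host allowlist, and the `abcd-1234.trycloudflare.com` hostname are assumptions.

```python
"""Flag search-ms: URIs that point Windows Explorer at an external WebDAV/SMB share.

Constructed example for this advisory, not code from the original page. The event
format (timestamp, client IP, action, URL) and the internal-host allowlist are assumptions.
"""
import re
from urllib.parse import parse_qs

# Shares we consider internal; any other location crumb is treated as external (assumption).
INTERNAL_HOSTS = {"files.corp.example"}
# Folder names a lure would use so the remote share looks like a local folder.
LOCAL_LOOKING_NAMES = {"downloads", "desktop", "documents"}

SEARCH_MS_RE = re.compile(r"search-ms:(?P<params>[^\s\"'<>]+)", re.IGNORECASE)
# crumb=location:\\host@SSL\DavWWWRoot\... or \\host\share; capture the host part only.
LOCATION_RE = re.compile(r"location:\\\\(?P<host>[^\\@/]+)", re.IGNORECASE)


def analyze_url_event(line):
    """Return None if the line carries no search-ms URI, else a verdict dict."""
    m = SEARCH_MS_RE.search(line)
    if m is None:
        return None
    # parse_qs percent-decodes the values, so the backslashes in the crumb come back intact.
    params = parse_qs(m.group("params"), keep_blank_values=True)
    hosts = []
    for crumb in params.get("crumb", []):
        lm = LOCATION_RE.search(crumb)
        if lm:
            hosts.append(lm.group("host").lower())
    displayname = params.get("displayname", [""])[0]

    reasons = []
    external = [h for h in hosts if h not in INTERNAL_HOSTS]
    if external:
        reasons.append("location crumb points at external share: " + ", ".join(external))
    if any(h.endswith(".trycloudflare.com") for h in hosts):
        reasons.append("share reached through a TryCloudflare tunnel")
    if displayname.lower() in LOCAL_LOOKING_NAMES:
        reasons.append(f"display name '{displayname}' mimics a local folder")
    return {"hosts": hosts, "displayname": displayname,
            "reasons": reasons, "suspicious": bool(reasons)}


def scan_events(lines):
    """Return (line, verdict) pairs for every event judged suspicious."""
    out = []
    for line in lines:
        verdict = analyze_url_event(line)
        if verdict and verdict["suspicious"]:
            out.append((line, verdict))
    return out


# Constructed URL-open events: one lure-style redirect, one ordinary internal search, one plain page.
SAMPLE_EVENTS = [
    "2024-08-06T10:11:12Z 10.0.0.5 url-open search-ms:query=*.pdf"
    "&crumb=location:%5C%5Cabcd-1234.trycloudflare.com%40SSL%5CDavWWWRoot%5Cdocs&displayname=Downloads",
    "2024-08-06T10:12:40Z 10.0.0.8 url-open search-ms:query=report"
    "&crumb=location:%5C%5Cfiles.corp.example%5Cshared&displayname=Search%20Results",
    "2024-08-06T10:13:05Z 10.0.0.9 url-open https://intranet.corp.example/",
]

if __name__ == "__main__":
    for line, verdict in scan_events(SAMPLE_EVENTS):
        print(verdict["reasons"], "<-", line)
```

Only the first event is flagged, and on all three counts; the internal search with a neutral display name passes, and the plain HTTPS URL is not a search-ms event at all. The display-name check is what separates a lure from a legitimate remote search, so keep it even if you tune the host allowlist.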
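The two endpoint behaviours described above (a legitimate signed executable side-loading a DLL dropped next to it, and a non-browser process talking to the Google Sheets API) are each weak on their own but strong together. The example below, added here and not code from the original advisory, runs both checks over constructed image-load and network-connect events and groups the findings per process image so the two signals reinforce each other. The event schema, the `image_signed`/`loaded_signed` fields, and the allowlist of processes expected to reach Sheets are assumptions; the file pair `CiscoCollabHost.exe` / `CiscoSparkLauncher.dll` is the one named in the advisory.

```python
"""Correlate constructed endpoint telemetry for DLL side-loading and Google Sheets C2 use.

Added example for this advisory, not code from the original page. Event fields,
signing flags and the Sheets allowlist are assumptions.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SHEETS_API_HOST = "sheets.googleapis.com"
# Processes expected to reach the Sheets API in this environment (assumption).
SHEETS_ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "excel.exe"}
# Host executable / DLL pair named in the advisory.
KNOWN_SIDELOAD_PAIRS = {("ciscocollabhost.exe", "ciscosparklauncher.dll")}


def is_user_writable(directory):
    return directory.lower().startswith(USER_WRITABLE_PREFIXES)


def check_image_load(ev):
    """Reasons an ImageLoad event looks like DLL side-loading (empty list if benign)."""
    exe = PureWindowsPath(ev["image"])
    dll = PureWindowsPath(ev["loaded"])
    reasons = []
    if dll.suffix.lower() != ".dll":
        return reasons
    if (exe.name.lower(), dll.name.lower()) in KNOWN_SIDELOAD_PAIRS:
        reasons.append(f"known side-load pair {exe.name} / {dll.name}")
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    # Generic rule: a signed host binary loading an unsigned DLL from its own
    # user-writable directory is the classic side-loading shape.
    if same_dir and is_user_writable(str(dll.parent)) \
            and ev.get("image_signed") and not ev.get("loaded_signed"):
        reasons.append("signed process loads unsigned DLL from its own user-writable directory")
    return reasons


def check_network(ev):
    """Reasons a NetworkConnect event looks like Sheets-based C2 (empty list if benign)."""
    proc = PureWindowsPath(ev["image"]).name.lower()
    if ev["dest_host"].lower() == SHEETS_API_HOST and proc not in SHEETS_ALLOWED_PROCESSES:
        return [f"Google Sheets API contacted by non-browser process {proc}"]
    return []


def triage(events):
    """Group findings per process image so side-loading and C2 evidence accumulate together."""
    findings = defaultdict(list)
    for ev in events:
        if ev["type"] == "ImageLoad":
            reasons = check_image_load(ev)
        elif ev["type"] == "NetworkConnect":
            reasons = check_network(ev)
        else:
            reasons = []
        if reasons:
            findings[ev["image"].lower()].extend(reasons)
    return dict(findings)


# Constructed telemetry: two benign loads, one side-load, one expected and one unexpected Sheets connection.
SAMPLE_EVENTS = [
    {"type": "ImageLoad", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "image_signed": True, "loaded_signed": True},
    {"type": "ImageLoad", "image": r"C:\Users\bob\Downloads\CiscoCollabHost.exe",
     "loaded": r"C:\Users\bob\Downloads\CiscoSparkLauncher.dll", "image_signed": True, "loaded_signed": False},
    {"type": "ImageLoad", "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Program Files\Vendor\helper.dll", "image_signed": True, "loaded_signed": False},
    {"type": "NetworkConnect", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "dest_host": "sheets.googleapis.com"},
    {"type": "NetworkConnect", "image": r"C:\Users\bob\Downloads\CiscoCollabHost.exe",
     "dest_host": "sheets.googleapis.com"},
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(image)
        for r in reasons:
            print("  -", r)
```

The unsigned `helper.dll` under Program Files is deliberately not flagged: the generic rule requires a user-writable directory, which keeps ordinary vendor installs out of the alert stream. Because the advisory notes that blocking Google Sheets outright is impractical, the network check keys on which process makes the connection rather than on the destination alone.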
Impact
- Identity Theft
- Sensitive Information Theft
- Data Exfiltration
- Command Execution
Indicators of Compromise
IP
- 83.147.243.18
MD5
- d4a86784658abdde4d92e2d5e71bd92e
- 720af6d7cc9e3184da14c8f53520ed34
SHA-256
- 0b3235db7e8154dd1b23c3bed96b6126d73d24769af634825d400d3d4fe8ddb9
- fa383eac2bf9ad3ef889e6118a28aa57a8a8e6b5224ecdf78dcffc5225ee4e1f
SHA1
- 5d3749d0aa0102cde8d7859b784eb4474d00845c
- 9618906883d567bfe78dfdaf163dfa262104e7a2
URL
- https://pubs.infinityfreeapp.com/SA150_Notes_2024.html
- https://pubs.infinityfreeapp.com/IRS_P966.html
- https://pubs.infinityfreeapp.com/Notice_pour_remplir_la_N%C2%B0_2044.html
- https://pubs.infinityfreeapp.com/La_dichiarazione_precompilata_2024.html
- https://pubs.infinityfreeapp.com/Steuerratgeber.html
- https://od.lk/s/OTRfNzQ5NjQwOTJf/test.png
- https://od.lk/s/OTRfODQ1Njk2ODVf/2044_4765.pdf
- https://od.lk/s/OTRfODM5Mzc3NjFf/irs-p966.pdf
- https://od.lk/s/OTRfODM3MjM2NzVf/La_dichiarazione_precompilata_2024.pdf
- https://od.lk/s/OTRfODQ1NDc2MjZf/SA150_Notes_2024.pdf
- https://od.lk/s/OTRfODQ1NzA0Mjlf/einzelfragen_steuerbescheinigungen_de.pdf
- http://83.147.243.18/p/
- https://sheets.googleapis.com/v4/spreadsheets/16JvcER-0TVQDimWV56syk91IMCYXOvZbW4GTnb947eE/
- https://resource.infinityfreeapp.com/ABC_of_Tax.html
- https://resource.infinityfreeapp.com/0023012-317.html
- https://od.lk/s/OTRfODQ4ODE4OThf/logo.png
- https://od.lk/s/OTRfODQ5MzQ5Mzlf/ABC_of_Tax.pdf
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Maintain daily backups of all computer networks and servers.
- Keep operating systems and software up to date, as threat actors often exploit known vulnerabilities in outdated software; timely patching removes that opportunity.
- Implement strong password policies and multifactor authentication to make it harder for attackers to gain access.
- Provide regular security awareness training for employees that can help them recognize phishing emails and other types of social engineering attacks that are commonly used to spread malware.
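The first two remediation items ask you to block the indicators and sweep your environment for them. The example below, added here and not part of the original advisory, parses a subset of the IoC block above in the same "type heading / - value" layout, validates hash lengths, and matches the indicators against constructed proxy and file-hash records. URL indicators match exactly, or as a path prefix when the indicator ends in a slash (so the spreadsheet URL matches any call under that spreadsheet without flagging every `sheets.googleapis.com` request); hashes match case-insensitively. The log formats, the client IPs, and the file paths are assumptions.

```python
"""Sweep constructed proxy and file-hash logs for the indicators listed in this advisory.

Added example, not code from the original page. Log formats and file paths are assumptions;
the indicator values are copied from the advisory's IoC section.
"""
import re
from urllib.parse import urlsplit

# Subset of the advisory's IoC section, kept in its "type heading / - value" layout.
IOC_TEXT = """IP
- 83.147.243.18
MD5
- d4a86784658abdde4d92e2d5e71bd92e
SHA-256
- fa383eac2bf9ad3ef889e6118a28aa57a8a8e6b5224ecdf78dcffc5225ee4e1f
SHA1
- 5d3749d0aa0102cde8d7859b784eb4474d00845c
URL
- https://pubs.infinityfreeapp.com/IRS_P966.html
- http://83.147.243.18/p/
- https://sheets.googleapis.com/v4/spreadsheets/16JvcER-0TVQDimWV56syk91IMCYXOvZbW4GTnb947eE/
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA-256": 64}
ALGO_TO_TYPE = {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA-256"}
# Assumed proxy line layout: timestamp src_ip dst_ip method url status
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")
HASH_RE = re.compile(r"(?P<algo>md5|sha1|sha256)=(?P<digest>[0-9A-Fa-f]+)", re.IGNORECASE)


def normalize_url(url):
    """Lowercase scheme and host, keep the path as-is, drop query and fragment."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def parse_ioc_block(text):
    """Parse the advisory-style indicator block into sets keyed by indicator type."""
    iocs = {"IP": set(), "MD5": set(), "SHA1": set(), "SHA-256": set(), "URL": set()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- "):
            if current is None:
                raise ValueError("indicator value before any type heading")
            value = line[2:].strip()
            if current in HASH_LENGTHS:
                value = value.lower()
                if len(value) != HASH_LENGTHS[current] or not re.fullmatch(r"[0-9a-f]+", value):
                    raise ValueError(f"malformed {current} indicator: {value}")
            elif current == "URL":
                value = normalize_url(value)
            iocs[current].add(value)
        else:
            if line not in iocs:
                raise ValueError(f"unknown indicator type heading: {line}")
            current = line
    return iocs


def url_matches(url, ioc):
    """Exact match, or prefix match when the indicator names a directory (trailing slash)."""
    return url == ioc or (ioc.endswith("/") and url.startswith(ioc))


def match_proxy_line(line, iocs):
    m = PROXY_RE.match(line)
    if not m:
        return []
    hits = []
    if m["dst"] in iocs["IP"]:
        hits.append(("IP", m["dst"]))
    url = normalize_url(m["url"])
    hits.extend(("URL", ioc) for ioc in sorted(iocs["URL"]) if url_matches(url, ioc))
    return hits


def match_hash_line(line, iocs):
    hits = []
    for m in HASH_RE.finditer(line):
        kind = ALGO_TO_TYPE[m["algo"].lower()]
        digest = m["digest"].lower()
        if digest in iocs[kind]:
            hits.append((kind, digest))
    return hits


def sweep(proxy_lines, hash_lines, iocs):
    """Return one hit record per (indicator, line) match across both log sources."""
    hits = []
    for line in proxy_lines:
        hits += [{"kind": k, "indicator": v, "line": line} for k, v in match_proxy_line(line, iocs)]
    for line in hash_lines:
        hits += [{"kind": k, "indicator": v, "line": line} for k, v in match_hash_line(line, iocs)]
    return hits


IOCS = parse_ioc_block(IOC_TEXT)

# Constructed proxy records (destination IPs other than the indicator are documentation addresses).
PROXY_LOG = [
    "2024-08-06T09:12:44Z 10.0.0.7 203.0.113.10 GET https://pubs.infinityfreeapp.com/IRS_P966.html 200",
    "2024-08-06T09:13:02Z 10.0.0.7 83.147.243.18 GET http://83.147.243.18/p/ 200",
    "2024-08-06T09:15:30Z 10.0.0.7 203.0.113.20 GET https://sheets.googleapis.com/v4/spreadsheets/16JvcER-0TVQDimWV56syk91IMCYXOvZbW4GTnb947eE/values/A1 200",
    "2024-08-06T09:16:01Z 10.0.0.9 203.0.113.20 GET https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED-OTHER-ID/values/A1 200",
    "2024-08-06T09:17:45Z 10.0.0.9 203.0.113.30 GET https://intranet.corp.example/payroll 200",
]
# Constructed file inventory; paths are placeholders, the digest case is deliberately mixed.
HASH_INVENTORY = [
    r"C:\Users\bob\Downloads\sample.dll sha256=FA383EAC2BF9AD3EF889E6118A28AA57A8A8E6B5224ECDF78DCFFC5225EE4E1F",
    "C:\\Users\\bob\\Downloads\\notes.pdf sha256=" + "0" * 64,
    r"C:\Users\bob\AppData\Local\Temp\tmp1.bin md5=d4a86784658abdde4d92e2d5e71bd92e",
]

if __name__ == "__main__":
    for h in sweep(PROXY_LOG, HASH_INVENTORY, IOCS):
        print(f"[{h['kind']}] {h['indicator']} <- {h['line']}")
```

The `/p/` request produces two hits (IP and URL) for the same line, which is what you want when reconciling controls: a URL filter and a firewall rule should each have caught it. The request to a different spreadsheet ID is not flagged, consistent with the advisory's point that the Sheets service itself cannot simply be blocked.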