New Malware Campaign Uses Google Sheets to Exfiltrate Data

An advanced malware campaign, identified by cybersecurity researchers at Proofpoint in August 2024, has raised alarms across various sectors worldwide. The malware, dubbed “Voldemort,” is believed to be part of a suspected cyber espionage operation, targeting organizations in sectors such as aerospace, insurance, and education. What makes Voldemort particularly concerning is its novel method of exfiltrating data—through the use of Google Sheets as a command and control (C2) server.

The campaign was first detected in early August, with attackers disseminating over 20,000 phishing emails to targeted organizations. These emails, impersonating tax authorities from the victims’ respective countries, contained links leading to malicious websites. Once the link was clicked, users were redirected to a series of deceptive web pages, eventually leading to the download of the Voldemort malware.

Voldemort is a sophisticated backdoor, written in C, that offers a range of functionalities including file management, command execution, and data exfiltration. One of its most distinctive features is its use of Google Sheets not just for command and control but also for storing stolen data. Using client credentials embedded in the malware, it authenticates to Google’s API and communicates with Google Sheets, where it writes exfiltrated data into specific cells.

This method of using a legitimate cloud service as a C2 server is not just innovative but also highly effective in evading detection by traditional security tools. Since Google Sheets is a trusted platform, communication between the infected system and the Sheets API often goes unnoticed by network security measures. This reduces the likelihood of the malware being flagged by security systems, allowing the attackers to maintain persistence within the compromised networks.

The campaign has not been attributed to any known threat actor, but the scale and sophistication suggest that it could be the work of an advanced persistent threat (APT) group. The impersonation of tax authorities in the phishing emails highlights the attackers’ use of social engineering to increase the likelihood of successful intrusions.

As this campaign continues to evolve, cybersecurity experts are urging organizations to heighten their vigilance, particularly by enhancing their phishing defenses and monitoring unusual traffic to cloud services like Google Sheets. The use of such a widely trusted platform for malicious activities underscores the need for continuous adaptation in cybersecurity strategies.
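One way to act on the advice to monitor traffic to Google Sheets, shown as an added example that is not from the article or from Proofpoint: flag Sheets API requests made by processes that have no business calling it. The log format, host names, process names and allowlist are assumptions, and the sample records are constructed; it presumes endpoint or proxy telemetry that records the originating process.

```python
import csv
import io
from collections import defaultdict

SHEETS_API_HOST = "sheets.googleapis.com"

# Assumption: the only processes expected to reach the Sheets API in this environment.
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample records (not from the article).
# Fields: time, workstation, process, HTTP method, destination host, path
SAMPLE_LOG = """\
2024-08-05T09:00:01Z,WS-014,chrome.exe,GET,sheets.googleapis.com,/v4/spreadsheets/EXAMPLE_ID_A
2024-08-05T09:00:07Z,WS-022,updater_example.exe,GET,sheets.googleapis.com,/v4/spreadsheets/EXAMPLE_ID_B/values/A1
2024-08-05T09:00:09Z,WS-022,updater_example.exe,PUT,sheets.googleapis.com,/v4/spreadsheets/EXAMPLE_ID_B/values/B1
2024-08-05T09:05:09Z,WS-022,updater_example.exe,PUT,sheets.googleapis.com,/v4/spreadsheets/EXAMPLE_ID_B/values/B2
2024-08-05T09:06:00Z,WS-031,msedge.exe,GET,docs.google.com,/spreadsheets/d/EXAMPLE_ID_C/edit
2024-08-05T09:10:07Z,WS-022,updater_example.exe,GET,sheets.googleapis.com,/v4/spreadsheets/EXAMPLE_ID_B/values/A1
truncated line without enough fields
"""


def find_unexpected_sheets_clients(log_text, allowed=ALLOWED_PROCESSES):
    """Return {(workstation, process): {"reads": n, "writes": n}} for
    non-allowlisted processes that called the Sheets API."""
    findings = defaultdict(lambda: {"reads": 0, "writes": 0})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip malformed or truncated records
        _ts, host, process, method, dest, _path = (f.strip() for f in row)
        if dest.lower() != SHEETS_API_HOST:
            continue  # only direct API traffic is of interest here
        if process.lower() in allowed:
            continue  # expected client, e.g. a user's browser
        # Anything other than GET modifies the sheet, i.e. data leaving the host.
        kind = "reads" if method.upper() == "GET" else "writes"
        findings[(host, process.lower())][kind] += 1
    return dict(findings)


if __name__ == "__main__":
    hits = find_unexpected_sheets_clients(SAMPLE_LOG)
    for (host, proc), counts in sorted(hits.items()):
        print(f"{host} {proc}: {counts['reads']} reads, "
              f"{counts['writes']} writes to {SHEETS_API_HOST}")
```

The allowlist needs tuning per environment, since sanctioned automation and sync tools also call the Sheets API directly.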


Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.

