Voldemort Malware Exploiting Google Sheets


SUMMARY

A newly identified malware campaign uses Google Sheets as its command-and-control (C2) platform. The phishing emails impersonate national tax authorities of governments in Europe, Asia, and the United States, and the threat actors have targeted more than 70 organizations worldwide with a custom backdoor named Voldemort, built to exfiltrate data and deploy additional malicious payloads. Targeted sectors include insurance, aerospace, transportation, academia, finance, technology, industrial manufacturing, healthcare, automotive, hospitality, energy, government, media, telecommunications, and social welfare organizations.

TECHNICAL DETAILS

A recent Proofpoint report describes a phishing campaign in which the attackers tailor each email to the target organization's country, using publicly available information. The emails impersonate the organization's national tax authority, claim to provide updated tax information, and link to the supposed documents. Clicking the link redirects the recipient to a landing page hosted on InfinityFree, with the page URL masked behind Google AMP Cache. The page presents a "Click to view document" button which, when clicked, checks the browser's User-Agent string. If the browser reports Windows, the victim is redirected to a search-ms URI (the Windows Search protocol) that points at a share exposed through a TryCloudflare tunnel. Visitors on non-Windows platforms are sent to an empty Google Drive URL that delivers no malicious content.


When the victim accepts the search-ms prompt, Windows Explorer opens a search view that presents a LNK or ZIP file disguised as a PDF. The search-ms URI has become common in recent phishing campaigns because the search window can be labelled so that the file appears to sit in the victim's local Downloads folder, when it is actually hosted on an external WebDAV/SMB share. Opening the file runs a Python script from another WebDAV share without writing it to disk. The script profiles the victim by collecting system information while displaying a decoy PDF to hide its activity. It also downloads a legitimate Cisco WebEx executable (CiscoCollabHost.exe) together with a malicious DLL (CiscoSparkLauncher.dll); when the executable is launched it picks up the DLL through DLL side-loading, which in turn loads the Voldemort malware.
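
The delivery chain above leaves a distinctive trail in endpoint telemetry: a search-ms: URI whose location crumb points off-host, a script interpreter running code straight from a WebDAV share, and a DLL loaded by a vendor binary from a user-writable directory. The following Python is an added example (not Proofpoint's tooling and nothing from the campaign) of rules for those three stages, run over a handful of constructed Sysmon-style events. The tunnel hostname, user names and paths are made up; the crumb and displayname parameters of the search-ms URI are the standard Windows Search protocol parameters; the interpreter list and the set of user-writable directories are assumptions to tune per environment.

```python
import ntpath
import re
from urllib.parse import parse_qs

# Constructed Sysmon-style events (EID 1 process creation, EID 7 image load).
# Hostnames, users and paths are made up for this example; none are IOCs.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "command_line": r'"C:\Windows\explorer.exe" "search-ms:query=tax&crumb=location:'
                     r'\\words-example-tunnel.trycloudflare.com@SSL\DavWWWRoot\docs&displayname=Downloads"'},
    {"id": 1, "image": r"\\words-example-tunnel.trycloudflare.com@SSL\DavWWWRoot\py\python.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"python.exe \\words-example-tunnel.trycloudflare.com@SSL\DavWWWRoot\s\stage.py"},
    {"id": 7, "image": r"C:\Users\alice\AppData\Local\Temp\CiscoCollabHost.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\CiscoSparkLauncher.dll"},
    # Benign look-alikes: a local search-ms view and a local Python run.
    {"id": 1, "image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\explorer.exe" "search-ms:query=invoice&crumb=location:'
                     r'C:\Users\alice\Documents&displayname=Documents"'},
    {"id": 1, "image": r"C:\Python312\python.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"python.exe C:\work\report.py"},
]

SEARCH_MS = re.compile(r"""search-ms:([^"'\s]+)""", re.IGNORECASE)
REMOTE_LOCATION = re.compile(r"^(\\\\|//|https?://)", re.IGNORECASE)      # UNC path or URL
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@ssl(@\d+)?\\", re.IGNORECASE)        # \\host@SSL\DavWWWRoot\...
TUNNEL_HOST = re.compile(r"[a-z0-9-]+\.trycloudflare\.com", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)  # assumption
INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",         # assumption
                "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

def parse_search_ms(command_line):
    """Extract the search-ms: parameters (query, crumb, displayname, ...) from a command line."""
    m = SEARCH_MS.search(command_line)
    if not m:
        return None
    return {k.lower(): v[0] for k, v in parse_qs(m.group(1), keep_blank_values=True).items()}

def check_event(ev):
    """Return [(rule, reason), ...] for one event; an empty list means nothing matched."""
    findings = []
    blob = " ".join(str(ev.get(k, "")) for k in ("image", "command_line", "image_loaded"))
    exe = ntpath.basename(ev.get("image", "")).lower()
    if ev["id"] == 1:
        cmd = ev.get("command_line", "")
        params = parse_search_ms(cmd)
        if params:
            location = params.get("crumb", "")
            if location.lower().startswith("location:"):
                location = location[len("location:"):]
            if REMOTE_LOCATION.match(location):
                reason = f"search-ms view backed by remote location {location}"
                if params.get("displayname"):
                    reason += f", shown to the user as '{params['displayname']}'"
                findings.append(("SEARCH_MS_REMOTE", reason))
        if exe in INTERPRETERS and (WEBDAV_UNC.search(ev.get("image", "")) or WEBDAV_UNC.search(cmd)):
            findings.append(("INTERPRETER_FROM_WEBDAV", f"{exe} run with code on a WebDAV share: {cmd}"))
    elif ev["id"] == 7:
        dll = ntpath.basename(ev.get("image_loaded", "")).lower()
        if exe == "ciscocollabhost.exe" and dll == "ciscosparklauncher.dll" \
                and USER_WRITABLE.search(ev["image_loaded"]):
            findings.append(("WEBEX_SIDELOAD", f"{dll} loaded from user-writable path {ev['image_loaded']}"))
    m = TUNNEL_HOST.search(blob)
    if m:
        findings.append(("TRYCLOUDFLARE_TUNNEL", f"reference to quick-tunnel host {m.group(0)}"))
    return findings

def triage(events):
    """Run every rule over every event; returns [(event_index, rule, reason), ...]."""
    return [(i, rule, why) for i, ev in enumerate(events) for rule, why in check_event(ev)]

if __name__ == "__main__":
    for idx, rule, why in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {why}")
```

Run it as a script to print the findings. The search-ms rule keys on the crumb=location value rather than the file name because that is the part the attacker cannot hide; the side-load rule is deliberately narrow to the pair named in the report and should be widened to any signed executable loading an unsigned DLL from Temp or Downloads once signature data from the EDR is available.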


Voldemort is a backdoor written in C with a broad set of commands and file-management capabilities, including data exfiltration, deployment of additional payloads, and file deletion. Its most notable feature is the use of Google Sheets as its C2 server: the malware periodically polls a spreadsheet for new commands and writes exfiltrated data into specific cells, with each compromised host keyed by a unique identifier (a UUID) so that the operator can manage infections separately. It talks to Google Sheets through Google's API, authenticating with a client ID, client secret, and refresh token embedded in its encrypted configuration. The result is a reliable and resilient C2 channel whose traffic is HTTPS to a legitimate Google endpoint and therefore blends in with normal enterprise activity; because Google Sheets is so widely used, outright blocking the service is impractical for most organizations, which further helps the malware evade detection.
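
Because the C2 traffic is ordinary HTTPS to sheets.googleapis.com, the useful signal is who is talking rather than where. Where the proxy or endpoint agent records the originating process, a Sheets API call or a Google OAuth token request (the standard token endpoint is oauth2.googleapis.com) from a process that is not a browser, and one spreadsheet being polled and written by several hosts in that way, is the pattern to look for. The following Python is an added example, not code from Proofpoint or the advisory, of that logic over constructed, tab-separated proxy log lines; the log format, hostnames, process names, user agents and spreadsheet IDs are all made up, and the browser allowlist is an assumption to adjust to the environment.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (tab-separated: time, source host, process, destination
# host, method, path, user agent). Every value is made up for this example; the
# spreadsheet IDs are placeholders, not IOCs.
SAMPLE_LOG = """\
2024-08-20T10:01:02Z\tWS-0142\tCiscoCollabHost.exe\toauth2.googleapis.com\tPOST\t/token\tExampleHttpClient/1.0
2024-08-20T10:01:03Z\tWS-0142\tCiscoCollabHost.exe\tsheets.googleapis.com\tGET\t/v4/spreadsheets/EXAMPLE_C2_SHEET_ID_000000000000000000000/values/A1:C100\tExampleHttpClient/1.0
2024-08-20T10:01:09Z\tWS-0142\tCiscoCollabHost.exe\tsheets.googleapis.com\tPUT\t/v4/spreadsheets/EXAMPLE_C2_SHEET_ID_000000000000000000000/values/B7?valueInputOption=RAW\tExampleHttpClient/1.0
2024-08-20T10:02:41Z\tWS-0311\tCiscoCollabHost.exe\tsheets.googleapis.com\tGET\t/v4/spreadsheets/EXAMPLE_C2_SHEET_ID_000000000000000000000/values/A1:C100\tExampleHttpClient/1.0
2024-08-20T10:03:00Z\tWS-0007\tchrome.exe\tsheets.googleapis.com\tGET\t/v4/spreadsheets/EXAMPLE_FINANCE_SHEET_ID_00000000000000000/values/A1:C100\tMozilla/5.0 (Windows NT 10.0) Chrome/127.0
2024-08-20T10:03:05Z\tWS-0007\tchrome.exe\tdocs.google.com\tGET\t/spreadsheets/d/EXAMPLE_FINANCE_SHEET_ID_00000000000000000/edit\tMozilla/5.0 (Windows NT 10.0) Chrome/127.0
"""

GOOGLE_API_HOSTS = {"sheets.googleapis.com", "oauth2.googleapis.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}    # assumption: tune to the site's browsers
SHEET_ID = re.compile(r"/v4/spreadsheets/([A-Za-z0-9_-]+)")
WRITE_METHODS = {"PUT", "POST", "PATCH"}
FIELDS = ("time", "src", "process", "host", "method", "path", "ua")

def parse_log(text):
    """Parse the tab-separated sample format into one dict per request."""
    return [dict(zip(FIELDS, line.split("\t"))) for line in text.splitlines() if line.strip()]

def is_non_browser(row):
    """Prefer the recorded process name; fall back to the User-Agent when the proxy has none."""
    if row["process"] not in ("", "-"):
        return row["process"].lower() not in BROWSERS
    return not row["ua"].startswith("Mozilla/")

def analyze(rows):
    """Return [(row_index or None, rule, reason), ...] over the parsed requests."""
    findings = []
    hosts_per_sheet = defaultdict(set)   # spreadsheet id -> source hosts using it from non-browsers
    for i, r in enumerate(rows):
        if r["host"] not in GOOGLE_API_HOSTS or not is_non_browser(r):
            continue
        if r["host"] == "oauth2.googleapis.com" and r["method"] == "POST" and r["path"].startswith("/token"):
            findings.append((i, "OAUTH_TOKEN_NON_BROWSER",
                             f"{r['src']} {r['process']} obtained a Google OAuth token"))
            continue
        m = SHEET_ID.search(r["path"])
        if not m:
            continue
        sheet = m.group(1)
        hosts_per_sheet[sheet].add(r["src"])
        action = "write (possible exfiltration)" if r["method"] in WRITE_METHODS else "read (possible tasking)"
        findings.append((i, "SHEETS_API_NON_BROWSER", f"{r['src']} {r['process']} {action} on sheet {sheet}"))
    for sheet, hosts in hosts_per_sheet.items():
        if len(hosts) >= 2:
            findings.append((None, "SHEET_FAN_IN",
                             f"sheet {sheet} used by {len(hosts)} hosts from non-browser processes: {sorted(hosts)}"))
    return findings

if __name__ == "__main__":
    for idx, rule, why in analyze(parse_log(SAMPLE_LOG)):
        print(f"{'-' if idx is None else idx}: {rule}: {why}")
```

Expect legitimate non-browser clients of the Sheets API (automation scripts, desktop add-ins) in most environments, so baseline those processes before alerting on the per-request rules; the fan-in rule, one sheet read and written by several hosts from the same unexpected process, is the stronger indicator and matches the per-host cell layout described above.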


INDICATORS OF COMPROMISE (IOCs)

  • hxxps://pubs[.]infinityfreeapp[.]com/SA150_Notes_2024[.]html
  • hxxps://pubs[.]infinityfreeapp[.]com/IRS_P966[.]html
  • hxxps://pubs[.]infinityfreeapp[.]com/Notice_pour_remplir_la_N%C2%B0_2044[.]html
  • hxxps://pubs[.]infinityfreeapp[.]com/La_dichiarazione_precompilata_2024[.]html
  • hxxps://pubs[.]infinityfreeapp[.]com/Steuerratgeber[.]html
  • hxxps://od[.]lk/s/OTRfNzQ5NjQwOTJf/test[.]png
  • hxxps://od[.]lk/s/OTRfODQ1Njk2ODVf/2044_4765[.]pdf
  • hxxps://od[.]lk/s/OTRfODM5Mzc3NjFf/irs-p966[.]pdf
  • hxxps://od[.]lk/s/OTRfODM3MjM2NzVf/La_dichiarazione_precompilata_2024[.]pdf
  • hxxps://od[.]lk/s/OTRfODQ1NDc2MjZf/SA150_Notes_2024[.]pdf
  • hxxps://od[.]lk/s/OTRfODQ1NzA0Mjlf/einzelfragen_steuerbescheinigungen_de[.]pdf
  • hxxps://sheets[.]googleapis[.]com:443/v4/spreadsheets/16JvcER[1]0TVQDimWV56syk91IMCYXOvZbW4GTnb947eE/
  • hxxps://resource[.]infinityfreeapp[.]com/ABC_of_Tax[.]html
  • hxxps://resource[.]infinityfreeapp[.]com/0023012-317[.]html
  • hxxps://od[.]lk/s/OTRfODQ4ODE4OThf/logo[.]png
  • hxxps://od[.]lk/s/OTRfODQ5MzQ5Mzlf/ABC_of_Tax[.]pdf
  • hxxp://83[.]147[.]243[.]18/p/
  • pants-graphs-optics-worse[.]trycloudflare[.]com
  • ways-sms-pmc-shareholders[.]trycloudflare[.]com
  • recall-addressed-who-collector[.]trycloudflare[.]com
  • invasion-prisoners-inns-aging[.]trycloudflare[.]com
  • 0b3235db7e8154dd1b23c3bed96b6126d73d24769af634825d400d3d4fe8ddb9
  • 3fce52d29d40daf60e582b8054e5a6227a55370bed83c662a8ff2857b55f4cea
  • 561e15a46f474255fda693afd644c8674912df495bada726dbe7565eae2284fb
  • 6bdd51dfa47d1a960459019a960950d3415f0f276a740017301735b858019728
  • fa383eac2bf9ad3ef889e6118a28aa57a8a8e6b5224ecdf78dcffc5225ee4e1f


RECOMMENDATIONS

  • Implement advanced email filtering to detect and block phishing emails, especially those impersonating trusted entities such as tax authorities.
  • Regularly train employees to recognize phishing attempts and suspicious links, particularly links that redirect to unexpected domains.
  • Monitor network traffic for unusual patterns, such as non-browser processes communicating with the Google Sheets API or other cloud services, and for outbound WebDAV/SMB connections to Internet hosts, including TryCloudflare tunnels.
  • Deploy and keep updated endpoint detection and response (EDR) solutions to identify and block malicious scripts, unusual process executions (such as an interpreter launched from a remote share), DLL side-loading, and unauthorized file activity.
  • Limit the execution of macros, scripts, and URI protocol handlers such as search-ms, which malware can abuse to deliver payloads; where the Windows Search protocol is not needed, its handler can be unregistered by removing the HKEY_CLASSES_ROOT\search-ms key.
  • Ensure that access to cloud services such as Google Sheets is monitored and controlled through security policies and access restrictions.
  • Keep all software, especially operating systems and productivity tools, updated to protect against known vulnerabilities.

 

Critical Vulnerability in SonicWall Firewalls Allows Unauthorized Access

SUMMARY

SonicWall has issued patches for a critical vulnerability (CVE-2024-40766) in the SonicOS management interface of its firewalls. If exploited, the flaw could allow unauthorized access and, under some conditions, crash the device.


RISK SCORE

CVE-ID            CVSSv3
CVE-2024-40766    9.3


VULNERABILITY DETAILS

CVE-2024-40766 is an improper access control flaw in the SonicOS management interface. Exploitation could give an unauthenticated remote attacker unauthorized access to resources on the device and, under specific conditions, cause the firewall to crash.

The severity score of 9.3 reflects a network-based attack vector, low attack complexity, and the fact that exploitation requires neither authentication nor user interaction.


AFFECTED PRODUCTS

  • SonicWall Firewall Gen 5 devices (SOHO): 5.9.2.14-12o and older versions
  • SonicWall Firewall Gen 6 devices: 6.5.4.14-109n and older versions
  • SonicWall Firewall Gen 7 devices running SonicOS 7.0.1-5035 and earlier versions


RECOMMENDATIONS

  • Apply the latest security patches released by SonicWall:
    • SOHO (Gen 5 Firewalls) – 5.9.2.14-13o
    • Gen 6 Firewalls – 6.5.2.8-2n (for SM9800, NSsp 12400, and NSsp 12800)
    • Gen 6 Firewalls – 6.5.4.15-116n (for other Gen 6 Firewall appliances)
    • Gen 7 Firewalls – any SonicOS version higher than 7.0.1-5035 (SonicWall states the vulnerability is not reproducible above 7.0.1-5035 but still recommends installing the latest firmware)
  • If immediate patching is not possible, restrict firewall management access to trusted sources.
  • Disable firewall WAN management access from Internet sources as an additional precaution.
  • Watch the firewall logs for unusual management-access attempts or unexplained crashes.
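
Deciding which appliances still need the patch means comparing SonicOS version strings, which carry a dotted release number plus a build number and hotfix letter, against the per-generation fixed builds listed above, with a separate threshold for the SM9800/NSsp 12400/NSsp 12800 branch. The following Python is an added example (not a SonicWall tool) that parses those strings and applies the advisory's thresholds to a constructed inventory; the hostnames and models in the inventory are made up, and the assumption that the SM9800/NSsp models run the 6.5.2.x branch follows the advisory's wording.

```python
import re

# SonicOS version strings look like "6.5.4.14-109n" or "7.0.1-5035":
# dotted numbers, a dash, a build number and an optional hotfix letter.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([a-z]?)$")

def version_key(version):
    """Turn a SonicOS version string into a tuple that sorts in release order."""
    m = VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, int(m.group(2)), m.group(3)

# Thresholds from the advisory above. Gen 7 is expressed as the last affected build.
GEN5_FIRST_FIXED = "5.9.2.14-13o"
GEN6_FIRST_FIXED_SM_NSSP = "6.5.2.8-2n"      # SM9800, NSsp 12400, NSsp 12800
GEN6_FIRST_FIXED_OTHER = "6.5.4.15-116n"     # all other Gen 6 appliances
GEN7_LAST_AFFECTED = "7.0.1-5035"
GEN6_SM_NSSP_MODELS = {"sm9800", "nssp 12400", "nssp 12800"}

def is_vulnerable(generation, version, model=""):
    """True if a firewall of this generation/model running `version` is affected by CVE-2024-40766."""
    current = version_key(version)
    if generation == 5:
        return current < version_key(GEN5_FIRST_FIXED)
    if generation == 6:
        # Assumption: the SM9800/NSsp 12x00 models are on the 6.5.2.x branch the advisory
        # lists for them; every other Gen 6 appliance is measured against 6.5.4.15-116n.
        fixed = GEN6_FIRST_FIXED_SM_NSSP if model.strip().lower() in GEN6_SM_NSSP_MODELS \
            else GEN6_FIRST_FIXED_OTHER
        return current < version_key(fixed)
    if generation == 7:
        return current <= version_key(GEN7_LAST_AFFECTED)
    raise ValueError(f"unknown SonicWall firewall generation: {generation!r}")

# Constructed inventory: (hostname, model, generation, running version).
INVENTORY = [
    ("fw-branch-01", "TZ 600", 6, "6.5.4.14-109n"),
    ("fw-dc-core", "SM9800", 6, "6.5.2.8-2n"),
    ("fw-lab", "SOHO", 5, "5.9.2.14-12o"),
    ("fw-hq-01", "TZ 470", 7, "7.0.1-5035"),
    ("fw-hq-02", "TZ 470", 7, "7.1.1-7051"),
]

def triage(inventory):
    """Return the hostnames that still need patching, in inventory order."""
    return [host for host, model, gen, ver in inventory if is_vulnerable(gen, ver, model)]

if __name__ == "__main__":
    print("patch required:", triage(INVENTORY))   # ['fw-branch-01', 'fw-lab', 'fw-hq-01']
```

The comparison follows the advisory literally: a build is affected if it sorts below the first fixed build for its generation, or at or below 7.0.1-5035 for Gen 7. Treat the result as a triage list and confirm each device against the current vendor advisory, which may have been updated since this summary was written.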

 

Lazarus Group Exploits Windows Driver Zero-Day to Deploy Rootkit

SUMMARY

The Lazarus hacking group exploited a zero-day vulnerability in the Windows AFD.sys driver (CVE-2024-38193) to elevate privileges and install the FUDModule rootkit, which evades detection by disabling Windows monitoring features. Microsoft patched the vulnerability in August 2024. The flaw was used in a targeted campaign believed to be linked to attacks on Brazilian cryptocurrency professionals.


TECHNICAL DETAILS

The Lazarus group is infamous for large-scale cyberheists against financial and cryptocurrency firms that fund North Korea's weapons programs. In 2022 the US government attributed the $617 million cryptocurrency theft from Axie Infinity to the group, and it offers a reward of up to $5 million for information on the group's activities.


The North Korean Lazarus group used the zero-day flaw in the Windows Ancillary Function Driver for WinSock (AFD.sys), tracked as CVE-2024-38193, in a variation on the Bring Your Own Vulnerable Driver (BYOVD) technique. The vulnerability gave them kernel-level privileges, which they used to install the FUDModule rootkit, a tool designed to evade detection by disabling Windows monitoring mechanisms. What made this attack particularly dangerous is that AFD.sys ships by default on every Windows device: unlike a classic BYOVD attack, there was no third-party vulnerable driver to drop onto the host that Windows could block or security tools could flag.


Gen Digital researchers uncovered the attack in June 2024 and believe it is connected to a larger campaign in Brazil in which North Korean operators tracked as PUKCHONG (UNC4899) targeted cryptocurrency professionals. The attackers used social engineering, including fake job offers, to deliver a trojanized Python application that ultimately installed the malware.


The AFD.sys vulnerability was one of several zero-day flaws patched by Microsoft in August 2024. The Lazarus group has a history of exploiting similar vulnerabilities, including the Windows appid.sys and Dell dbutil_2_3.sys kernel drivers, to install the FUDModule rootkit in previous BYOVD attacks.


INDICATORS OF COMPROMISE (IOCs)

Avast's IOC repository on GitHub (avast/ioc, directory FudModule) provides YARA rules for the FUDModule rootkit.


RECOMMENDATIONS

  • Ensure all systems are updated with the latest security patches, including the August 2024 Patch Tuesday update.
  • Implement advanced monitoring solutions to detect unusual behavior related to drivers and kernel-level activities.
  • Maintain strict control over driver installations, allowing only trusted and verified drivers.
  • Employ endpoint protection solutions that can block the execution of known vulnerable drivers.
  • Utilize application whitelisting to prevent unapproved executables, including vulnerable drivers, from running.
  • Segment networks to limit the impact of any potential breaches, reducing the attack surface available to threat actors.
  • Conduct regular security awareness training to ensure employees are aware of the latest phishing and social engineering tactics used by groups like Lazarus.

