Researchers at the cybersecurity firm Proofpoint have uncovered a sophisticated malware campaign that uses Google Sheets as a command-and-control (C2) mechanism. The campaign, which began on August 5, 2024, has already targeted more than 70 organizations worldwide across sectors including insurance, aerospace, finance, technology, and healthcare.
The attackers are posing as tax authorities from countries including the U.S., U.K., France, Germany, Italy, India, and Japan. They have sent out as many as 20,000 phishing emails, falsely claiming updates to tax filings. These emails contain Google AMP Cache URLs that redirect recipients to an intermediate landing page. The landing page inspects the User-Agent string to determine whether the visitor is running Windows; if so, it uses the search-ms: URI protocol handler to display a Windows shortcut (LNK) file. The file, disguised as an Adobe Acrobat Reader PDF, is designed to trick users into opening it.
If the LNK file is opened, it launches PowerShell, which runs python.exe from a WebDAV share, with the Python script itself loaded from a second WebDAV share. This approach allows the script to run without any files being downloaded onto the victim's computer, which makes detection more difficult. The script gathers system information and sends it, Base64-encoded, to an attacker-controlled domain. Afterwards, a decoy PDF is displayed to the user and a password-protected ZIP file is downloaded from OpenDrive.
The ZIP file contains a legitimate executable, "CiscoCollabHost.exe", which is vulnerable to DLL side-loading, together with a malicious DLL named "CiscoSparkLauncher.dll", also known as Voldemort. Voldemort is a custom backdoor written in C, designed for information gathering and for loading additional payloads. What makes this malware particularly concerning is its use of Google Sheets for C2, data exfiltration, and command execution on behalf of its operators.
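The two host-level signals in the chain above, a PowerShell-spawned python.exe whose image lives on a remote WebDAV or SMB share, and CiscoCollabHost.exe loading CiscoSparkLauncher.dll from a user-writable directory, can be expressed as hunting rules over process-creation and image-load telemetry. The following is an added defender's example, not code from the Proofpoint report; it assumes Sysmon-style field names (EventID 1 and 7, Image, ParentImage, CommandLine, ImageLoaded), and the hosts, paths and script name in the sample events are constructed placeholders.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process creation, 7 = image load).
# Hosts, paths and the script name are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"\\203.0.113.10@80\DavWWWRoot\python.exe",
     "CommandLine": r"python.exe \\203.0.113.10@80\DavWWWRoot\stage.py"},
    {"EventID": 1,  # benign: locally installed Python started from Explorer
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Python312\python.exe",
     "CommandLine": r'"C:\Program Files\Python312\python.exe" C:\Users\alice\report.py'},
    {"EventID": 7,  # side-load: DLL next to the EXE in a user-writable folder
     "Image": r"C:\Users\alice\Downloads\CiscoCollabHost.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\CiscoSparkLauncher.dll"},
    {"EventID": 7,  # benign: same DLL name from the vendor's install directory
     "Image": r"C:\Program Files\Cisco Spark\CiscoCollabHost.exe",
     "ImageLoaded": r"C:\Program Files\Cisco Spark\CiscoSparkLauncher.dll"},
]

# A UNC image path (\\host\share\... or, for WebDAV, \\host@port\DavWWWRoot\...).
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def script_host_from_remote_share(ev):
    """PowerShell spawning python.exe whose image lives on a remote share (fileless staging)."""
    return (ev.get("EventID") == 1
            and ev["ParentImage"].lower().endswith("powershell.exe")
            and ev["Image"].lower().endswith("python.exe")
            and bool(UNC_PATH.match(ev["Image"])))


def sideload_from_writable_dir(ev):
    """CiscoCollabHost.exe loading CiscoSparkLauncher.dll from outside a trusted install path."""
    if ev.get("EventID") != 7:
        return False
    image, dll = ev["Image"].lower(), ev["ImageLoaded"].lower()
    return (image.endswith(r"\ciscocollabhost.exe")
            and dll.endswith(r"\ciscosparklauncher.dll")
            and not dll.startswith(TRUSTED_DIRS))


def hunt(events):
    """Return (rule name, event) pairs for every event that matches a rule."""
    rules = [script_host_from_remote_share, sideload_from_writable_dir]
    return [(r.__name__, ev) for ev in events for r in rules if r(ev)]


if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {ev['Image']} -> {ev.get('CommandLine', ev.get('ImageLoaded'))}")
```

On real telemetry, feed the same rules with events parsed from your EDR or Sysmon export; the trusted-directory list should be widened to wherever the vendor software is legitimately installed in your estate.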
Proofpoint researchers Tommy Madjar, Pim Trouerbach, and Selena Larson have described the activity as consistent with advanced persistent threat (APT) operations, but noted its similarities with cybercrime tactics. "Threat actors abuse file schema URIs to access external file-sharing resources for malware staging, specifically WebDAV and Server Message Block (SMB). This is done by using the schema 'file://' and pointing to a remote server hosting the malicious content," they said.
The campaign stands out due to its blend of sophisticated and basic techniques. Proofpoint was able to read the contents of the Google Sheet used in the C2 operations, identifying six victims, one of whom is believed to be either a sandbox or a known researcher. The wide net cast by the attackers suggests they may have been testing the waters before focusing on a smaller group of high-value targets.
“This Frankensteinian amalgamation of clever and sophisticated capabilities, paired with very basic techniques and functionality, makes it difficult to assess the level of the threat actor’s capability and determine with high confidence the ultimate goals of the campaign,” the researchers commented.
This discovery comes on the heels of another significant finding by Netskope Threat Labs, which recently detected an updated version of the Latrodectus malware. Version 1.4 of Latrodectus introduces a new C2 endpoint and two additional backdoor commands, allowing it to download shellcode and retrieve files from remote locations.
"Latrodectus has been evolving pretty fast, adding new features to its payload," said security researcher Leandro Fróes. "The understanding of the updates applied to its payload allows defenders to keep automated pipelines properly set as well as use the information for further hunting for new variants."

As this campaign continues to unfold, the cybersecurity community remains vigilant, emphasizing the need for organizations to stay updated on the latest threats and implement robust security measures. The use of unconventional methods like Google Sheets for C2 operations highlights the evolving tactics employed by threat actors, underscoring the importance of proactive defense strategies.