Likely Espionage Campaign Utilizes Google Sheets for Malware Control by Cyberattackers

Cybersecurity researchers have discovered an innovative malware campaign that uses Google Sheets as a command-and-control (C2) mechanism.

The malicious activity was detected by Proofpoint starting from August 5, 2024, and involves impersonating tax authorities from various governments to target over 70 organizations globally with a tool named Voldemort, designed for information gathering and payload delivery.

The targeted sectors include insurance, aerospace, transportation, academia, finance, and more. The campaign, suspected to be cyber espionage, has sent around 20,000 malicious email messages.

The emails claim to be from tax authorities in several countries, directing recipients to Google AMP Cache URLs that lead to a fake landing page. The page then uses tactics to trick Windows users into opening a malicious file, ultimately executing PowerShell scripts to run malware.

The malware gathers system information, sends it to an attacker-controlled domain, and downloads additional files for malicious activities. It includes a custom backdoor named Voldemort, capable of executing commands through Google Sheets.
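For defenders, C2 over Google Sheets means the traffic goes to a legitimate Google host, so the useful signal is which process makes the request. The following is an added example, not from Proofpoint or the original article: it scans process-network telemetry for programs outside an allowlist that contact the Sheets API. The log format, the `sheets.googleapis.com` hostname filter, the allowlist and all sample events are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Assumption: Google Sheets API traffic is logged under this hostname.
SHEETS_HOSTS = {"sheets.googleapis.com"}
# Hypothetical allowlist: full paths of programs expected to reach Sheets.
EXPECTED_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}

# Constructed sample telemetry (one JSON event per line); not campaign data.
SAMPLE_EVENTS = r"""
{"ts":"2024-08-06T09:00:01Z","host":"WS-014","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest":"sheets.googleapis.com"}
{"ts":"2024-08-06T09:02:10Z","host":"WS-022","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\example_app.exe","dest":"sheets.googleapis.com"}
{"ts":"2024-08-06T09:07:11Z","host":"WS-022","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\example_app.exe","dest":"Sheets.GoogleAPIs.com."}
{"ts":"2024-08-06T09:08:00Z","host":"WS-022","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\example_app.exe","dest":"www.example.org"}
{"ts":"2024-08-06T09:09:30Z","host":"WS-031","image":"C:\\Users\\asmith\\Downloads\\chrome.exe","dest":"sheets.googleapis.com"}
not-json garbage line
"""


def suspect_sheets_clients(log_text):
    """Return {(host, image): [timestamps]} for unexpected Sheets API clients."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(ev, dict):
            continue
        # Normalise case and a trailing dot so FQDN variants still match.
        dest = str(ev.get("dest", "")).lower().rstrip(".")
        # Compare the full path, so a renamed binary outside the
        # install directory (e.g. Downloads\chrome.exe) is not trusted.
        image = str(ev.get("image", "")).lower()
        if dest in SHEETS_HOSTS and image not in EXPECTED_IMAGES:
            hits[(ev.get("host"), image)].append(ev.get("ts"))
    return dict(hits)


if __name__ == "__main__":
    for (host, image), seen in suspect_sheets_clients(SAMPLE_EVENTS).items():
        print(f"{host}: {image} contacted Google Sheets {len(seen)}x, first {seen[0]}")
```

Results from a check like this are leads to triage, since legitimate automation and office add-ins also call the Sheets API and would need to be added to the allowlist.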

Proofpoint notes that while this campaign showcases advanced capabilities, it also uses techniques common in cybercrime activities, such as abusing file sharing resources to stage malware.

The researchers speculate that the threat actors targeted a broad range of organizations before focusing on specific victims and suggest that this espionage activity aims to support unknown objectives.

As the campaign unfolds, security experts have identified new features in the evolving Latrodectus malware, highlighting the importance of understanding these updates for defense and detection purposes.

The cybersecurity landscape continues to evolve with threats like Latrodectus adapting quickly to enhance their capabilities, underscoring the need for vigilant monitoring and defense measures.
