Voldemort: new wave of Google Sheets exploits

Read Time:2 Minute, 45 Second

In a concerning development within the cybersecurity landscape, researchers from Proofpoint have identified a sophisticated campaign leveraging Google Sheets as a covert platform for data exfiltration and malware deployment. This unusual tactic, discovered in August 2024, takes advantage of Google Sheets’ trusted status and collaborative features, making it an attractive target for malicious actors.

The campaign centers around a new custom malware strain dubbed “Voldemort,” which functions as a backdoor to gather intelligence and deploy additional harmful payloads. What sets this attack apart is its intricate attack chain, which combines several commonly used techniques in a manner rarely seen with command and control (C2) activities involving platforms like Google Sheets.

The Attack Sequence

Beginning on August 5, 2024, cyber attacks escalated rapidly, with over 20,000 messages exchanged across more than 70 organizations. The attackers adeptly redirected users through a series of seemingly benign URLs, utilizing the Google AMP Cache to mask their malicious intent. Victims were led to landing pages hosted on InfinityFree and Cloudflare tunnels, ultimately invoking a Windows Search that opened either a Windows DEX file (LNK) or a ZIP file containing an LNK file.

This LNK file employed PowerShell to access a Python script uploaded on a WebDAV share. The script meticulously gathered information about the system and downloaded what appeared to be a fake PDF alongside a password-protected ZIP file. This ZIP file contained several executable files, including ciscocollabhost.exe, cimcagent.exe, and ciscosparklauncher.dll, with the latter initiating the notorious Voldemort malware.

The Role of Google Sheets

The threat actor’s exploitation of Google Sheets serves multiple purposes: command and control, data exfiltration, and executing commands remotely. A significant discovery during the investigation was the use of a standard Google API, which inadvertently exposed a client ID and client secret. This oversight granted the malicious actor access to read data from Google Sheets, allowing them to implement their nefarious strategies effectively.

As researchers dug deeper into the activities within Google Sheets, they noted that the attacker created new pages named after the victim’s hostname and username for each compromised machine. This simplistic yet effective approach helped establish communication with various registered bots while minimizing the actor’s direct involvement in the system.

Additional Findings

Further investigation into Google Drive using the same client secrets revealed additional artifacts. Among these was a password-protected 7zip archive containing a DLL and an executable. Notably, one of the files named “Shuaruta.exe” was susceptible to DLL sideloading attacks. This vulnerability could enable the introduction of a cobalt strike beacon into affected systems, escalating the threat level significantly.

The findings highlight a shift in tactics among threat actors, showcasing their ability to adapt and utilize trusted platforms for malicious purposes. Although researchers initially speculated that these activities might originate from a red team conducting controlled exercises, they ultimately attributed it to an advanced persistent threat (APT) group focused on intelligence gathering.

Conclusion

The use of Google Sheets as a conduit for malware and data theft underscores the increasingly creative methods employed by cybercriminals. As organizations continue to rely on collaborative tools for day-to-day operations, it is essential to remain vigilant against such emerging threats. Continuous monitoring and robust security practices must be prioritized to safeguard sensitive information from exploitation in this evolving landscape of cyber threats.

Leave a Reply

Your email address will not be published. Required fields are marked *