New Malware Uses Google Sheets to Steal Sensitive Data

A new malware campaign, featuring a previously unknown backdoor named “Voldemort,” is targeting organizations worldwide by posing as tax authorities from various countries and regions, including the U.S., Europe, and Asia.

According to a recent report, this campaign began on August 5, 2024, and has already sent over 20,000 phishing emails to more than 70 different organizations, with a peak of 6,000 emails in a single day.

The majority of these targeted organizations are in the insurance, aerospace, transportation, and education sectors. While the identity of the cybercriminals behind this campaign remains unknown, the most likely goal appears to be cyber espionage.

This attack is similar to earlier phishing campaigns but uses different malware in its final stage. The attackers craft emails that mimic local tax authorities, informing recipients of updated tax information and providing links to access these supposed documents.

Upon clicking the link, the victim is directed to a landing page hosted on InfinityFree, which uses Google AMP Cache URLs to redirect them to a page with a button labeled “Click to view document.” When clicked, the page checks whether the user’s browser is running on Windows. If so, the user is redirected to a search-ms URI (Windows Search Protocol) pointing to a TryCloudflare-tunneled URI. If not, they are sent to a blank Google Drive URL.

If the victim follows the search-ms: link, Windows Explorer displays a LNK or ZIP file masquerading as a PDF. This technique is increasingly common in phishing attacks because the file appears to be stored locally in the victim’s Downloads folder, encouraging them to open it.
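The detection point in the chain above is the search-ms: URI itself: a legitimate one scopes the search to a local folder, while the lure scopes it to a remote UNC/WebDAV path so Explorer lists files from the attacker's server. The following triage script is an added example, not code from the report; it parses the crumb=location: parameter of the documented search-ms: protocol, flags remote scopes, and runs over constructed sample URL-click log lines (the hostnames are placeholders; only the trycloudflare.com suffix comes from the report).

```python
import re
from urllib.parse import unquote

# trycloudflare.com is the tunnel service the report names; extend with local intel.
SUSPECT_HOST_SUFFIXES = ("trycloudflare.com",)
# A UNC location starts with \\host; '@' begins the WebDAV SSL/port marker.
UNC_HOST_RE = re.compile(r"^\\\\([^\\@]+)")

def parse_search_ms(uri: str) -> dict:
    """Split a search-ms: URI into lower-cased keys and URL-decoded values."""
    if not uri.lower().startswith("search-ms:"):
        raise ValueError("not a search-ms URI")
    params = {}
    for part in uri[len("search-ms:"):].split("&"):
        key, _, value = part.partition("=")
        params[key.lower()] = unquote(value)
    return params

def classify_search_ms(uri: str) -> dict:
    """Judge one URI by its crumb=location: scope (local folder = legitimate, UNC = remote listing)."""
    crumb = parse_search_ms(uri).get("crumb", "")
    if not crumb.lower().startswith("location:"):
        return {"verdict": "benign", "reason": "no location crumb", "host": None}
    location = crumb[len("location:"):]
    match = UNC_HOST_RE.match(location)
    if not match:
        return {"verdict": "benign", "reason": "local folder scope", "host": None}
    host = match.group(1).lower()
    if host.endswith(SUSPECT_HOST_SUFFIXES):
        return {"verdict": "malicious", "reason": "scope on known tunnel host", "host": host}
    if "davwwwroot" in location.lower():
        return {"verdict": "suspicious", "reason": "remote WebDAV scope", "host": host}
    return {"verdict": "suspicious", "reason": "remote UNC scope", "host": host}

def scan_click_log(lines) -> list:
    """Return (line_no, verdict, host) for every non-benign search-ms URI found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in re.finditer(r"search-ms:[^\s\"']+", line, re.IGNORECASE):
            result = classify_search_ms(m.group(0))
            if result["verdict"] != "benign":
                hits.append((n, result["verdict"], result["host"]))
    return hits

# Constructed sample URL-click log lines (not from the report); hostnames are placeholders.
SAMPLE_LOG = [
    "2024-08-06T09:12:01Z user=alice url=search-ms:query=tax&crumb=location:C%3A%5CUsers%5Calice%5CDocuments&displayname=Downloads",
    "2024-08-06T09:15:44Z user=bob url=search-ms:query=tax&crumb=location:%5C%5Cexample-tunnel.trycloudflare.com%40SSL%5CDavWWWRoot%5Cdocs&displayname=Downloads",
    "2024-08-06T09:16:02Z user=carol url=search-ms:query=report&crumb=location:%5C%5Cfileserver.internal.example%5Cshare&displayname=Downloads",
]
```

Running `scan_click_log(SAMPLE_LOG)` flags lines 2 and 3; in practice, any remote scope from a mail-delivered link deserves a ticket even when the host is not on a known-bad list.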

Opening the file executes a Python script from an external WebDAV server without downloading it locally. The script gathers system information while displaying a decoy PDF to mask its actions. It also downloads a legitimate Cisco WebEx executable along with a malicious DLL, enabling the Voldemort malware to be loaded through DLL side-loading.

Voldemort is a backdoor malware written in C that supports various commands, such as file management, data exfiltration, and the introduction of additional payloads. Some of the key commands include testing server connectivity, retrieving directory listings, downloading and uploading files, executing commands, copying and moving files, and terminating its operations.

A unique feature of Voldemort is its use of Google Sheets as both a command and control (C2) server and a storage solution for stolen data. The malware uses Google’s API, authenticating with an embedded client ID, client secret, and refresh token, to interact with Google Sheets. These credentials are stored encrypted in the malware’s configuration to keep the channel secure.

Each infected device writes its stolen data to designated cells in the Google Sheet, allowing attackers to manage and isolate compromised systems effectively.

The use of Google Sheets provides a reliable and accessible C2 channel, reducing the chance of being detected by security tools, as blocking Google Sheets could be impractical for many organizations. This technique was previously seen in 2023 when another hacking group utilized Google Sheets for similar purposes.

To protect against such sophisticated phishing attacks, organizations should enforce strict email security policies, such as filtering suspicious emails, using advanced threat detection tools, and educating employees on recognizing phishing tactics. Regular software updates, multi-factor authentication, and endpoint protection can also help reduce the risk of malware infiltration.