From Google Sheets to Britney Spears' Instagram: A notable case of cyber espionage known as ‘Voldemort’
Posted on 5 September 2024 | By ArabAd's staff


In August 2024, Proofpoint researchers uncovered an unusual campaign that employed a new attack sequence to deliver bespoke malware. The attackers named the malware “Voldemort” based on internal filenames and strings used within the malicious software.

The actors behind this malware attack are still unknown, but Proofpoint believes that it is a form of cyber espionage.

“While the lures in the campaign are more typical of a criminal threat actor, the features included in the backdoor are more similar to the features typically found in the tools used for espionage,” says Proofpoint.

This sophisticated attack chain targeted over 70 organizations globally, including sectors like insurance, education (universities), and transportation (aerospace) with a focus on intelligence gathering rather than financial gain. 

The malware spreads via phishing emails and routes its command-and-control traffic through Google Sheets, which lets it blend in with legitimate traffic, bypass security systems and gain access to various kinds of data. When a victim clicks on a link in the email, they are redirected to download a file disguised as a PDF, which may not seem suspicious.

The malware campaign started on August 5, 2024, and the attackers have already sent more than 20,000 emails to 70+ target companies. On peak days, the phishing emails reach up to 6,000 potential victims.

These emails claim to be from tax authorities alerting recipients about changes to their tax filings and urging them to click on Google AMP Cache URLs that redirect users to an intermediate landing page. 

The cyberattack kicks off when you receive an email that looks like it’s from a government tax agency. According to Proofpoint, the hackers behind this campaign have been impersonating tax authorities in various countries, including the U.S. (IRS), the U.K. (HM Revenue & Customs), France (Direction Générale des Finances Publiques), Germany (Bundeszentralamt für Steuern), Italy (Agenzia delle Entrate) and, as of Aug. 19, India (Income Tax Department) and Japan (National Tax Agency). Each email lure was customized and written in the language of the tax authority being impersonated.

The use of both advanced and unconventional techniques, such as Google Sheets for command and control, makes this a particularly notable case.
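As an added illustration, not code from the article or from Proofpoint: a small Python check for the two techniques named above, Google AMP Cache links that hide the real landing page behind a Google-owned host, and Google Sheets used as the command-and-control channel, run over constructed proxy log lines. The log format, the allowlist and the lure domain are assumptions.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample proxy log lines ("<timestamp> <user> <url>"); not real campaign data.
SAMPLE_LOG = """\
2024-08-06T09:12:01Z alice https://www.google.com/amp/s/tax-refund-notice.example/claim
2024-08-06T09:12:07Z alice https://tax-refund-notice-example.cdn.ampproject.org/c/s/tax-refund-notice.example/claim
2024-08-06T09:15:22Z bob https://www.google.com/amp/s/www.bbc.co.uk/news/some-story
2024-08-06T09:20:45Z alice https://www.example.org/
2024-08-06T09:21:03Z carol https://sheets.googleapis.com/v4/spreadsheets/SHEET-ID-PLACEHOLDER/values/Sheet1
"""

# Origins the organisation expects to see behind an AMP cache link (assumed allowlist).
ALLOWLIST = {"www.bbc.co.uk"}

# AMP cache paths: /amp/s/<host>/<path> on www.google.com, /c/s/<host>/<path> (or /v/, /i/) on *.cdn.ampproject.org; "s/" marks https.
AMP_GOOGLE = re.compile(r"^/amp/(?:s/)?(?P<rest>.+)$")
AMP_CDN = re.compile(r"^/[civ]/(?:s/)?(?P<rest>.+)$")


def unwrap_amp_cache(url: str):
    """Return the origin host embedded in a Google AMP Cache URL, or None if the URL is
    not an AMP cache link. The cache host is Google's, so only the unwrapped origin matters."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host == "www.google.com":
        m = AMP_GOOGLE.match(p.path)
    elif host.endswith(".cdn.ampproject.org"):
        m = AMP_CDN.match(p.path)
    else:
        return None
    if not m:
        return None
    return unquote(m.group("rest")).split("/", 1)[0].lower()


def scan_proxy_log(log_text: str, allowlist=ALLOWLIST):
    """Return (user, reason, detail) findings: non-allowlisted AMP origins and Sheets API traffic."""
    findings = []
    for line in log_text.splitlines():
        _ts, user, url = line.split(" ", 2)
        origin = unwrap_amp_cache(url)
        if origin is not None:
            if origin not in allowlist:
                findings.append((user, "amp-cache-redirect", origin))
        elif urlparse(url).hostname == "sheets.googleapis.com":
            findings.append((user, "sheets-api-access", url))
    return findings
```

On the sample log this reports the two AMP links wrapping the constructed lure domain and the one Sheets API request, and stays silent on the allowlisted AMP link and the plain site visit.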

In light of this, Kevin Reed, the Chief Information Security Officer (CISO) at Acronis, a global leader in cyber protection, has shared insightful comments on this recent campaign: “The recent Voldemort espionage malware campaign may sound alarming, but it's important to note that the techniques used by the threat actors are not groundbreaking. What we’re seeing here is a combination of well-known tools and methods that have been observed in many previous attacks. This ‘Frankenstein’ approach may seem clever, but in reality, it’s a logical tactic to increase the chances of compromising systems by blending common, established techniques.

For example, the use of malicious PowerShell scripts is something we encounter frequently, and it’s crucial to have robust detection mechanisms in place, such as script emulation technologies like those embedded in Acronis Cyber Protect.

One notable aspect of this campaign is the use of Google Sheets for command and control, which is somewhat unusual. However, this type of tactic isn’t entirely new. In fact, we've seen attackers leverage various online platforms that allow posting user-generated content for command and control purposes — even comments on social media, like those on Britney Spears' Instagram account, have been used in the past.

While these techniques may be resourceful, the key takeaway is the importance of being prepared with advanced cybersecurity tools that can detect and neutralize such threats.”