Possible cyber espionage campaign called “Voldemort” introduces new malware

According to research from Proofpoint, a new malware campaign called “Voldemort” has been growing. The campaign reportedly started on August 5, 2024, and has affected over 70 organizations globally with more than 20,000 emails sent.

The majority of the targets are from the insurance, transportation, aerospace, and education sectors. While the identity of the threat actor behind Voldemort remains unknown, the research suggests that cyber espionage is the main objective of this campaign.

Security leaders provide insights

Jason Soroko, Senior Fellow at Sectigo:

“The unique threat posed by Voldemort includes its use of uncommon command and control (C2) methods like Google Sheets and a combination of various tactics, techniques, and procedures (TTPs). The use of Google Sheets for C2 presents challenges in detection due to blending malicious activities with legitimate services. To protect against this, organizations should monitor outbound traffic for unusual patterns, enforce strict application access controls, and utilize threat intelligence to identify abnormal use of legitimate platforms for C2 objectives.

“To prevent personalized phishing attacks, companies can enhance email filtering systems, train employees to identify and report suspicious emails, implement strong multi-factor authentication (MFA), and regularly update and audit publicly available information visibility to minimize exposure.

“Organizations can validate the authenticity of communications from government agencies by using official government websites or contacts for verification. Email authentication protocols like DMARC, SPF, and DKIM can also help prevent impersonation-based attacks, along with S/MIME certificates to verify email sender identities within an organization.”

Mayuresh Dani, Manager of Security Research at the Qualys Threat Research Unit:

“The attack utilizes Google Sheets for command and control (C2) communications, along with files containing malicious Windows search protocol to entice victims to download malware. The malware then leverages a legitimate version of WebEx software to load a DLL that communicates with the C2 server.

“Organizations should proactively and reactively protect employee data by using spam filters with strict settings, employing AI- and LLM-based spam and language filters for first-time email senders from unknown/untrusted domains, and educating users to identify and report suspicious emails. Monitoring leak sources for key resources and promptly addressing them is also crucial as a reactive measure.”
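Dani's description of the Windows Search protocol lure suggests one defensive check that mail filters or triage scripts can run: flag `search-ms:` links whose location crumb resolves to a remote share or WebDAV host rather than a local folder. This is an added example, not code from the article, Proofpoint or either vendor; the sample email body and the host `files.example.invalid` are constructed, and treating only UNC/WebDAV crumbs as suspicious is an assumption of the example.

```python
# Added example: flag search-ms: (Windows Search protocol) links whose
# 'crumb=location:' resolves off-host (UNC share or WebDAV URL).
import re
from urllib.parse import unquote

# A search-ms: URI runs until whitespace or a quote/angle bracket.
SEARCH_MS_RE = re.compile(r"search-ms:[^\s\"'<>]+", re.IGNORECASE)
# Locations that resolve off-host: UNC paths (\\host\share) or WebDAV URLs.
REMOTE_LOCATION_RE = re.compile(r"^(\\\\|//|https?://)", re.IGNORECASE)


def parse_search_ms(uri: str) -> dict:
    """Split the '&'-separated key=value parameters after 'search-ms:'."""
    params = {}
    for part in uri[len("search-ms:"):].split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip().lower()] = unquote(value)
    return params


def remote_location(params: dict):
    """Return the crumb location if it points off-host, else None."""
    crumb = params.get("crumb", "")
    if crumb.lower().startswith("location:"):
        loc = crumb[len("location:"):]
        if REMOTE_LOCATION_RE.match(loc):
            return loc
    return None


def find_remote_search_uris(text: str) -> list:
    """Scan an email body (or any text) and return the off-host search links."""
    hits = []
    for match in SEARCH_MS_RE.finditer(text):
        params = parse_search_ms(match.group(0))
        loc = remote_location(params)
        if loc:
            hits.append({"uri": match.group(0), "location": loc,
                         "displayname": params.get("displayname", "")})
    return hits


# Constructed sample body: a benign local search link and a suspicious one
# pointing at a placeholder remote host (files.example.invalid).
SAMPLE_BODY = r"""
Your documents: search-ms:query=report&crumb=location:C:\Users\Public\Documents&displayname=Documents
Download here: search-ms:query=invoice&crumb=location:\\files.example.invalid\share&displayname=Downloads
"""

if __name__ == "__main__":
    for hit in find_remote_search_uris(SAMPLE_BODY):
        print(f"remote search-ms link -> {hit['location']} (shown as {hit['displayname']!r})")
```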

Omri Weinberg, Co-founder and CRO at DoControl:

“The uniqueness of the Voldemort campaign lies in its sophisticated and unconventional techniques. Utilizing Google Sheets for command and control is innovative, while abusing the Windows saved search file format in a new way is a novel approach. The high message volume and tax authority lures are more typical of cybercrime campaigns, creating a blend of APT and cybercrime characteristics that make it a complex threat.

“Using Google Sheets for C2 presents detection challenges due to its legitimate usage by many organizations, making outright blocking difficult. Robust network monitoring for identifying suspicious access patterns to Google services is essential to detect such threats.

“Defending against APTs like Voldemort requires a multi-layered approach with Exposed Data Intelligence as a foundational element. Comprehensive visibility across the environment, monitoring of SaaS applications, and understanding exposed data are crucial. Endpoint detection and response tools, network segmentation, and data loss prevention solutions, along with regular threat hunting exercises, are key components of a proactive defense strategy.”

Copyright © TSP 2024. All rights reserved. Designed by Enovate LLC