Security researchers have discovered a major international cyber-espionage campaign that has already impacted over 70 organizations in 18 verticals.
Proofpoint said that a quarter of victims are insurance companies, with aerospace, transportation and universities comprising around the same share again.
Beginning on August 5 2024, the campaign has seen at least 20,000 phishing emails spammed out to victims, purporting to come from local tax authorities. Customized local language lures were apparently written in English (US/UK), French, German, Italian, Indian and Japanese.
Victims are encouraged to click on malicious links in the email and then to open a search-ms file. If they do so, and after several more steps in the attack chain, a script will load a legitimate Cisco WebEx executable and a malicious DLL (CiscoSparkLauncher.dll) that uses DLL side-loading to install the “Voldemort” backdoor .
“Voldemort is a custom backdoor written in C,” wrote Proofpoint.
“It has capabilities for information gathering and to drop additional payloads. Proofpoint observed Cobalt Strike hosted on the actor’s infrastructure, and it is likely that is one of the payloads that would be delivered.”
Read more on novel malware: New JSOutProx Malware Targets Financial Firms in APAC, MENA
The malware unusually has no dedicated command-and-control (C2) server associated with it, but instead utilizes Google Sheets infrastructure for C2, data exfiltration and executing commands from the operators.
Proofpoint claimed it has not been able to attribute the campaign to any specific group, noting that its “Frankensteinian amalgamation of clever and sophisticated capabilities, paired with very basic techniques and functionality” makes it hard to assess the capabilities of the actor and ultimate goals of its campaign.
“Interestingly, the actor used multiple techniques that are becoming more popular in the cybercrime landscape, which – in addition to the volume and targeting that is also more aligned with ecrime campaigns – is unusual,” it added.
“While the lures in the campaign are more typical of a criminal threat actor, the features included in the backdoor are more similar to the features typically found in the tools used for espionage.”