Alert issued for ‘Voldemort’ malware as dozens of organizations hit
Proofpoint researchers say the Voldemort malware campaign appears to be aimed at cyber espionage


Security experts have issued an alert over the ‘Voldemort’ malware campaign that’s hit more than 70 organizations globally.
Uncovered by researchers at Proofpoint, the malware has mainly been used to attack insurance companies, which account for a quarter of victims, with other heavily-targeted sectors including aerospace, transport, and universities. In all, 18 different verticals were targeted.
The malicious activity was first spotted at the beginning of August and included more than 20,000 messages impacting over 70 organizations globally. The attackers used a mixture of popular and rarer methods for command and control (C2), such as Google Sheets as the C2 channel and a Windows saved-search file hosted on an external share as part of the infection chain.
The combination of the tactics, techniques, and procedures (TTPs), the way government agencies of various countries are impersonated, and some odd file names and passwords like 'test' are notable, said the team.
The campaign impersonated tax authorities from governments in Europe, Asia, and the US, including the UK's HMRC and the US’ Internal Revenue Service (IRS), with messages purporting to alert the recipients to changes to their tax filings.
Each message was customized and written in the language of the authority being impersonated.
Researchers believe, at least for now, that it is being used for espionage.
"Interestingly, the actor used multiple techniques that are becoming more popular in the cybercrime landscape, which—in addition to the volume and targeting that is also more aligned with eCrime campaigns—is unusual," they said.
"While the lures in the campaign are more typical of a criminal threat actor, the features included in the backdoor are more similar to the features typically found in the tools used for espionage."
“While the activity appears to align with espionage activity, it is possible that future activities associated with this threat cluster may change this assessment,” researchers added.
Under the hood of the Voldemort malware campaign
When victims click the malicious link in the email, it invokes the Windows search-ms protocol handler, which presents them with a file hosted on an attacker-controlled external share. Opening that file eventually leads to a legitimate Cisco WebEx executable being run alongside a malicious dynamic link library (DLL), CiscoSparkLauncher.dll, that the signed executable loads in place of the real library. This DLL side-loading step is what installs the Voldemort backdoor.
The best defense, researchers advised, is to restrict access to external file-sharing services to known, safelisted servers; to block network connections to TryCloudflare if it isn't required for business purposes; and to monitor and alert on the use of search-ms in scripts and on suspicious follow-on activity such as LNK and PowerShell execution.
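The following is an added example, not Proofpoint's code or any tooling from the campaign, showing what the monitoring advice above looks like as detection logic run over Sysmon-style endpoint events. The event layout (event id 1 for process creation, 7 for image load, 22 for DNS query, with a `host` and ISO timestamp on each) and every path, hostname and subdomain in the sample data are constructed for illustration; only the DLL name CiscoSparkLauncher.dll and the trycloudflare.com domain come from the report. The rules cover the four points the researchers raise: a search-ms query aimed at a remote share, a script host spawned by explorer.exe shortly afterwards on the same machine (what launching an LNK from the remote search view looks like), a signed process loading an unsigned DLL from a user-writable directory (the side-loading pattern), and a DNS lookup under trycloudflare.com.

```python
"""Detection rules for the search-ms / LNK / DLL side-loading chain.

Added example; the event shape is assumed (Sysmon-like dicts), and all
sample paths, hosts and the trycloudflare subdomain are constructed.
"""
import re
from datetime import datetime, timedelta

# Process names that typically execute the payload of a malicious LNK.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
# search-ms query whose crumb=location points at a UNC path (raw or percent-encoded).
SEARCH_MS_REMOTE = re.compile(r"search-ms:.*?crumb=location:(\\\\|%5C%5C)", re.I)
# Directories an ordinary user can write to; legitimate vendor DLLs do not live here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)

# Constructed sample telemetry (not real IOCs). WS01 shows the full chain,
# WS02 shows a benign PowerShell launch that must not be flagged.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "ts": "2024-08-05T09:00:01",
     "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'explorer.exe "search-ms:query=tax&crumb=location:\\files.example-invalid\share&displayname=Tax"'},
    {"id": 1, "host": "WS01", "ts": "2024-08-05T09:00:40",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -c iwr ..."},
    # Placeholder executable name: the report only says "a legitimate WebEx executable".
    {"id": 7, "host": "WS01", "ts": "2024-08-05T09:01:05",
     "image": r"C:\Users\alice\AppData\Local\Temp\webex\webex_launcher.exe",
     "process_signed": True,
     "loaded": r"C:\Users\alice\AppData\Local\Temp\webex\CiscoSparkLauncher.dll",
     "loaded_signed": False},
    {"id": 22, "host": "WS01", "ts": "2024-08-05T09:01:10",
     "image": r"C:\Users\alice\AppData\Local\Temp\webex\webex_launcher.exe",
     "query": "constructed-subdomain.trycloudflare.com"},
    {"id": 1, "host": "WS02", "ts": "2024-08-05T09:05:00",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"id": 7, "host": "WS02", "ts": "2024-08-05T09:05:02",
     "image": r"C:\Program Files\Vendor\app.exe", "process_signed": True,
     "loaded": r"C:\Program Files\Vendor\helper.dll", "loaded_signed": True},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def finding(rule, event, detail):
    return {"rule": rule, "host": event["host"], "ts": event["ts"], "detail": detail}


def detect_search_ms(events):
    """Rule 1: search-ms protocol handler pointed at a remote share."""
    return [finding("search_ms_remote", e, e["cmdline"]) for e in events
            if e["id"] == 1 and SEARCH_MS_REMOTE.search(e.get("cmdline", ""))]


def detect_followon(events, window=timedelta(minutes=10)):
    """Rule 2: script host spawned by explorer.exe within `window` after a
    search-ms event on the same host (LNK launched from the remote view)."""
    starts = [(e["host"], datetime.fromisoformat(e["ts"])) for e in events
              if e["id"] == 1 and SEARCH_MS_REMOTE.search(e.get("cmdline", ""))]
    hits = []
    for e in events:
        if e["id"] != 1 or basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        if basename(e.get("parent", "")) != "explorer.exe":
            continue
        t = datetime.fromisoformat(e["ts"])
        if any(h == e["host"] and timedelta(0) <= t - s <= window for h, s in starts):
            hits.append(finding("lnk_followon", e, e["cmdline"]))
    return hits


def detect_sideload(events):
    """Rule 3: a signed process loads an unsigned DLL from a user-writable path."""
    return [finding("dll_sideload", e, f"{basename(e['image'])} loaded {e['loaded']}")
            for e in events if e["id"] == 7 and e.get("process_signed")
            and not e.get("loaded_signed") and USER_WRITABLE.search(e["loaded"])]


def detect_trycloudflare(events):
    """Rule 4: DNS resolution of a TryCloudflare tunnel hostname."""
    return [finding("trycloudflare_dns", e, e["query"]) for e in events
            if e["id"] == 22 and e["query"].lower().endswith(".trycloudflare.com")]


def run_rules(events):
    return (detect_search_ms(events) + detect_followon(events)
            + detect_sideload(events) + detect_trycloudflare(events))


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['rule']}: {f['detail']}")
```

The side-loading rule is deliberately generic: it keys on the signed-process/unsigned-DLL/user-writable-path combination rather than on the one DLL name from this campaign, so it also catches the next lookalike library dropped next to a different trusted binary. The follow-on rule correlates on host and time so that routine PowerShell launches from Explorer, such as the WS02 event in the sample, stay quiet.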
Proofpoint said it hasn't been able to identify the group behind the campaign.
"The Frankensteinian amalgamation of clever and sophisticated capabilities, paired with very basic techniques and functionality, makes it difficult to assess the level of the threat actor’s capability and determine with high confidence the ultimate goals of the campaign," the team said.
"It is possible that large numbers of emails could be used to obscure a smaller set of actual targets, but it’s equally possible the actors wanted to genuinely infect dozens of organizations. It is also possible that multiple threat actors with varying levels of experience in developing tooling and initial access worked on this activity. Overall, it stands out as an unusual campaign."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.