More than 70 organizations around the world, across a range of sectors, have already been targeted by a new backdoor called "Voldemort," according to cybersecurity researchers at Proofpoint, who observed the campaign and published a detailed analysis of it.
Investigators do not know exactly who is behind the campaign. They describe it as a "Frankensteinian amalgam of intelligent and sophisticated capabilities" combined with techniques and functionality that are "very basic."
Whoever it is, they are using techniques that are increasingly popular in the cybercriminal world.
A simple backdoor
The techniques start with the usual: phishing. Last month, more than 20,000 emails were sent to insurance companies, aerospace companies, transport-sector organizations and universities. The emails claim to concern (un)paid taxes and carry an attachment. Opening the attachment triggers a multi-step chain, at the end of which the attackers deliver CiscoSparkLauncher.dll, a malicious DLL that a legitimate executable is tricked into side-loading; that side-loaded DLL is what brings Voldemort onto the machine.
The backdoor does two simple things: steal sensitive data and deploy additional payloads. What makes it stand out is that it has no dedicated command-and-control (C2) server. Instead it uses a Google Sheets spreadsheet as its C2 channel, polling the sheet for commands and writing exfiltrated information back into it, so its traffic goes to a legitimate Google domain rather than to attacker infrastructure.
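The two tradecraft points above, DLL side-loading and C2 over Google Sheets, both leave telemetry that a defender can hunt on. The following is an added example, not Proofpoint's code or anything from the campaign itself: two simple hunting rules run over constructed, Sysmon-style image-load and network-connection records (the host executable name `signedhost.exe`, the user paths and the browser allow-list are all assumptions). Rule 1 flags an unsigned DLL loaded from the same user-writable directory as the process that loaded it; rule 2 flags any non-browser process talking to `sheets.googleapis.com`.

```python
import ntpath

# Install locations where an unsigned DLL next to its host executable is
# ordinary enough that rule 1 should stay quiet (assumption for this example).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Processes expected to talk to the Google Sheets API (assumption; extend per
# environment, e.g. with sync clients or add-ins that legitimately use it).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHEETS_HOST = "sheets.googleapis.com"

# Constructed sample telemetry in a Sysmon-like shape. Not from the report.
# Image-load records: (process image, loaded image, loaded image is signed)
IMAGE_LOADS = [
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\kernel32.dll", True),
    # the side-loading pattern: legitimate host exe + unsigned DLL beside it in Temp
    (r"C:\Users\alice\AppData\Local\Temp\signedhost.exe",
     r"C:\Users\alice\AppData\Local\Temp\CiscoSparkLauncher.dll", False),
    # unsigned DLL beside its host, but under Program Files: not flagged by rule 1
    (r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll", False),
    # unsigned DLL from a different directory than the host: not a side-load
    (r"C:\Users\alice\AppData\Local\Temp\signedhost.exe",
     r"C:\Users\alice\Downloads\other.dll", False),
]

# Network-connection records: (process image, destination host)
NET_CONNS = [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", "sheets.googleapis.com"),
    (r"C:\Users\alice\AppData\Local\Temp\signedhost.exe", "sheets.googleapis.com"),
    (r"C:\Windows\System32\svchost.exe", "update.microsoft.com"),
]


def suspicious_sideloads(events):
    """Rule 1: unsigned DLL loaded from the loading process's own directory,
    outside TRUSTED_DIRS. Returns (host exe name, dll name) pairs."""
    hits = []
    for proc, image, signed in events:
        proc_l, image_l = proc.lower(), image.lower()
        if signed or not image_l.endswith(".dll"):
            continue
        image_dir = ntpath.dirname(image_l)
        same_dir = image_dir == ntpath.dirname(proc_l)
        if same_dir and not image_dir.startswith(TRUSTED_DIRS):
            hits.append((ntpath.basename(proc), ntpath.basename(image)))
    return hits


def suspicious_sheets_c2(conns):
    """Rule 2: Google Sheets API traffic from a process that is not a browser.
    Returns the offending process names."""
    hits = []
    for proc, host in conns:
        name = ntpath.basename(proc).lower()
        if host.lower() == SHEETS_HOST and name not in BROWSERS:
            hits.append(ntpath.basename(proc))
    return hits


if __name__ == "__main__":
    for host_exe, dll in suspicious_sideloads(IMAGE_LOADS):
        print(f"possible side-load: {host_exe} loaded unsigned {dll} from its own directory")
    for name in suspicious_sheets_c2(NET_CONNS):
        print(f"possible Sheets C2: {name} contacted {SHEETS_HOST}")
```

Both rules are deliberately broad hunting queries rather than alerts: rule 2 in particular will fire on any legitimate non-browser integration with the Sheets API, so the value is in reviewing which processes on the estate reach that host at all, not in the match by itself. Rule 1 needs signature data for the loaded image, which is why the sample records carry a `signed` flag.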
“Interestingly, the actor used multiple techniques that are becoming more popular in the cybercrime landscape, which, in addition to the volume and targeting that are also more aligned with ecrime campaigns, is unusual,” researchers said. “While the lures in the campaign are more typical of a criminal threat actor, the features included in the backdoor are more similar to features typically found in tools used for espionage.”
Because investigators were unable to attribute the campaign to any specific actor, they were also unable to determine the ultimate goal.
Via Computer Security Magazine