The PolySwarm Blog

Voldemort

Sep 9, 2024 12:52:20 PM / by The Hivemind

Verticals Targeted: Insurance, Aerospace, Transportation, Education, Finance, Technology, Healthcare, Automotive, Hospitality, Energy, Government, Media, Manufacturing, Telecommunications

Executive Summary

An espionage campaign delivering the Voldemort backdoor was recently observed targeting over 70 organizations. The campaign uses a novel attack chain to deliver the malware, leveraging Google Sheets for command and control (C2).

Key Takeaways

  • An espionage campaign delivering the Voldemort backdoor was recently observed targeting over 70 organizations. 
  • The campaign uses a novel attack chain to deliver the malware, leveraging Google Sheets for command and control (C2).
  • Voldemort is a custom backdoor written in C.

What is Voldemort?

An espionage campaign delivering the Voldemort backdoor was recently observed targeting over 70 organizations. The campaign uses a novel attack chain to deliver the malware, leveraging Google Sheets for command and control (C2). Proofpoint discovered the campaign last month and recently reported on this activity.

Voldemort is a custom backdoor written in C. It is capable of collecting system information, uploading files, and executing commands received from the C2. Voldemort’s attack chain leverages Google Sheets for C2, a method not commonly used. 

A Voldemort infection begins with phishing emails using a tax-themed lure. The emails contain malicious links that send the victim to an actor-controlled landing page or directly to a malicious file. When the victim chooses “View Document,” a check is performed on the browser’s User Agent to determine if it is a Windows system. If a Windows system is detected, the victim is redirected to a URI that prompts Windows Explorer to display either an LNK file or ZIP file masquerading as a PDF. Executing the LNK file triggers the rest of the attack chain, resulting in deployment of Voldemort on the victim’s machine. 

The Voldemort campaign has spread worldwide, with over 20,000 phishing emails sent. At the campaign’s peak, 6000 emails were sent in one day. Targeted entities include those in the insurance, aerospace, transportation, education, finance, technology, healthcare, automotive, hospitality, energy, government, media, manufacturing, and telecommunications verticals. Most of the targets were located in the US, Europe, and Asia. At this time, the threat actor behind the campaign remains a mystery. 

IOCs

PolySwarm has multiple samples associated with this activity.

0b3235db7e8154dd1b23c3bed96b6126d73d24769af634825d400d3d4fe8ddb9

fa383eac2bf9ad3ef889e6118a28aa57a8a8e6b5224ecdf78dcffc5225ee4e1f

You can use the following CLI command to search for all Voldemort samples in our portal:

$ polyswarm link list -f Voldemort
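Two things in this bulletin translate directly into a local check: the shortcut-disguised-as-PDF lure described in the attack chain above, and the two SHA-256 IOCs just listed. The Python script below is an added example, not PolySwarm's or Proofpoint's code. It walks a directory, flags any file whose leading bytes carry the Windows shortcut (MS-SHLLINK) header while its name suggests a PDF, flags ZIP archives that wrap a shortcut, and compares every file's SHA-256 against the hashes above. The sample directory it builds is constructed test data, not Voldemort artefacts; the scan root, the finding labels and the helper names are assumptions of this example.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# SHA-256 IOCs exactly as listed in the bulletin above.
VOLDEMORT_SHA256 = {
    "0b3235db7e8154dd1b23c3bed96b6126d73d24769af634825d400d3d4fe8ddb9",
    "fa383eac2bf9ad3ef889e6118a28aa57a8a8e6b5224ecdf78dcffc5225ee4e1f",
}

# Every Windows shortcut (MS-SHLLINK) begins with HeaderSize 0x4C followed by
# the ShellLink CLSID {00021401-0000-0000-C000-000000000046}, serialised as a
# little-endian GUID. Matching bytes rather than the extension catches renamed files.
LNK_MAGIC = bytes.fromhex("4c000000" + "01140200" + "00000000" + "c000000000000046")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_lnk(path: Path) -> bool:
    with path.open("rb") as f:
        return f.read(len(LNK_MAGIC)) == LNK_MAGIC


def name_suggests_pdf(name: str) -> bool:
    # ".pdf" anywhere in the name covers "report.pdf.lnk" as well as a bare
    # "report.pdf" that actually holds shortcut bytes.
    return ".pdf" in name.lower()


def inspect_file(path: Path) -> dict:
    """Return the findings for one file; an empty 'findings' list means clean."""
    findings = []
    digest = sha256_of(path)
    if digest in VOLDEMORT_SHA256:
        findings.append("ioc_hash_match")
    if is_lnk(path):
        findings.append("lnk_file")
        if name_suggests_pdf(path.name):
            findings.append("lnk_masquerading_as_pdf")
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            lnk_members = [m for m in zf.namelist() if m.lower().endswith(".lnk")]
        if lnk_members:
            findings.append("zip_contains_lnk")
            if name_suggests_pdf(path.name):
                findings.append("zip_masquerading_as_pdf")
    return {"path": str(path), "sha256": digest, "findings": findings}


def scan_directory(root: Path) -> list:
    """Walk `root` and return only the files that produced at least one finding."""
    results = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            r = inspect_file(p)
            if r["findings"]:
                results.append(r)
    return results


def build_sample_dir() -> Path:
    """Constructed test data (hypothetical names, not real Voldemort files): a
    shortcut with a PDF-looking name, a ZIP wrapping a shortcut, and a text file."""
    root = Path(tempfile.mkdtemp(prefix="voldemort-demo-"))
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # pad to the 76-byte ShellLink header
    (root / "Tax_Notice.pdf.lnk").write_bytes(fake_lnk)
    with zipfile.ZipFile(root / "Tax_Return.pdf.zip", "w") as zf:
        zf.writestr("Tax_Return.pdf.lnk", fake_lnk)
    (root / "readme.txt").write_text("nothing to see here\n")
    return root


if __name__ == "__main__":
    for hit in scan_directory(build_sample_dir()):
        print(hit["path"], hit["sha256"][:16], hit["findings"])
```

Point `scan_directory()` at a downloads or mail-attachment folder to use it for real. The byte-level check matters because Explorer never shows the .lnk extension, so a file named Tax_Notice.pdf.lnk is displayed as Tax_Notice.pdf; the hash comparison is exact-match only, so it confirms the listed samples but says nothing about variants.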


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

Topics: Threat Bulletin, Espionage, Backdoor, Voldemort
