Key Takeaways
What is Voldemort?
Voldemort is a custom backdoor written in C. It is capable of collecting system information, uploading files, and executing commands received from the C2. Voldemort’s attack chain leverages Google Sheets for C2, a method not commonly used.
A Voldemort infection begins with phishing emails using a tax-themed lure. The emails contain malicious links that send the victim to an actor-controlled landing page or directly to a malicious file. When the victim chooses “View Document,” a check is performed on the browser’s User Agent to determine whether it is a Windows system. If a Windows system is detected, the victim is redirected to a URI that prompts Windows Explorer to display either an LNK file or a ZIP file masquerading as a PDF. Executing the LNK file triggers the rest of the attack chain, resulting in deployment of Voldemort on the victim’s machine.
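As an added defender-side example (not PolySwarm’s code and not a campaign artifact), the script below flags the masquerade described above: a file whose name reads as a PDF but whose leading bytes identify it as an LNK shortcut or a ZIP archive. The LNK and ZIP header constants are the documented format magic values; the file names and contents are constructed for the example.

```python
# Hypothetical detector (added example): flag files that present a PDF-looking
# name but carry LNK or ZIP content, the lure format used in the Voldemort chain.

# Shell Link header: HeaderSize 0x4C followed by the fixed LinkCLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a ZIP archive
PDF_MAGIC = b"%PDF"


def sniff_type(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring its name entirely."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def claimed_type(name: str) -> str:
    """What the name suggests to a user. Explorer hides the .lnk extension,
    so 'form.pdf.lnk' is shown as 'form.pdf'; strip it before judging."""
    lower = name.lower()
    if lower.endswith(".lnk"):
        lower = lower[:-4]
    return "pdf" if lower.endswith(".pdf") else "other"


def is_masquerade(name: str, data: bytes) -> bool:
    """True when a PDF-looking name wraps LNK or ZIP content."""
    return claimed_type(name) == "pdf" and sniff_type(data) in ("lnk", "zip")


def scan(files: dict) -> list:
    """Return the names of files whose displayed type does not match their bytes."""
    return sorted(n for n, d in files.items() if is_masquerade(n, d))


# Constructed sample files (not real campaign samples).
SAMPLES = {
    "TaxForm_2024.pdf.lnk": LNK_MAGIC + b"\x00" * 32,   # shortcut shown as a PDF
    "TaxForm_2024.pdf": PDF_MAGIC + b"-1.7\n",           # genuine PDF header
    "Report.pdf": ZIP_MAGIC + b"\x00" * 26,              # archive named as a PDF
    "notes.txt": b"hello",
}

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print(f"ALERT: {name} is a {sniff_type(SAMPLES[name])} with a PDF-looking name")
```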
The Voldemort campaign has spread worldwide, with over 20,000 phishing emails sent. At the campaign’s peak, 6,000 emails were sent in one day. Targeted entities include those in the insurance, aerospace, transportation, education, finance, technology, healthcare, automotive, hospitality, energy, government, media, manufacturing, and telecommunications verticals. Most of the targets were located in the US, Europe, and Asia. At this time, the threat actor behind the campaign remains a mystery.
IOCs
PolySwarm has multiple samples associated with this activity.
0b3235db7e8154dd1b23c3bed96b6126d73d24769af634825d400d3d4fe8ddb9
fa383eac2bf9ad3ef889e6118a28aa57a8a8e6b5224ecdf78dcffc5225ee4e1f
You can use the following CLI command to search for all Voldemort samples in our portal:
$ polyswarm link list -f Voldemort