More than 70 organizations across the globe, operating in a variety of industries, have already been hit by a brand new piece of malware dubbed ‘Voldemort’, according to cybersecurity researchers Proofpoint, who observed the new campaign and wrote an in-depth analysis here.
The researchers are not sure who is behind this campaign, as its operation is a “Frankensteinian fusion of smart and advanced capabilities,” while also being “very basic” in terms of technology and functionality.
Whoever it is, it is certainly using techniques that are becoming increasingly popular in the world of cybercrime.
Simple back door
Speaking of techniques, they start with the usual – phishing. Last month, over 20,000 emails were sent, targeting insurance companies, airlines, transportation organizations, and universities. The emails concern (un)paid taxes and carry attachments. A victim has to go through a few steps after downloading these files, but eventually the crooks drop CiscoSparkLauncher.dll, a DLL that is loaded through DLL sideloading and used to drop Voldemort.
The backdoor can do two simple things: steal sensitive data and deploy additional payloads. What makes it different is that it doesn't rely on a dedicated command-and-control (C2) server; instead it uses a Google Sheets file to receive orders and exfiltrate information.
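The two behaviours described above (a DLL dropped and sideloaded from a user-writable directory, and a non-browser process talking to the Google Sheets API) are both things a defender can look for in endpoint telemetry. The script below is an added example, not Proofpoint's code or tooling from the campaign: it runs two simple rules over a handful of constructed EDR-style events and then correlates hits by process, since a single process tripping both rules is a far stronger signal than either on its own. The event schema, the host executable name `host_app.exe`, the user names and the paths are all assumptions made for the example; `sheets.googleapis.com` is the real Google Sheets API host.

```python
"""Illustrative detection logic for DLL sideloading from a user-writable
directory and for Google Sheets API traffic from a non-browser process.
All events below are constructed sample telemetry (hypothetical schema)."""
import ntpath
from collections import defaultdict

# Constructed sample events; the field names are a hypothetical EDR schema.
SAMPLE_EVENTS = [
    {"type": "image_load", "pid": 4120,
     "process": "C:\\Users\\alice\\Downloads\\host_app.exe",        # hypothetical host binary
     "module": "C:\\Users\\alice\\Downloads\\CiscoSparkLauncher.dll",
     "signed": False},
    {"type": "image_load", "pid": 4120,
     "process": "C:\\Users\\alice\\Downloads\\host_app.exe",
     "module": "C:\\Windows\\System32\\kernel32.dll", "signed": True},
    {"type": "network", "pid": 4120,
     "process": "C:\\Users\\alice\\Downloads\\host_app.exe",
     "dest_host": "sheets.googleapis.com", "dest_port": 443},
    {"type": "network", "pid": 900,
     "process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_host": "sheets.googleapis.com", "dest_port": 443},
    {"type": "image_load", "pid": 2200,
     "process": "C:\\Program Files\\Vendor\\app.exe",
     "module": "C:\\Program Files\\Vendor\\plugin.dll", "signed": False},
]

# Directories an ordinary user can write to; an unsigned DLL loaded from
# here next to its host executable is the classic sideloading layout.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Processes for which Google API traffic is expected and not interesting.
BROWSER_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
GOOGLE_API_HOSTS = {"sheets.googleapis.com"}


def _basename(path):
    return ntpath.basename(path).lower()


def _dirname(path):
    return ntpath.dirname(path).lower()


def is_user_writable(path):
    p = path.lower()
    return any(p.startswith(prefix) for prefix in USER_WRITABLE_PREFIXES)


def check_sideload(ev):
    """Rule 1: unsigned DLL loaded from the same user-writable directory as its host."""
    if ev["type"] != "image_load" or ev.get("signed"):
        return None
    if not _basename(ev["module"]).endswith(".dll"):
        return None
    if _dirname(ev["module"]) == _dirname(ev["process"]) and is_user_writable(ev["module"]):
        return {"rule": "dll_sideload_user_dir", "pid": ev["pid"],
                "process": ev["process"], "detail": ev["module"]}
    return None


def check_sheets_c2(ev):
    """Rule 2: Google Sheets API contacted by something that is not a browser."""
    if ev["type"] != "network":
        return None
    if ev["dest_host"].lower() not in GOOGLE_API_HOSTS:
        return None
    if _basename(ev["process"]) in BROWSER_ALLOWLIST:
        return None
    return {"rule": "google_api_from_non_browser", "pid": ev["pid"],
            "process": ev["process"], "detail": ev["dest_host"]}


def detect(events):
    """Run every rule over every event and collect the alerts."""
    alerts = []
    for ev in events:
        for check in (check_sideload, check_sheets_c2):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


def correlate(alerts):
    """Return the PIDs (sorted) that tripped both rules: sideload plus Sheets traffic."""
    rules_by_pid = defaultdict(set)
    for a in alerts:
        rules_by_pid[a["pid"]].add(a["rule"])
    return sorted(pid for pid, rules in rules_by_pid.items() if len(rules) == 2)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['rule']}] pid={a['pid']} {a['process']} -> {a['detail']}")
    print("high-confidence pids:", correlate(found))
```

Chrome contacting the Sheets API and an unsigned plugin under Program Files are deliberately included as the benign cases the rules must ignore; in a real deployment the allowlist would also need to cover Google Drive sync clients and any line-of-business software that legitimately uses the Sheets API, which is why the per-process correlation, rather than either rule alone, is the part worth paging someone for.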
“Interestingly, the actor used multiple techniques that are becoming increasingly popular in the cybercrime landscape, which is unusual, in addition to the volume and targeting that are also more in line with ecrime campaigns,” the researchers said. “While the lures used in the campaign are more typical of a criminal threat actor, the functionality within the backdoor appears to be more similar to that typically found in tools used for espionage.”
Because the researchers could not attribute the campaign to a specific actor, they could not determine what its end goal was.