Voldemort Malware Uses Google Sheets to Store Stolen Data
According to Proofpoint, a new malicious campaign abuses Google Sheets as the command-and-control channel for the Voldemort backdoor, which collects information from infected systems and delivers additional payloads. The attackers impersonate tax authorities in Europe, Asia, and the United States, and have already targeted more than 70 organizations worldwide. Each phishing email is tailored to the location of the targeted organization, based on information from open sources, and claims to contain updated tax information with links to the relevant documents.
Details of the Campaign
Researchers report that the campaign began on August 5, 2024, and hackers have already sent over 20,000 emails (up to 6,000 per day). The attackers are targeting sectors such as insurance, aerospace, transportation, academia, finance, technology, industry, healthcare, automotive, hospitality, energy, government, media, telecommunications, and more.
The identity of the group behind this campaign remains unknown, but Proofpoint experts believe the most likely goal is cyber espionage.
Attack Methodology
When recipients click the link in the phishing email, they are taken to a landing page hosted on InfinityFree, which uses Google AMP Cache URLs to redirect victims to a page with a “Click to view document” button.
When the button is clicked, the page checks the browser’s User Agent. If it detects Windows, it redirects the victim to a search-ms URI (Windows Search Protocol) that points to a tunneled TryCloudflare URI. Non-Windows users are redirected to an empty Google Drive URL with no malicious content.
If the victim allows the search-ms URI to open, Windows Explorer shows a search results window containing an LNK or ZIP file disguised as a PDF. The use of search-ms URIs has recently become popular in phishing because the query can be scoped to an attacker-controlled WebDAV or SMB share while the results window carries an arbitrary display name, so files actually hosted on the remote share appear to sit in a local folder such as Downloads, encouraging victims to open them.
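The redirect chain above ends in a search-ms URI whose crumb parameter points at a remote share while its display name mimics a local folder. The following parser, added here as an illustration and not taken from the campaign or from Proofpoint's report, pulls those parameters apart and flags the two tells described in the text. The sample URI, including the tunnel.example.net host, is constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample (not a real URI from the campaign): a WebDAV share reached
# over HTTPS (the "@SSL" UNC form) whose results window is titled "Downloads".
SAMPLE_URI = (
    r"search-ms:query=*.pdf"
    r"&crumb=location:\\tunnel.example.net@SSL\DavWWWRoot\docs"
    r"&displayname=Downloads"
)

# A location is remote if it is a UNC path (\\host\share or //host/share) or an HTTP(S) URL.
REMOTE_PREFIX = re.compile(r"^(\\\\|//|https?://)", re.IGNORECASE)

# Display names attackers pick so the remote listing looks like a familiar local folder.
LOCAL_FOLDER_NAMES = {"downloads", "documents", "desktop", "my documents"}


def parse_search_ms(uri: str) -> dict:
    """Split a search-ms: URI into parameters: lower-cased keys, percent-decoded
    values, repeated keys (e.g. several crumb= entries) kept as lists."""
    if not uri.lower().startswith("search-ms:"):
        raise ValueError("not a search-ms URI")
    body = uri[len("search-ms:"):].lstrip("/")  # tolerate search-ms:// variants
    params: dict = {}
    for part in body.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params.setdefault(key.lower(), []).append(unquote(value))
    return params


def location_of(crumb: str) -> str:
    """Return the path a crumb scopes the query to, without the 'location:' prefix."""
    crumb = crumb.strip()
    if crumb.lower().startswith("location:"):
        crumb = crumb[len("location:"):]
    return crumb.strip()


def is_remote(path: str) -> bool:
    return REMOTE_PREFIX.match(path) is not None


def assess(uri: str) -> dict:
    """Classify a search-ms URI: remote query scope, WebDAV-over-HTTPS form,
    and a display name chosen to disguise the remote listing as a local folder."""
    params = parse_search_ms(uri)
    locations = [location_of(c) for c in params.get("crumb", [])]
    remote = [p for p in locations if is_remote(p)]
    displayname = params.get("displayname", [""])[0]
    findings = []
    if remote:
        findings.append("query scoped to remote share(s): " + ", ".join(remote))
        joined = " ".join(remote).lower()
        if "@ssl" in joined or "davwwwroot" in joined:
            findings.append("remote share is WebDAV reached over HTTPS (UNC @SSL form)")
        if displayname.strip().lower() in LOCAL_FOLDER_NAMES:
            findings.append(f"results window titled '{displayname}' to mimic a local folder")
    return {
        "locations": locations,
        "displayname": displayname,
        "remote": bool(remote),
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in assess(SAMPLE_URI)["findings"]:
        print("-", finding)
```

In a mail gateway or proxy, the same function can be run over every `search-ms:` link extracted from a message or landing page; a remote crumb is already a strong signal, and a local-looking display name on top of it is the lure pattern this campaign relies on.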
Execution and Payload Delivery
Opening the lure then causes a Python script hosted on another WebDAV resource to run directly from that share, without being written to the victim's disk; the script collects system information to profile the victim. At the same time, a decoy PDF is displayed to mask the malicious activity.
The script also downloads a legitimate Cisco WebEx executable (CiscoCollabHost.exe) together with a malicious DLL (CiscoSparkLauncher.dll). When the executable starts, it loads the DLL from its own directory, so Voldemort is launched through DLL side-loading.
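Side-loading leaves a distinctive trace in image-load telemetry: a signed host binary loading a companion DLL that is not signed by the same publisher. The detection below is an added example written for this page, not code from Proofpoint or from the campaign; it evaluates constructed records shaped like Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature, SignatureStatus) for the one host/DLL pair named above. The paths and event contents are constructed sample data.

```python
import ntpath

# Host binaries known to load a companion DLL from their own directory, with the
# DLL they expect and the publisher that should have signed it. Only the pair
# named on this page is listed; real deployments would carry a longer table.
SIDELOAD_PAIRS = {
    "ciscocollabhost.exe": {"dll": "ciscosparklauncher.dll", "publisher": "cisco"},
}

# Directory fragments a standard user can normally write to (lower-cased).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed Sysmon-like image-load records (not real telemetry).
SAMPLE_EVENTS = [
    {   # Genuine WebEx install: host and DLL both signed by Cisco.
        "UtcTime": "2024-08-06 09:00:01.000",
        "Image": r"C:\Users\alice\AppData\Local\CiscoSparkLauncher\CiscoCollabHost.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\CiscoSparkLauncher\CiscoSparkLauncher.dll",
        "Signed": "true", "Signature": "Cisco Systems, Inc.", "SignatureStatus": "Valid",
    },
    {   # Side-loading: the host is the real signed binary, the DLL beside it is unsigned.
        "UtcTime": "2024-08-06 09:14:37.000",
        "Image": r"C:\Users\bob\AppData\Local\Temp\CiscoCollabHost.exe",
        "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\CiscoSparkLauncher.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
    {   # Unrelated load, ignored because the host is not in the watch table.
        "UtcTime": "2024-08-06 09:15:02.000",
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
]


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def evaluate_image_load(ev: dict):
    """Return a list of reasons if the event looks like DLL side-loading, else None.

    The signature check is the primary signal: WebEx installs per user, so a
    user-writable path alone would also match a legitimate installation and is
    only reported as supporting context once the signature check has failed."""
    host = ntpath.basename(ev["Image"]).lower()
    dll = ntpath.basename(ev["ImageLoaded"]).lower()
    expected = SIDELOAD_PAIRS.get(host)
    if expected is None or dll != expected["dll"]:
        return None

    signed = ev.get("Signed", "false").lower() == "true"
    status = ev.get("SignatureStatus", "")
    signer = ev.get("Signature", "")
    reasons = []
    if not signed or status != "Valid":
        reasons.append(f"{dll} is not validly signed (Signed={ev.get('Signed')}, "
                       f"SignatureStatus={status or 'n/a'})")
    elif expected["publisher"] not in signer.lower():
        reasons.append(f"{dll} signed by '{signer}', expected publisher {expected['publisher']}")
    if not reasons:
        return None
    if is_user_writable(ev["ImageLoaded"]):
        reasons.append(f"DLL loaded from user-writable directory {ntpath.dirname(ev['ImageLoaded'])}")
    return reasons


def scan(events):
    """Return (time, host image, reasons) for every event that evaluate_image_load flags."""
    hits = []
    for ev in events:
        reasons = evaluate_image_load(ev)
        if reasons:
            hits.append((ev["UtcTime"], ev["Image"], reasons))
    return hits


if __name__ == "__main__":
    for when, image, reasons in scan(SAMPLE_EVENTS):
        print(when, image)
        for r in reasons:
            print("   ", r)
```

The same rule expressed in Sigma or an EDR query is: `Image` ends with the host binary name, `ImageLoaded` ends with the companion DLL name, and `Signed` is not true or `Signature` names a different publisher.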
Voldemort Backdoor Features
Voldemort itself is a C-based backdoor that supports a wide range of commands and file operations, including data theft, deploying new payloads, and deleting files.
A distinctive feature of Voldemort is its use of Google Sheets as a command-and-control server, receiving new commands via Sheets for execution on infected devices and using them as storage for stolen data.
Each infected machine writes its data to its own cells in the spreadsheet, identified by a unique UUID, which keeps victims separate from one another and gives the operators a clear view of every compromised system.
To interact with Google Sheets, Voldemort uses the Google API with a built-in OAuth client ID, client secret, and refresh token stored in its encrypted configuration.
Stealth and Persistence
Experts note that this approach gives the malware a reliable and highly available management channel while reducing the likelihood that its network traffic is flagged by security solutions: the traffic goes to a legitimate, widely used Google service over TLS. Because Google Sheets is common in enterprises, blocking the service outright is generally not a viable option.
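Since the destination cannot simply be blocked, detection has to key on who is talking to the Sheets API rather than on the domain alone. The following example is added here and is not from the page's source or from Proofpoint: it runs over a few constructed proxy log lines that record the originating process, and flags any non-browser process that performs the token refresh against oauth2.googleapis.com and then reads and writes spreadsheet values, which is the C2 pattern described in the previous section. The log format, host names, process names and the placeholder spreadsheet ID are all constructed for this example.

```python
import csv
import io
from collections import defaultdict

# Destinations the Sheets-based C2 needs: token refresh, then the Sheets v4 API.
GOOGLE_API_HOSTS = {"oauth2.googleapis.com", "sheets.googleapis.com"}

# Processes expected to talk to these endpoints on a workstation. Anything else
# doing so is worth a look; a real allowlist would include sanctioned sync clients.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Constructed proxy log with per-process attribution (not real traffic).
SAMPLE_LOG = """\
ts,host,process,dest_host,method,path
2024-08-06T09:00:01Z,WS-0412,chrome.exe,sheets.googleapis.com,GET,/v4/spreadsheets/CONSTRUCTED_SHEET_ID/values/Sheet1!A1:D20
2024-08-06T09:14:40Z,WS-0412,CiscoCollabHost.exe,oauth2.googleapis.com,POST,/token
2024-08-06T09:14:41Z,WS-0412,CiscoCollabHost.exe,sheets.googleapis.com,GET,/v4/spreadsheets/CONSTRUCTED_SHEET_ID/values/Sheet1!A1:B1
2024-08-06T09:14:42Z,WS-0412,CiscoCollabHost.exe,sheets.googleapis.com,PUT,/v4/spreadsheets/CONSTRUCTED_SHEET_ID/values/Sheet1!C1
2024-08-06T09:15:42Z,WS-0412,CiscoCollabHost.exe,sheets.googleapis.com,GET,/v4/spreadsheets/CONSTRUCTED_SHEET_ID/values/Sheet1!A1:B1
2024-08-06T09:16:03Z,WS-0413,msedge.exe,oauth2.googleapis.com,POST,/token
"""


def detect_sheets_c2(log_text: str) -> list:
    """Group Google API requests by (host, process), skip known browsers, and
    describe what each remaining process did against the API."""
    rows = csv.DictReader(io.StringIO(log_text))
    by_actor = defaultdict(list)
    for row in rows:
        if row["dest_host"].lower() not in GOOGLE_API_HOSTS:
            continue
        if row["process"].lower() in EXPECTED_PROCESSES:
            continue
        by_actor[(row["host"], row["process"])].append(row)

    findings = []
    for (host, process), reqs in by_actor.items():
        token_refresh = any(
            r["dest_host"] == "oauth2.googleapis.com" and r["path"].startswith("/token")
            for r in reqs
        )
        sheet_reqs = [r for r in reqs if r["dest_host"] == "sheets.googleapis.com"]
        reads = sum(1 for r in sheet_reqs if r["method"] == "GET")
        writes = sum(1 for r in sheet_reqs
                     if r["method"] in ("PUT", "POST") and "/values/" in r["path"])
        findings.append({
            "host": host,
            "process": process,
            "requests": len(reqs),
            "token_refresh": token_refresh,
            "reads": reads,
            "writes": writes,
            # Refresh token use plus bidirectional cell traffic from a non-browser
            # process is the full pattern the text describes (commands in, data out).
            "full_pattern": token_refresh and reads > 0 and writes > 0,
        })
    return findings


if __name__ == "__main__":
    for f in detect_sheets_c2(SAMPLE_LOG):
        print(f)
```

The check only works where the proxy or endpoint agent records the originating process; with destination-only logs, a non-browser OAuth refresh followed by steady polling of a single spreadsheet range is the nearest substitute signal.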