Security researchers from Proofpoint have recently identified a new malware threat known as “Voldemort,” which utilizes a cunning disguise to evade detection. This malware primarily spreads through phishing emails that appear to originate from legitimate sources. It leverages Google Sheets as a means of bypassing conventional security measures and gaining unauthorized access to sensitive data.
Voldemort’s main targets are organizations within the insurance, aerospace, transport, and education sectors. The attackers, whose identities remain unknown, are believed to be engaging in cyber espionage. The phishing emails are meticulously crafted to appear as if they come from trusted authorities in various regions, including the USA, Europe, and Asia. These emails often include links purportedly leading to documents with “updated tax information.”
The malware campaign, which began on August 5, 2024, has seen over 20,000 phishing emails sent to more than 70 companies. On particularly active days, up to 6,000 emails are dispatched. Clicking on the malicious link typically redirects the user to a file disguised as a PDF. However, the real danger lies in the malware’s ability to mimic network traffic and utilize Google Sheets as a command-and-control server, thus bypassing traditional security detections.
Beyond data theft, Voldemort can also perform various malicious activities, such as downloading additional malware, deleting files, and temporarily disabling itself. It functions as a versatile backdoor to infected systems, making it a significant threat.
To guard against Voldemort, Proofpoint advises organizations to restrict access from external file-sharing services, block unnecessary connections to services like TryCloudflare, and monitor for unusual PowerShell activity.