{"id":133,"date":"2024-09-04T18:28:19","date_gmt":"2024-09-04T18:28:19","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=133"},"modified":"2024-09-04T18:28:19","modified_gmt":"2024-09-04T18:28:19","slug":"unusual-voldemort-cyberespionage-attack-impersonates-tax-authorities","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=133","title":{"rendered":"\u2018Unusual\u2019 Voldemort cyberespionage attack impersonates tax authorities"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Researchers have identified an attack that impersonates tax authorities from several countries to compromise organizations and deploy a custom backdoor program dubbed Voldemort. While the campaign uses tactics seen in financially motivated cybercrime attacks, the researchers believe the true purpose is likely espionage based on the characteristics of the deployed malware.<\/p>\n<p>The campaign\u2019s targeting is unusual for an advanced persistent threat (APT) because it involved more than 20,000 phishing messages in a variety of languages impacting over 70 organizations globally. Impersonated tax agencies included the US Internal Revenue Service, the UK\u2019s HM Revenue &amp; Customs, France\u2019s Direction G\u00e9n\u00e9rale des Finances Publiques, Germany\u2019s Bundeszentralamt f\u00fcr Steuern, Italy\u2019s Agenzia delle Entrate, India\u2019s Income Tax Department, and Japan\u2019s National Tax Agency. The latter two were observed in a later wave of attacks, suggesting the campaign is growing and adding more languages.<\/p>\n<p>Targeted organizations span 18 verticals, with insurance being the top target, accounting for nearly a quarter. 
Aerospace, transportation, education, and finance followed in the ranking.<\/p>\n<p>\u201cThe Frankensteinian amalgamation of clever and sophisticated capabilities, paired with very basic techniques and functionality,\u202fmakes it difficult to assess the level of the threat actor\u2019s capability and determine with high confidence the ultimate goals of the campaign,\u201d researchers from security firm Proofpoint <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort\">wrote in a report<\/a>, which called the attack chain \u201cunusual.\u201d<\/p>\n<p>\u201cIt is possible that large numbers of emails could be used to obscure a smaller set of actual targets, but it\u2019s equally possible the actors wanted to genuinely infect dozens of organizations,\u201d the researchers wrote.<\/p>\n<h2 class=\"wp-block-heading\">Phishing emails lead to Windows Search protocol URLs<\/h2>\n<p>The campaign\u2019s phishing emails inform recipients about changes to tax reporting procedures and include links to additional resources. These links are Google AMP cached URLs that take users through a series of redirects that check their browser\u2019s operating system before directing them to a landing page.<\/p>\n<p>If the operating system is Windows, the user\u2019s browser is redirected to a search URI that points to a file with a .search-ms extension hosted on a remote WebDAV (file sharing) server. In Windows, the protocol handler for search URIs is Windows Explorer, so users will see a pop-up window from their browser asking whether they want to open Windows Explorer. 
The true location of the searched server is not displayed in the pop-up window, but in this particular case it is a server <a href=\"https:\/\/www.csoonline.com\/article\/3480886\/attackers-leverage-cloudflare-tunnels-to-obscure-malware-distribution.html\">hidden behind a TryCloudflare tunnel<\/a>.<\/p>\n<p>The Windows search protocol (search-ms) enables users to search files on remote servers and save such search queries in .search-ms files so they can be executed more easily in the future by simply opening the files. In this particular case, if the user accepts the browser prompt to open Windows Explorer, the query contained in the .search-ms file hosted on the remote WebDAV server will be executed, and a .LNK (Windows shortcut) file will be displayed as a result. This LNK file has a PDF icon and a filename related to the information shared in the phishing email.<\/p>\n<p>\u201cNotably, the file looks like it is hosted directly in the Downloads folder on the recipients\u2019 host as opposed to the external share,\u201d the Proofpoint researchers wrote. \u201cIt also uses a PDF icon to masquerade as a different file type. These two techniques may lead the recipient to believe it is a local PDF file, which may increase the likelihood of clicking on the content.\u201d<\/p>\n<p>The use of search-ms URIs as a payload delivery vector is not new. 
It has been <a href=\"https:\/\/pentestlab.blog\/2024\/01\/02\/initial-access-search-ms-uri-handler\/\">documented by penetration testers before<\/a> and <a href=\"https:\/\/socradar.io\/new-advanced-attack-technique-exploiting-search-ms-uri-protocol-handler\/\">has been used in real-world attacks<\/a> by cybercriminal groups, although it remains rare compared to other techniques.<\/p>\n<h2 class=\"wp-block-heading\">Cisco component abused to sideload Voldemort<\/h2>\n<p>Windows shortcut files are a <a href=\"https:\/\/www.csoonline.com\/article\/574425\/attackers-move-away-from-office-macros-to-lnk-files-for-malware-delivery.html\">common malware delivery technique<\/a> because they can be used to execute PowerShell commands to initiate the attack chain. In this case, if users open the malicious LNK file, the PowerShell command inside will run Python.exe from a WebDAV share on the same remote server, passing a Python script to it.<\/p>\n<p>The Python script collects information about the computer, sends this information to a remote URL, and downloads and opens a decoy PDF file whose contents are related to information presented in the email. The purpose of this action is to make the user think nothing unusual has happened, because they were expecting to open a PDF file.<\/p>\n<p>Meanwhile, in the background, the Python script downloads a password-protected archive called test.zip or logo.zip and unpacks it. This archive contains two files called CiscoCollabHost.exe and CiscoSparkLauncher.dll.<\/p>\n<p>CiscoCollabHost.exe is a legitimate file that is normally part of Cisco\u2019s collaboration software such as Webex Teams and Spark. The CiscoSparkLauncher.dll, however, is the malicious backdoor program Proofpoint has dubbed Voldemort.<\/p>\n<p>The technique of deploying a legitimate file configured to load a specifically named DLL and replace that DLL with a malicious one is known as DLL sideloading or DLL hijacking. 
This helps attackers to load their malicious code in memory by a legitimate, likely whitelisted process instead of an unknown executable, increasing their chances of evading detection.<\/p>\n<p>The Voldemort backdoor uses Google Sheets for command-and-control, with attackers creating spreadsheets for each victim and inputting commands that will be executed by the malicious program. Commands include listing directory contents; performing file operations such as copy, move, and upload; and downloading and executing additional payloads. While the researchers didn\u2019t observe any additional payloads delivered in real-time to a victim, they did find the Cobalt Strike implant on the attacker\u2019s infrastructure, suggesting this could be one of the second stage payloads.<\/p>\n<p>\u201cProofpoint assesses with moderate confidence this is likely an advanced persistent threat (APT) actor with the objective of intelligence gathering,\u201d the researchers said in their analysis. \u201cHowever, Proofpoint does not have enough data to attribute with high confidence to a specific named threat actor (TA). Despite the widespread targeting and characteristics more typically aligned with cybercriminal activity, the nature of the activity and capabilities of the malware show more interest in espionage rather than financial gain at this time,\u201d the researchers wrote in their report.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Researchers have identified an attack that impersonates tax authorities from several countries to compromise organizations and deploy a custom backdoor program dubbed Voldemort. While the campaign uses tactics seen in financially motivated cybercrime attacks, the researchers believe the true purpose is likely espionage based on the characteristics of the deployed malware. 
The campaign\u2019s targeting is [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":134,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[]}