
New Malware Named Voldemort Utilizes Google Sheets to Store Pilfered Data

Hey there, folks in SF! Let’s talk about a new trend that’s been making waves in cyberspace. Our not-so-friendly neighborhood hackers, always on the prowl for a new backdoor, have found a way to abuse something as innocent as Google Sheets. You heard that right: the platform we all trust for everyday work and collaboration has been turned into a covert command channel and drop box for stolen data.

Remember last August when researchers at a cybersecurity firm caught wind of something suspicious? They stumbled upon a campaign using an unusual chain of tricks to deploy custom malware, which the attackers had named straight out of a fantasy novel: ‘Voldemort’.

The attackers strung together several common techniques into one unusual chain, the standout being command-and-control over Google Sheets. Voldemort itself is a backdoor written in C: it gathers intelligence from the infected machine and can load additional malicious payloads.

Would you believe that for a moment, those watchful eyes at the cybersecurity firm suspected the activity might be a red team exercise? But as they dug deeper, sifting through malware samples and message data, they assessed it as likely cyber-espionage by an advanced persistent threat (APT) actor.

The campaign kicked off on August 5, 2024, and sent more than 20,000 messages to over 70 organizations. How? Targets were walked through a chain of URLs, landing pages and tunnels that ended at a file disguised as a harmless PDF but actually a Windows shortcut; opening it kicked off the Voldemort infection.
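The “PDF that is really a shortcut” trick works because Windows Explorer never displays the .lnk extension, so a file named tax_notice.pdf.lnk shows up as tax_notice.pdf. Here is an added example (my code, not the researchers’ or the attackers’) of the check a mail gateway or download scanner can run: it looks for the Shell Link header bytes rather than trusting the file name, and flags a name/content mismatch. The sample files are constructed for the demo, and the file names are placeholders, not indicators from the campaign.

```python
import struct

# A Windows Shell Link (.lnk) starts with HeaderSize = 0x4C followed by the
# ShellLink class ID {00021401-0000-0000-C000-000000000046}, serialized
# little-endian. Explorer always hides the .lnk extension, so "notice.pdf.lnk"
# displays as "notice.pdf" even when "hide known extensions" is turned off.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
PDF_MAGIC = b"%PDF-"
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def is_shell_link(data: bytes) -> bool:
    """True if data begins with a ShellLink header (size field + CLSID)."""
    if len(data) < 20:
        return False
    (size,) = struct.unpack_from("<I", data, 0)
    return size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def displayed_name(name: str) -> str:
    """Name as Windows Explorer would render it: a trailing .lnk is hidden."""
    return name[:-4] if name.lower().endswith(".lnk") else name


def classify_attachment(name: str, data: bytes) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'clean', 'suspicious' or 'malicious'."""
    shown = displayed_name(name)
    lower = name.lower()

    if is_shell_link(data):
        # A shortcut whose visible name pretends to be a document is exactly
        # the lure shape described in the article.
        if shown.lower().endswith(DOCUMENT_EXTS):
            return "malicious", f"Windows shortcut masquerading as document '{shown}'"
        if not lower.endswith(".lnk"):
            return "malicious", "Windows shortcut with a non-.lnk extension"
        return "suspicious", "Windows shortcut delivered as a file"

    if lower.endswith(".pdf") and not data.startswith(PDF_MAGIC):
        return "suspicious", "claims to be a PDF but has no %PDF- header"

    return "clean", "no shortcut/PDF mismatch"


def build_sample_lnk() -> bytes:
    """Constructed sample: a bare ShellLink header padded to 0x4C bytes.

    This is NOT the campaign's lure; it exists only so the check runs offline.
    """
    return struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)


if __name__ == "__main__":
    samples = {  # all constructed for the demo
        "tax_notice.pdf.lnk": build_sample_lnk(),        # shortcut shown as "tax_notice.pdf"
        "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",   # genuine PDF header
        "readme.pdf": b"MZ\x90\x00",                       # PE bytes under a .pdf name
        "open_me.lnk": build_sample_lnk(),                 # honest shortcut
    }
    for fname, blob in samples.items():
        verdict, why = classify_attachment(fname, blob)
        print(f"{fname:22} -> {verdict:10} ({why})")
```

The point of the check is the order of operations: look at the bytes first, then compare against what the user would see. A scanner that only strips “dangerous extensions” from a file name misses a .lnk that has been renamed, and one that trusts the .pdf suffix misses this lure entirely.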

So, what wizardry happened behind the scenes? The attackers turned Google Sheets into a triple threat: a command-and-control channel, a drop box for stealthily exfiltrated data, and the place where commands were queued up for execution on victim machines. And they did it all through the standard Google Sheets API, so the traffic looks like ordinary use of a Google service to any proxy or firewall that simply trusts Google domains.

The good news? The investigation found that the bulk of the active infections were sandboxes or known researchers. But a look inside the Google Sheets showed the attackers directing commands to several registered bots. Each infected machine checked in by creating its own new sheet, named with the machine’s hostname and username, which gave the operators a per-victim tab to work from and left a trail of every machine that had phoned home.
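Because the C2 traffic goes to sheets.googleapis.com like any legitimate Sheets client, the thing to hunt for is not the destination but who is talking to it and how. The two paragraphs above describe the protocol shape: a sheet is created per victim (a batchUpdate call), rows are appended (results and stolen data going up), and the sheet is read on a timer (polling for commands). Below is an added example, my own hunting script rather than anything from the report, that parses constructed proxy/EDR log lines of the form “time host process method url” and scores each non-browser process on those three behaviours plus whether the tab name contains the host’s own name. The process names, host names and spreadsheet IDs are invented placeholders.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed log lines for the example (not from the report):
# "<utc-time> <host> <process> <method> <url>". updater.exe, syncclient.exe
# and the spreadsheet IDs are placeholders.
SAMPLE_LOG = """\
2024-08-06T09:00:00Z WS-01 chrome.exe GET https://sheets.googleapis.com/v4/spreadsheets/1AbC/values/Sheet1!A1:D20
2024-08-06T09:00:05Z WS-01 chrome.exe POST https://sheets.googleapis.com/v4/spreadsheets/1AbC/values/Sheet1!A1:append?valueInputOption=RAW
2024-08-06T09:01:00Z WS-02 updater.exe POST https://sheets.googleapis.com/v4/spreadsheets/1XyZ:batchUpdate
2024-08-06T09:01:02Z WS-02 updater.exe POST https://sheets.googleapis.com/v4/spreadsheets/1XyZ/values/WS-02_jdoe!A1:append?valueInputOption=RAW
2024-08-06T09:02:02Z WS-02 updater.exe GET https://sheets.googleapis.com/v4/spreadsheets/1XyZ/values/WS-02_jdoe!A1:C50
2024-08-06T09:03:02Z WS-02 updater.exe GET https://sheets.googleapis.com/v4/spreadsheets/1XyZ/values/WS-02_jdoe!A1:C50
2024-08-06T09:04:02Z WS-02 updater.exe GET https://sheets.googleapis.com/v4/spreadsheets/1XyZ/values/WS-02_jdoe!A1:C50
2024-08-06T09:05:02Z WS-02 updater.exe POST https://sheets.googleapis.com/v4/spreadsheets/1XyZ/values/WS-02_jdoe!A1:append?valueInputOption=RAW
2024-08-06T09:10:00Z WS-03 syncclient.exe GET https://sheets.googleapis.com/v4/spreadsheets/1QrS/values/Sheet1!A1:B2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT|DELETE) (\S+)$")
# Sheets API v4 shapes: /spreadsheets/{id}:batchUpdate (adds tabs, among other
# things), /spreadsheets/{id}/values/{range}:append (write rows), and a plain
# GET of /spreadsheets/{id}/values/{range} (read rows).
API_RE = re.compile(
    r"^https://sheets\.googleapis\.com/v4/spreadsheets/([^/:?]+)"
    r"(?::(batchUpdate)|/values/([^:?]+)(?::(append))?)"
)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


@dataclass
class SheetsEvent:
    ts: datetime
    host: str
    process: str
    sheet_id: str
    op: str   # "batchUpdate", "append" or "read"
    rng: str  # A1 range if present, e.g. "WS-02_jdoe!A1:C50"


def parse_log(text: str) -> list[SheetsEvent]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, proc, method, url = m.groups()
        a = API_RE.match(url)
        if not a:
            continue
        sheet_id, batch, rng, append = a.groups()
        if batch:
            op = "batchUpdate"
        elif append:
            op = "append"
        elif method == "GET":
            op = "read"
        else:
            continue
        events.append(SheetsEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                  host, proc, sheet_id, op, rng or ""))
    return events


def hunt(events: list[SheetsEvent]) -> dict[tuple[str, str], list[str]]:
    """Per (host, process), list the reasons its Sheets traffic looks like C2."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e.host, e.process)].append(e)

    findings = {}
    for (host, proc), evs in by_actor.items():
        if proc.lower() in BROWSERS:
            continue  # interactive use; not what this hunt is for
        reasons = []
        ops = {e.op for e in evs}
        if "batchUpdate" in ops:
            reasons.append("non-browser process changed sheet structure (batchUpdate)")
        if "append" in ops:
            reasons.append("non-browser process appended rows (upload/exfil)")
        tabs = {e.rng.split("!")[0] for e in evs if e.rng}
        if any(host.lower() in t.lower() for t in tabs):
            reasons.append("works in a tab named after this host (per-victim registration)")
        reads = sorted(e.ts for e in evs if e.op == "read")
        if len(reads) >= 3:
            gaps = [(b - a).total_seconds() for a, b in zip(reads, reads[1:])]
            if statistics.pstdev(gaps) <= 0.1 * statistics.mean(gaps):
                reasons.append(f"polls the sheet every ~{statistics.mean(gaps):.0f}s (beaconing)")
        if reasons:
            findings[(host, proc)] = reasons
    return findings


if __name__ == "__main__":
    for (host, proc), why in hunt(parse_log(SAMPLE_LOG)).items():
        print(f"{host} / {proc}")
        for r in why:
            print(f"  - {r}")
```

In the constructed sample only WS-02’s updater.exe lights up, on all four counts; the browser on WS-01 is skipped and the one-off read from WS-03 scores nothing. On real telemetry you would feed this from a proxy that logs the originating process (or from EDR network events), and the interesting tuning knob is the browser allow-list: a compromised browser can still be abused, so treat that skip as noise reduction, not a guarantee.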

The trail led into Google Drive as well, where more artifacts turned up: a password-protected 7-Zip archive containing a malicious DLL alongside an executable, “Shuaruta.exe”. That executable is susceptible to DLL sideloading, so dropping the attacker’s DLL next to it gets the DLL loaded by a program that looks legitimate, and in this case the payload that rode in was a Cobalt Strike Beacon.
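Sideloading leaves a recognisable footprint in image-load telemetry: a DLL that is unsigned (or whose signature does not verify) loaded from the same directory as the executable, usually from somewhere a user can write to. Here is an added example, my own triage logic and not anything from the report, run over constructed Sysmon-style image-load records (Event ID 7 fields Image, ImageLoaded, Signed, SignatureStatus, plus an ImageSigned field I have added as if filled in from a separate lookup of the host executable). Shuaruta.exe is the name given in the article; every path, DLL name and signer state below is a placeholder, not an observed indicator.

```python
from pathlib import PureWindowsPath

# Constructed records (not real telemetry). ImageSigned is not a Sysmon field;
# it stands in for a lookup of the host executable's own signature.
SAMPLE_LOADS = [
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\out\Shuaruta.exe", "ImageSigned": True,
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\out\helper.dll",
     "Signed": False, "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\App.exe", "ImageSigned": True,
     "ImageLoaded": r"C:\Program Files\Vendor\AppCore.dll",
     "Signed": True, "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\jdoe\Downloads\tool.exe", "ImageSigned": False,
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": True, "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\jdoe\Downloads\tool.exe", "ImageSigned": False,
     "ImageLoaded": r"C:\Users\jdoe\Downloads\plugin.dll",
     "Signed": False, "SignatureStatus": "Unavailable"},
]

PROTECTED_ROOTS = (r"c:\windows", r"c:\program files")


def in_user_writable_dir(path: PureWindowsPath) -> bool:
    """Crude rule: anything outside the OS and Program Files trees counts as writable."""
    p = str(path).lower()
    return not any(p.startswith(root) for root in PROTECTED_ROOTS)


def sideload_candidates(records: list[dict]) -> list[dict]:
    """Flag DLL loads matching the sideloading pattern.

    Necessary condition: an unsigned (or invalidly signed) DLL loaded from the
    same directory as the executable. Corroboration: the executable itself is
    signed (a legitimate binary being abused) and the directory is user-writable.
    """
    hits = []
    for r in records:
        exe, dll = PureWindowsPath(r["Image"]), PureWindowsPath(r["ImageLoaded"])
        # PureWindowsPath compares case-insensitively, matching NTFS behaviour.
        if dll.suffix.lower() != ".dll" or exe.parent != dll.parent:
            continue
        if r["Signed"] and r["SignatureStatus"] == "Valid":
            continue
        corroboration = []
        if r["ImageSigned"]:
            corroboration.append("signed host executable")
        if in_user_writable_dir(exe.parent):
            corroboration.append("user-writable directory")
        hits.append({
            "exe": str(exe),
            "dll": str(dll),
            "severity": "high" if len(corroboration) == 2 else "medium",
            "why": ["unsigned DLL loaded from the executable's own directory"] + corroboration,
        })
    return hits


if __name__ == "__main__":
    for hit in sideload_candidates(SAMPLE_LOADS):
        print(f"[{hit['severity']}] {hit['exe']} <- {hit['dll']}")
        for reason in hit["why"]:
            print(f"    {reason}")
```

The Shuaruta.exe record comes out “high” (signed executable, unsigned DLL, Temp directory); the unsigned tool.exe loading its own unsigned plugin is only “medium”, since unsigned hobby software loading its own unsigned DLLs from Downloads is common and needs a human look rather than an automatic block. The vendor application and the normal ntdll.dll load are not reported at all.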

So, fellow Bay Area dwellers, this just goes to show how our trusted platforms can be turned against us: a firewall rule that waves through anything bound for Google is not a security control when Google Sheets is the command channel. Vigilance is more critical now than ever. But as long as we have sharp-eyed guardians at the cybersecurity firms, we can at least sleep a wee bit easier!

by Morgan Phisher | HEAL Security
