A newly discovered malware is targeting organizations by impersonating global tax authorities. This malicious software employs sophisticated techniques to infiltrate systems and compromise sensitive information, causing significant disruptions for affected entities. The malware’s method of attack has drawn comparisons to the dark wizard from a popular fantasy series, known for his ability to spread fear and destruction.
This malware has affected many organizations using phishing messages that are reported to be over 20,000 since Aug 5th according to Proofpoint’s report.
What Voldemort Does
The malware is written in C and is used to backdoor into it’s target with the intent of data exfiltration while simultaneously deploying other malicious payloads. Once the payloads have been deployed, the malware uses Google Sheets to establish Command and Control. The target will then use a legitimate version of WebEx which loads a DLL to communicate with the C2 server.
How The Attack Begins
Many as 6,000 phishing emails were sent in a single day impersonating tax agencies from the US, China, and Europe. These emails were designed specifically well to appear as legitimate. To also add to the legitimacy, the emails were sent from a compromised domain of the tax agency. The ultimate goal of the attacks remains unclear at this time but it is likely believed to be espionage according to Proofpoint.
Who Is Susceptible
Organizations that utilize Google in their network are at the most risk as the company’s platforms would be in the allowed list. These organizations should monitor for network connections that are associated with non browser processes.
Security Best Practices Remain A Good Defense
Ensuring strong MFA is turned on, reducing the attack surface, and training employees to be a spot phishing attempts or always verify legitimacy with emails that seem out of the ordinary. Regularly patching security updates and monitoring for any abnormal behavior is also good to keep up with known vulnerabilities.
References:
DarkReading: “‘Voldemort’ Malware Curses Orgs Using Global Tax Authorities” (Link)
Proofpoint: The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort” (Link)