More than 70 organizations worldwide, over half of which are in the education, transportation, insurance, and aerospace industries, have been targeted with the novel Voldemort backdoor as part of a suspected cyberespionage campaign since early last month, BleepingComputer reports.
Attackers spoofing U.S., European, and Asian tax agencies sent more than 20,000 phishing emails that claimed to carry updated tax information. The embedded links, when clicked, redirect to a search-ms URI file that triggers a Python script; the script displays a decoy PDF while side-loading the Voldemort DLL, according to an analysis from Proofpoint. Further examination of the C-based Voldemort backdoor showed that it abuses Google Sheets as a command-and-control server to retrieve and execute several commands and to store exfiltrated data, while evading security systems. These findings, which follow the Chinese hacking group APT41's earlier abuse of Google Sheets as a C2 server, have prompted researchers to urge organizations to restrict access to external file-sharing services and TryCloudflare connections, and to track PowerShell execution.
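As an added defender-side example (not code from the BleepingComputer or Proofpoint reports), the Python triage routine below runs over constructed, Sysmon-style process and network events and flags the observables named above: a search-ms: URI launch, a Python interpreter started from Explorer, PowerShell execution, and non-browser connections to the Google Sheets API or a TryCloudflare tunnel host. The event schema, field names and sample events are assumptions made for the example.

```python
import json
import re

# Hosts tied to the report: the Google Sheets API used as C2 and TryCloudflare
# quick tunnels. The event fields below are a constructed, Sysmon-like schema.
C2_HOST_PATTERNS = [
    re.compile(r"(^|\.)sheets\.googleapis\.com$", re.I),
    re.compile(r"\.trycloudflare\.com$", re.I),
]
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def triage_event(event: dict) -> list:
    """Return finding tags for one event; an empty list means nothing flagged."""
    findings = []
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("command_line", "")
    if event.get("type") == "process_create":
        if re.search(r"search-ms:", cmd, re.I):       # protocol handler from a phishing link
            findings.append("search-ms-uri")
        if image in {"python.exe", "pythonw.exe"} and parent == "explorer.exe":
            findings.append("python-from-explorer")   # user double-click, not a dev shell
        if image in {"powershell.exe", "pwsh.exe"}:
            findings.append("powershell-exec")        # execution tracking, as recommended
    elif event.get("type") == "network_connect":
        host = event.get("dest_host", "")
        if image not in BROWSERS and any(p.search(host) for p in C2_HOST_PATTERNS):
            findings.append("nonbrowser-to-" + host)
    return findings


def triage_log(lines):
    """Triage a stream of JSON lines; return {event id: findings} for hits only."""
    hits = {}
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            tags = triage_event(ev)
            if tags:
                hits[ev["id"]] = tags
    return hits


# Constructed sample events (not real telemetry): one decoy click chain plus benign noise.
SAMPLE_LOG = r"""
{"id": 1, "type": "process_create", "image": "C:\\Windows\\explorer.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "explorer.exe search-ms:query=tax-update"}
{"id": 2, "type": "process_create", "image": "C:\\Python312\\python.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "python.exe update.py"}
{"id": 3, "type": "network_connect", "image": "C:\\Python312\\python.exe", "dest_host": "sheets.googleapis.com"}
{"id": 4, "type": "network_connect", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "sheets.googleapis.com"}
{"id": 5, "type": "process_create", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "notepad.exe"}
""".splitlines()
```

Events 1 to 3 are flagged as the click chain while the browser's own Sheets traffic (event 4) and Notepad (event 5) pass; in production the same rules would sit on real Sysmon Event ID 1 and 3 telemetry rather than this constructed stream.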