The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers 'Voldemort'

Sept. 2, 2024, 8:50 p.m.

Description

Proofpoint researchers uncovered an unusual campaign delivering custom malware named "Voldemort". The activity impersonated tax authorities from various countries and targeted dozens of organizations worldwide. The attack chain combines popular and uncommon techniques, including using Google Sheets for command and control. The malware has capabilities for information gathering and delivering additional payloads. While the campaign exhibits some characteristics of cybercriminal activity, the nature and capabilities of the malware suggest an espionage objective. The threat actor utilized multiple techniques becoming more popular in the cybercrime landscape, making attribution challenging. The campaign's unusual combination of sophisticated and basic elements makes it difficult to assess the threat actor's capabilities and ultimate goals.

External References

https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort
https://otx.alienvault.com/pulse/66d6210d8809bca69d931131
Tags
apt
espionage
cobalt strike
2024-09-02
tax authorities
voldemort

Date

  • Created: Sept. 2, 2024, 8:33 p.m.
  • Published: Sept. 2, 2024, 8:33 p.m.
  • Modified: Sept. 2, 2024, 8:50 p.m.

Indicators

  • 6bdd51dfa47d1a960459019a960950d3415f0f276a740017301735b858019728
  • fa383eac2bf9ad3ef889e6118a28aa57a8a8e6b5224ecdf78dcffc5225ee4e1f
  • 561e15a46f474255fda693afd644c8674912df495bada726dbe7565eae2284fb
  • 3fce52d29d40daf60e582b8054e5a6227a55370bed83c662a8ff2857b55f4cea
  • 0b3235db7e8154dd1b23c3bed96b6126d73d24769af634825d400d3d4fe8ddb9
  • 83.147.243.18
  • https://resource.infinityfreeapp.com/0023012-317.html
  • https://resource.infinityfreeapp.com/ABC_of_Tax.html
  • https://pubs.infinityfreeapp.com/Steuerratgeber.html
  • https://pubs.infinityfreeapp.com/SA150_Notes_2024.html
  • https://pubs.infinityfreeapp.com/Notice_pour_remplir_la_N%C2%B0_2044.html
  • https://pubs.infinityfreeapp.com/La_dichiarazione_precompilata_2024.html
  • https://pubs.infinityfreeapp.com/IRS_P966.html
  • https://od.lk/s/OTRfODQ5MzQ5Mzlf/ABC_of_Tax.pdf
  • https://od.lk/s/OTRfODQ4ODE4OThf/logo.png
  • https://od.lk/s/OTRfODQ1NzA0Mjlf/einzelfragen_steuerbescheinigungen_de.pdf
  • https://od.lk/s/OTRfODQ1Njk2ODVf/2044_4765.pdf
  • https://od.lk/s/OTRfODM5Mzc3NjFf/irs-p966.pdf
  • https://od.lk/s/OTRfODQ1NDc2MjZf/SA150_Notes_2024.pdf
  • https://od.lk/s/OTRfODM3MjM2NzVf/La_dichiarazione_precompilata_2024.pdf
  • https://od.lk/s/OTRfNzQ5NjQwOTJf/test.png
  • no_reply_irs.gov@amecaindustrial.com
  • ways-sms-pmc-shareholders.trycloudflare.com
  • resource.infinityfreeapp.com
  • pants-graphs-optics-worse.trycloudflare.com
  • recall-addressed-who-collector.trycloudflare.com
  • invasion-prisoners-inns-aging.trycloudflare.com
Download all indicators here!

Attack Patterns

  • Voldemort
  • Cobalt Strike - S0154

Additional Informations

  • Aerospace
  • Insurance
  • Transportation
  • Education
  • Virgin Islands, U.S.
  • British Indian Ocean Territory
  • India
  • Italy
  • Japan
  • France
  • Germany