
‘Unusual’ Voldemort cyberespionage attack impersonates tax authorities

Researchers have identified an attack that impersonates tax authorities from several countries to compromise organizations and deploy a custom backdoor program dubbed Voldemort. While the campaign uses tactics seen in financially motivated cybercrime attacks, the researchers believe the true purpose is likely espionage based on the characteristics of the deployed malware.

The campaign’s targeting is unusual for an advanced persistent threat (APT) because it involved more than 20,000 phishing messages in a variety of languages impacting over 70 organizations globally. Impersonated tax agencies included the US Internal Revenue Service, the UK’s HM Revenue & Customs, France’s Direction Générale des Finances Publiques, Germany’s Bundeszentralamt für Steuern, Italy’s Agenzia delle Entrate, India’s Income Tax Department, and Japan’s National Tax Agency. The latter two were observed in a later wave of attacks, suggesting the campaign is growing and adding more languages.

Targeted organizations span 18 verticals, with insurance being the top target, accounting for nearly a quarter. Aerospace, transportation, education, and finance followed in the ranking.

“The Frankensteinian amalgamation of clever and sophisticated capabilities, paired with very basic techniques and functionality, makes it difficult to assess the level of the threat actor’s capability and determine with high confidence the ultimate goals of the campaign,” researchers from security firm Proofpoint wrote in a report, which called the attack chain “unusual.”

“It is possible that large numbers of emails could be used to obscure a smaller set of actual targets, but it’s equally possible the actors wanted to genuinely infect dozens of organizations,” the researchers wrote.

Phishing emails lead to Windows Search protocol URLs

The campaign’s phishing emails inform recipients about changes to tax reporting procedures and include links to additional resources. These links are Google AMP cached URLs that take users through a series of redirects that check their browser’s operating system before directing them to a landing page.

If the operating system is Windows, the user’s browser is redirected to a search URI that points to a file with a .search-ms extension hosted on a remote WebDAV (file sharing) server. In Windows, the protocol handler for search URIs is Windows Explorer, so users will see a pop-up window from their browser asking whether they want to open Windows Explorer. The true location of the searched server is not displayed in the pop-up window, but in this particular case it is a server hidden behind a TryCloudflare tunnel.

The Windows search protocol (search-ms) enables users to search files on remote servers and save such search queries in .search-ms files so they can be executed more easily in the future by simply opening the files. In this particular case, if the user accepts the browser prompt to open Windows Explorer, the query contained in the .search-ms file hosted on the remote WebDAV server will be executed, and a .LNK (Windows shortcut) file will be displayed as a result. This LNK file has a PDF icon and a filename related to the information shared in the phishing email.

“Notably, the file looks like it is hosted directly in the Downloads folder on the recipients’ host as opposed to the external share,” the Proofpoint researchers wrote. “It also uses a PDF icon to masquerade as a different file type. These two techniques may lead the recipient to believe it is a local PDF file, which may increase the likelihood of clicking on the content.”

The use of search-ms URIs as a payload delivery vector is not new. It has been documented by penetration testers before and has been used in real-world attacks by cybercriminal groups, although it remains rare compared to other techniques.

Cisco component abused to sideload Voldemort

Windows shortcut files are a common malware delivery technique because they can be used to execute PowerShell commands to initiate the attack chain. In this case, if users open the malicious LNK file, the PowerShell command inside will run Python.exe from a WebDAV share on the same remote server, passing a Python script to it.

The Python script collects information about the computer, sends this information to a remote URL, and downloads and opens a decoy PDF file whose contents are related to information presented in the email. The purpose of this action is to make the user think nothing unusual has happened, because they were expecting to open a PDF file.

Meanwhile, in the background, the Python script downloads a password-protected archive called test.zip or logo.zip and unpacks it. This archive contains two files called CiscoCollabHost.exe and CiscoSparkLauncher.dll.

CiscoCollabHost.exe is a legitimate file that is normally part of Cisco’s collaboration software such as Webex Teams and Spark. The CiscoSparkLauncher.dll, however, is the malicious backdoor program Proofpoint has dubbed Voldemort.

The technique of deploying a legitimate file configured to load a specifically named DLL and replace that DLL with a malicious one is known as DLL sideloading or DLL hijacking. This helps attackers to load their malicious code in memory by a legitimate, likely whitelisted process instead of an unknown executable, increasing their chances of evading detection.
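The delivery chain above leaves two observable traces a defender can look for: a search protocol URI (or a .search-ms file) pointing at a remote WebDAV location, and an interpreter such as python.exe being launched from a UNC share. The following is an added detection sketch, not code from the Proofpoint report; the log format, hostnames and field names are constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample telemetry (not from the report): URLs seen at a web proxy
# and process-creation events from an endpoint sensor, as plain dicts.
SAMPLE_URLS = [
    "https://www.example.com/changes-to-tax-reporting.pdf",
    "search-ms:query=tax%20notice&crumb=location:\\\\dav.example.net@SSL\\DavWWWRoot\\docs",
    "https://dav.example.net/docs/notice.search-ms",
]
SAMPLE_PROCS = [
    {"parent": "powershell.exe",
     "image": "\\\\dav.example.net@SSL\\DavWWWRoot\\py\\python.exe",
     "cmdline": "python.exe \\\\dav.example.net@SSL\\DavWWWRoot\\py\\s.py"},
    {"parent": "explorer.exe", "image": "C:\\Python312\\python.exe",
     "cmdline": "python.exe C:\\Users\\u\\report.py"},
]

SEARCH_SCHEME = re.compile(r"^search(-ms)?:", re.IGNORECASE)   # Windows Search protocol
REMOTE_LOCATION = re.compile(r"(\\\\|//)[\w.-]+")              # \\host or //host
SEARCH_MS_FILE = re.compile(r"\.search-ms(\?|$)", re.IGNORECASE)
UNC_PATH = re.compile(r"^\\\\[\w.-]+(@SSL)?\\", re.IGNORECASE)  # \\host[@SSL]\...


def flag_url(url: str) -> Optional[str]:
    """Return a reason if the URL matches the search-ms delivery pattern."""
    if SEARCH_SCHEME.match(url) and REMOTE_LOCATION.search(url):
        return "search protocol URI pointing at a remote location"
    if SEARCH_MS_FILE.search(url) and url.lower().startswith(("http://", "https://")):
        return ".search-ms file fetched from a web/WebDAV server"
    return None


def flag_process(event: dict) -> Optional[str]:
    """Return a reason if python.exe is launched from a UNC/WebDAV path."""
    if event["image"].lower().endswith("python.exe") and UNC_PATH.match(event["image"]):
        return f"python.exe run from remote share by {event['parent']}"
    return None


def scan(urls, procs) -> list:
    """Run both checks and collect the reasons for every hit."""
    hits = [r for r in map(flag_url, urls) if r]
    hits += [r for r in map(flag_process, procs) if r]
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_URLS, SAMPLE_PROCS):
        print("ALERT:", hit)
```

In production the same two checks would sit in a proxy or email URL rewriter and in an EDR process-creation rule; the regexes are deliberately broad, so tune them against your own baseline of legitimate search-ms and UNC usage.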

The Voldemort backdoor uses Google Sheets for command-and-control, with attackers creating spreadsheets for each victim and inputting commands that will be executed by the malicious program. Commands include listing directory contents; performing file operations such as copy, move, and upload; and downloading and executing additional payloads. While the researchers didn’t observe any additional payloads delivered in real-time to a victim, they did find the Cobalt Strike implant on the attacker’s infrastructure, suggesting this could be one of the second stage payloads.

“Proofpoint assesses with moderate confidence this is likely an advanced persistent threat (APT) actor with the objective of intelligence gathering,” the researchers wrote in their report. “However, Proofpoint does not have enough data to attribute with high confidence to a specific named threat actor (TA). Despite the widespread targeting and characteristics more typically aligned with cybercriminal activity, the nature of the activity and capabilities of the malware show more interest in espionage rather than financial gain at this time.”
