Security researchers have detected a new malware that is suspected of spying. Hackers infect the device by impersonating government agencies, usually tax agencies such as the Internal Revenue Service (IRS). Once the malicious software is on the PC, it can collect intelligence (collecting personal data, passwords and more), download additional malicious software, and upload data to the hacker’s server. It does all this while using Google Sheets to avoid suspicion and store data.
Illustration of a computer being hacked by malware (Kurt “CyberGuy” Knutson)
It all starts with a fake email
The hackers behind the malware named “Voldemort” have designed it very cleverly to avoid getting caught. Just like the name Voldemort created trouble in JK Rowling’s Harry Potter series, it is also creating problems in the world of cyber security.
The cyber attack begins when you receive an email that looks like it came from a government tax agency. proofpointThe hackers behind the campaign are impersonating tax agencies in various countries, including the US (IRS), the UK (HM Revenue & Customs), France (Direction Général des Finances Publiques), Germany (Bundeszentralamt für Sturen), Italy (Agenzia delle Entrate) and, as of August 19, India (Income Tax Department) and Japan (National Tax Agency). Each email lure was customized and written in the language of the tax official being impersonated.
Proofpoint analysts found that hackers crafted their phishing emails to match the target’s country of residence, based on publicly available information rather than the organization’s location or language suggested by the email address. For example, some targets in a European organization received emails impersonating the IRS because they were linked to the US in public records. In some cases, hackers confused the country of residence when the target shared a name with a more prominent individual.
The emails also attempted to mimic government agency emails. For example, fake emails were sent to US people using “no_reply_irs(.)gov@amecaindustrial(.)com.”
Email that tries to mimic an email from a government agency (Proofpoint) (Kurt “CyberGuy” Knutson)
This attack is cleverly carried out on your device
In the fake email, hackers impersonating the government warn you about changes in tax rates and tax systems and ask you to click on a link to read a detailed guide. Clicking on the link takes you to a landing page that uses a Google AMP cache URL to redirect you to a page with a “Click to view document” button.
After clicking the button, hackers check if you are using a Windows device. If you are, you will be redirected to another page. When you interact with that page, it triggers a download that looks like a PDF file in your PC’s Downloads folder, but it is actually a LNK or ZIP file hosted on an external server.
When you open the file, it runs a Python script from another server without actually downloading the script to your computer. This script collects system information to profile you, while opening a fake PDF to hide malicious activity.
Download what looks like a PDF file to your PC’s Downloads folder (Proofpoint) (Kurt “CyberGuy” Knutson)
Voldemort uses Google Sheets to store data
Once the malware successfully infects your Windows device, it:
- hum: Check if it is still connected to its control server
- Dir: Get a list of files and folders on your system
- download: Send files from your system to the control server
- Upload it: Put files from the control server onto your system
- Executive: Run specific commands or programs on your system
- Copy: Copy files or folders on your system
- step: Move files or folders around on your system
- Sleep: Pause its activity for a specified time
- exit: Stop running on your system
The malware uses Google Sheets as its command center, from where it gets new instructions and stores stolen data. Each infected device sends its data to specific cells in a Google Sheet, which are marked by unique IDs to keep everything organized.
Voldemort interacts with Google Sheets through Google’s API, using an embedded client ID, secret, and refresh token stored in its encrypted settings. This method gives the malware a reliable way to communicate without arousing suspicion because Google Sheets is widely used in businesses, making it hard for security tools to block it.
How to recognize vacation rental scams and avoid falling victim to them
4 ways to protect yourself from malware attacks
Hackers are constantly releasing complex malware, but that doesn’t mean you are vulnerable. Below are some tips that will help you protect yourself from such attacks.
1) Read sensitive emails carefully: The best way to identify fake emails that deliver malware is to check them carefully. While hackers may be tech-savvy, their language skills are often not perfect. For example, in the screenshot above, you can see typos like “taxpayer” instead of “taxpayers”. Government agencies usually don’t make mistakes like this.
2) Check the email domain: Verify that the email domain matches the organization it claims to represent. For example, an email from the IRS should come from an address ending in “@irs.gov.” Be wary of even slight spelling mistakes or variations in the domain.
3) Invest in data removal services: Hackers target you based on your publicly available information. This can be anything from information leaked through a data breach to the information you provide to an e-commerce shop. See my top picks for data removal services here,
4) Have strong antivirus software: If you have strong antivirus software installed on your device, it can protect you if you receive such scam emails or accidentally open an attachment or click on a link. The best way to protect yourself from clicking on malicious links that install malware is to install antivirus protection on all your devices. It can also alert you to any phishing emails or ransomware scams. Get my picks for the best antivirus protection winners of 2024 for your Windows, Mac, Android, and iOS devices,
Subscribe to Kurt’s YouTube channel for quick video tips on how to work all your tech devices
Kurt’s main points
Although the researchers cannot say for sure, many of the techniques used by the malware are similar to those used by hackers suspected of espionage. Even if this assessment proves to be wrong, the scale and sophistication of the attack is worrying. Anyone without technical knowledge can easily fall prey to it and lose personal data and money. This attack specifically targets Windows users, which also raises questions about Microsoft’s security framework.
What measures do you think organizations should implement to better protect individuals from malware attacks? Let us know by writing to us at cyberguy.com/contact,
For more of my tech tips and security warnings, subscribe to my free CyberGuy Report newsletter Cyberguy.com/Newsletter,
Ask Kurt a question or let us know what stories you’d like us to cover,
Follow Kurt on his social channels:
Most frequently asked questions answered by CyberGuy:
New from Kurt:
Copyright 2024 CyberGuy.com. All rights reserved.
