New ‘Voldemort’ malware infects by disguising itself to go undetected

Security researchers from Proofpoint recently warned of a new malware called “Voldemort,” which is spreading via phishing emails and disguising itself with Google Sheets to bypass security systems and gain access to various kinds of data.

Companies, businesses, and organizations are the main targets of this malware, primarily in the insurance, aerospace, transport, and education sectors. The actors behind this malware attack are still unknown, but Proofpoint believes that it is a form of cyber espionage.

Voldemort phishing emails pretend to be from authorities in the USA, Europe, or Asia. According to the report, the attackers design the phishing emails to match the target organization’s location based on publicly available information, and the emails themselves contain links to supposed documents with “updated tax information.”

Related: The most common phishing scams to be aware of

What happens when you click?

The malware campaign started on August 5, 2024 and the attackers have already sent more than 20,000 emails to 70+ target companies. On peak days, the phishing emails reach up to 6,000 potential victims.

When a victim clicks on a link in the emails, they’re redirected to download a file disguised as a PDF, which may not seem suspicious. But the malware disguises itself as network traffic and uses Google Sheets as a command-and-control server (also known as a C2 attack) — and security systems don’t classify the malware traffic as suspicious due to the use of Google’s API including embedded access data.

The malware is primarily there to steal data, but it’s also capable of downloading additional malware, deleting files, temporarily disabling itself, and more. In a sense, it can serve as a backdoor and is therefore a versatile threat to infected systems.

Related: How malware can sneak past your antivirus software

How to protect yourself

To protect against the Voldemort malware campaign, Proofpoint recommends restricting access from external file sharing services to trusted servers, blocking connections to TryCloudflare when they aren’t actively needed, and watching for suspicious PowerShell executions.

The full report from Proofpoint is available here.