A global espionage campaign is exposed through a new malware named after Harry Potter.

A new piece of malware is nearly as dangerous as its namesake, Voldemort from the 'Harry Potter' series.


Security researchers have discovered a new malware that is believed to be used for espionage. The malware is designed to mimic government agencies, such as the IRS, to trick users into installing it on their devices. Once installed, the malware can collect personal data, passwords, and other sensitive information. It can also download additional malicious software and upload data to the hacker's server. To avoid detection, the malware uses Google Sheets to store data.

Illustration of computer being hacked by malware (Kurt "CyberGuy" Knutsson)

It all starts with a fake email

The malware known as "Voldemort" is causing problems in the cybersecurity world, just as the name Voldemort brought trouble in J.K. Rowling's Harry Potter series.

The cyberattack begins when you receive an email that appears to be from a government tax agency. According to Proofpoint, the hackers behind this campaign have been posing as tax agencies in various countries, including the U.S. (IRS), the U.K. (HM Revenue & Customs), France (Direction Générale des Finances Publiques), Germany (Bundeszentralamt für Steuern), Italy (Agenzia delle Entrate) and, as of Aug. 19, India (Income Tax Department) and Japan (National Tax Agency). Each email was tailored and written in the language of the tax authority being imitated.

Analysts at Proofpoint found that the hackers tailored each phishing email to the target's country of residence as determined from publicly available information, rather than to the organization's location or the language suggested by the target's email address. For instance, some targets at European organizations received emails posing as the IRS because public records linked them to the U.S. In certain cases the hackers picked the wrong country, because the target shared a name with a more prominent individual.

In the fake email sent to U.S. citizens, the sender address imitated the IRS: "no_reply_irs[.]gov@amecaindustrial[.]com."

Email that tries to mimic the email of a government agency (Proofpoint) (Kurt "CyberGuy" Knutsson)

The attack cleverly unfolds on your device

In the fraudulent email, the senders, posing as government officials, notify you of changes to tax rates and systems and ask you to click a link to a comprehensive guide. Clicking the link takes you, by way of a Google AMP Cache URL, to a page with a "View Document" button.

When you click the button, the page checks whether you're using a Windows device. If you are, you're redirected to another page, and interacting with that page triggers a download that appears as a PDF file in your PC's Downloads folder but is actually an LNK or ZIP file hosted on an external server.

When the file is opened, it runs a script hosted on that external server rather than saving the script to your computer. The script gathers system information to build a profile of you, while a decoy PDF opens to conceal the malicious activity.
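The download step above turns on a file that looks like a PDF but is really a shortcut or archive. As an added example (not code from the article or from Proofpoint), this checks a download's leading bytes against its name; the header bytes and file names are constructed for the example.

```python
# Constructed header bytes for the formats involved (not samples from the
# campaign). An LNK file starts with a 0x4C header size followed by the Shell
# Link CLSID, a ZIP with "PK\x03\x04", a PDF with "%PDF".
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
ZIP_MAGIC = b"PK\x03\x04"
PDF_MAGIC = b"%PDF"

SIGNATURES = [("lnk", LNK_MAGIC), ("zip", ZIP_MAGIC), ("pdf", PDF_MAGIC)]


def detect_type(data: bytes) -> str:
    """Identify the real format from the leading bytes, ignoring the file name."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def assess_download(filename: str, data: bytes) -> dict:
    """Flag a download that is presented as a PDF but is really a shortcut or
    archive. Windows hides known extensions by default, so a constructed name
    like "Tax_Guide.pdf.lnk" is displayed as "Tax_Guide.pdf"."""
    actual = detect_type(data)
    parts = filename.lower().split(".")
    claimed = parts[-1] if len(parts) > 1 else ""
    presented_as_pdf = "pdf" in parts[1:]
    return {
        "actual_type": actual,
        "claimed_type": claimed,
        # Name says one format, bytes say another.
        "extension_mismatch": actual not in ("unknown", claimed),
        # A "PDF" that is really an LNK or ZIP is the pattern described above.
        "disguised": presented_as_pdf and actual in ("lnk", "zip"),
    }
```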

Download that looks like PDF file in your PC’s download folder (Proofpoint) (Kurt "CyberGuy" Knutsson)

Voldemort uses Google Sheets to store data

Once the malware has successfully infected your Windows device, it can:

  • Ping: Check if it’s still connected to its control server
  • Dir: Get a list of files and folders on your system
  • Download: Send files from your system to the control server
  • Upload: Put files from the control server onto your system
  • Exec: Run specific commands or programs on your system
  • Copy: Copy files or folders on your system
  • Move: Move files or folders around on your system
  • Sleep: Pause its activity for a set time
  • Exit: Stop running on your system

The malware uses Google Sheets as its command-and-control center, receiving new instructions from it and storing stolen data in it. Each infected device writes its data to designated cells in the Google Sheet, identified by a unique ID so the operators can manage many victims at once.

Voldemort talks to Google's Sheets API using an embedded client ID, client secret and refresh token stored in its encrypted configuration. This lets the malware communicate reliably without raising suspicion, because Google Sheets is widely used in businesses and is difficult for security tools to block outright.
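Because the Sheets API itself cannot simply be blocked, a defender's signal is which process is talking to it. As an added example (not from the article or Proofpoint), this scans proxy log lines for non-browser processes hitting Google's OAuth token endpoint and the Sheets API; the log format, the allowlist and the process name "taxguide_helper.exe" are all constructed assumptions.

```python
import re

# Constructed endpoint-proxy log lines in an assumed key=value format;
# "taxguide_helper.exe" is a placeholder process name, not one from the report.
LOG_LINES = """\
ts=2024-08-20T10:01:02Z host=WS01 proc=chrome.exe dst=sheets.googleapis.com path=/v4/spreadsheets/abc123/values/Sheet1!A1
ts=2024-08-20T10:01:09Z host=WS01 proc=taxguide_helper.exe dst=oauth2.googleapis.com path=/token
ts=2024-08-20T10:01:10Z host=WS01 proc=taxguide_helper.exe dst=sheets.googleapis.com path=/v4/spreadsheets/abc123/values/Sheet1!B2
ts=2024-08-20T10:01:30Z host=WS02 proc=outlook.exe dst=outlook.office365.com path=/owa/
ts=2024-08-20T10:02:15Z host=WS02 proc=msedge.exe dst=oauth2.googleapis.com path=/token
""".splitlines()

# Google's OAuth token endpoint and Sheets API host are legitimate and heavily
# used, so the signal is the originating process, not the destination.
GOOGLE_API_HOSTS = {"oauth2.googleapis.com", "sheets.googleapis.com"}
# Processes expected to use these hosts in this environment (assumed allowlist).
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))


def find_suspect_sheets_clients(lines) -> dict:
    """Map (host, process) to the Google API hosts it contacted, for processes
    outside the allowlist."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec.get("dst") not in GOOGLE_API_HOSTS:
            continue
        if rec.get("proc", "").lower() in ALLOWED_PROCESSES:
            continue
        hits.setdefault((rec["host"], rec["proc"]), set()).add(rec["dst"])
    return hits


def high_confidence(hits: dict) -> list:
    """Processes that both refreshed an OAuth token and used the Sheets API,
    matching the embedded-refresh-token behaviour described above."""
    return sorted(k for k, hosts in hits.items() if hosts == GOOGLE_API_HOSTS)
```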

4 ways to protect yourself from malware attacks

Malware is becoming more complex, but you don't have to be vulnerable. Here are some tips to safeguard yourself from such attacks.

To detect fraudulent emails that contain malware, carefully examine them. Although hackers are skilled in technology, their language proficiency is often lacking. For instance, in the images provided, you can observe errors such as "Taxplayers" instead of "Taxpayers." Government agencies rarely make these types of mistakes.

Verify that the email domain corresponds with the organization it claims to represent. For instance, an email from the IRS should have an address ending in "@irs.gov." Be wary of slight misspellings or variations in the domain.
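The domain check above applies directly to the sender address quoted earlier, where "irs.gov" appears in the local part but the real domain is amecaindustrial.com. As an added example (not code from the article), this parses such an address and flags both a mismatched domain and an agency domain smuggled into the local part; the agency domain table is an assumption for the example.

```python
# Sender address quoted in the article, written "defanged" ("[.]" for ".").
SAMPLE_SENDER = "no_reply_irs[.]gov@amecaindustrial[.]com"

# Domains the impersonated agencies actually send from (assumed table for the
# example; a real deployment would build it from authoritative sources).
AGENCY_DOMAINS = {
    "IRS": "irs.gov",
    "HMRC": "hmrc.gov.uk",
}


def refang(address: str) -> str:
    """Restore real dots in a defanged address so it can be parsed."""
    return address.replace("[.]", ".")


def domain_matches(actual: str, expected: str) -> bool:
    """True if actual is the expected domain or a subdomain of it (mail.irs.gov)."""
    return actual == expected or actual.endswith("." + expected)


def check_sender(address: str, claimed_agency: str) -> dict:
    """Compare the domain that really controls delivery (everything after the
    last '@') with the agency the message claims to come from."""
    addr = refang(address).lower()
    local_part, _, domain = addr.rpartition("@")
    expected = AGENCY_DOMAINS[claimed_agency]
    # "no_reply_irs.gov@..." puts the agency's domain in the local part, where
    # it has no bearing on who actually sent the mail.
    lookalike_in_local = expected in local_part
    matches = domain_matches(domain, expected)
    return {
        "domain": domain,
        "matches_agency": matches,
        "lookalike_in_local_part": lookalike_in_local,
        "suspicious": (not matches) or lookalike_in_local,
    }
```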

Consider investing in data removal services to protect yourself from hackers who target you based on your publicly available information, such as leaked data from a data breach or information provided to an e-commerce shop. Check out my top picks for data removal services here.

Installing strong antivirus software on your device can safeguard you from receiving scam emails, opening malicious attachments, or clicking on harmful links. The best way to protect yourself from malicious links that can infect your devices with malware and steal your private information is to have antivirus software installed on all your devices. I can provide you with my top picks for the best 2024 antivirus protection for your Windows, Mac, Android, and iOS devices.

Kurt’s key takeaway

The techniques used in the attack resemble those of groups suspected of espionage, although researchers are not certain of the attribution. The scale and sophistication of the attack are cause for concern, since anyone without technical knowledge could easily fall victim and lose personal data and money. The attack specifically targets Windows users, raising questions about Microsoft's security framework.

What are some steps organizations can take to safeguard individuals from malware attacks? Please share your thoughts by emailing us at Cyberguy.com/Contact.

To receive my tech tips and security alerts, sign up for my free CyberGuy Report Newsletter at Cyberguy.com/Newsletter.


Copyright 2024 CyberGuy.com. All rights reserved.

by Kurt Knutsson, CyberGuy Report
