Proofpoint uncovers 'Voldemort' malware linked to TA415

Proofpoint researchers have identified a sophisticated malware campaign known as "Voldemort", linked to the China-aligned threat group TA415 (BrassTyphoon), targeting various sectors globally.

The campaign, first observed in early August 2024, has affected more than 70 organisations worldwide. The attackers use a mix of typical and unconventional command and control (C2) methods, including the use of Google Sheets, to deliver the malware, which is purportedly designed for espionage rather than financial gain.

Proofpoint reported that the activities involved impersonating tax authorities from several countries, including the Internal Revenue Service (IRS) in the United States, India's Income Tax Department, and Japan's National Tax Agency. These impersonations were used as a lure to distribute the malware.

The malware in question, dubbed Voldemort, features unusual, customised functionalities and leverages Google Sheets for C2 communications. It also uses a saved search file on an external share. It is used to target various sectors, with nearly 25% of affected organisations being insurance companies. This activity highlights the overlap between espionage actors and financially motivated cybercriminals.

Despite the uncommon volume of targeting from an advanced persistent threat (APT) actor, Proofpoint noted that this was not unprecedented, citing similar activity by the Russia-aligned threat actor TA422 in 2023.

The campaign began on 5 August 2024 and involved over 20,000 messages directed at more than 70 organisations globally. Initially, a few hundred messages were sent daily, but this increased significantly on 17 August to almost 6,000 messages in a day.

The emails impersonated tax authorities, notifying recipients about changes to their tax filings. Authorities from countries including the United States, United Kingdom, France, Germany, and Italy were mimicked. From 19 August onwards, Indian and Japanese tax agencies were also impersonated. Each email was customised in the language of the impersonated authority.

Proofpoint research showed that the threat actor correlated the language of the emails with publicly available information about specific targets, aiming at individuals based on their country of residence. Some mix-ups occurred when victims shared uncommon names with more publicly known individuals.

In using methods typical of cybercrime, this campaign is unusual for an APT. It involved methods such as abusing file schema URIs for malware staging via WebDAV and SMB and leveraging Cloudflare Tunnels without an account. These techniques resemble those used for cybercriminal activities rather than purely espionage.

While Proofpoint has not attributed this activity to a specific known threat actor, the malware's functionality and data suggest information gathering was a principal aim. The campaign's characteristics indicate espionage more than financial motivation, although the actual objectives remain unclear.

The combined use of sophisticated and basic techniques in this campaign poses challenges in assessing the threat actor's capabilities and intentions. The extensive distribution of malicious emails may obscure the true targets, with the possibility of multiple actors of varying skill levels being involved.

This campaign's techniques mirror those adopted by multiple cybercriminal actors, suggesting that suspected espionage operators use tactics common in financially motivated attacks. Future activities may alter this assessment, underlining the evolving nature of cyber threats.

Defending against these tactics involves restricting access to external file sharing services, blocking unnecessary network connections to services like TryCloudflare, and monitoring suspicious activities. Proofpoint has communicated with industry colleagues regarding these abuses to improve collaborative defence efforts.