Voldemort

APT41 has also been observed using URL shorteners in their phishing messages. The shortened URL redirects to their malware hosted on free hosting app subdomains.

Chinese state-aligned hackers have ramped up espionage efforts against Taiwan's semiconductor ecosystem through spear-phishing campaigns... UNK_FistBump used job-themed lures, posing as graduate students applying for positions. The attackers sent phishing emails from compromised Taiwanese university email accounts to HR and recruiting teams at semiconductor companies. Attached documents led to malware-laced ZIP or PDF files hosted on file-sharing platforms such as Zendesk and Filemail.

The messages contain Google AMP Cache URLs that redirect to a landing page hosted on InfinityFree, or later in the campaign, linking directly to the landing page.

The commands the malware supports are as follows: Ping Dir Download Upload Exec Copy Move Sleep Exit

If the LNK is executed, it will invoke PowerShell to run Python.exe from a third WebDAV share on the same tunnel (\library\), passing a Python script on a fourth share (\resource\) on the same host as an argument.

“...runs a VBS script Store.vbs…” / “Execution… runs another VBS file also called Store.vbs…”

This causes Python to run the script without downloading any files to the computer, with dependencies being loaded directly from the WebDAV share.

“Execution of the… LNK file… runs a VBS script… [and] opens a decoy document…” / “Upon execution… scheduled task… created…”

This will result in displaying a Windows shortcut file... If the LNK is executed, it will invoke PowerShell to run Python.exe from a third WebDAV share on the same tunnel.

To decrypt strings, the malware relies on an algorithm that looks very similar to XTEA... With API calls resolved, the malware continues by decrypting its own configuration... decrypted via an XOR cipher using the executable name “CiscoCollabHost.exe”.

The malware then has a routine to dynamically invoke APIs that is relatively unique. To resolve functions and call them, the malware passes a DLL handle, a callback to a function, and the arguments to the function it’s trying to call.

It also uses a PDF icon to masquerade as a different file type. These two techniques may lead the recipient to believe it is a local PDF file, which may increase the likelihood of clicking on the content.

“...decrypts the RC4-encrypted Cobalt Strike Beacon payload from the rc4.log file using the key qwxsfvdtv…” / “...Base64-encoded and RC4-encrypted… using… CiscoCollabHost.exe as the RC4 key…” / “...payload which is XOR encoded with the key mysecretkey.”

If the User Agent contains "windows", the browser is redirected to a search-ms URI... prompting the victim to open Windows Explorer... The .search-ms file is never downloaded or displayed to the user but instead abuses the file format.

This SparkEntryPoint starts with a sleep mechanism of roughly 5 –10 minutes with a jitter amount to try and evade sandboxes that run for short periods of time.

These actions on Windows include: Collecting information about the computer using the Python function platform.uname(), including the computer name, Windows version information, and CPU information.

This SparkEntryPoint starts with a sleep mechanism of roughly 5 –10 minutes with a jitter amount to try and evade sandboxes that run for short periods of time.

It downloads a password-protected ZIP file called test.png or logo.png from OpenDrive saves it as %localappdata%\Microsoft\Windows\test.zip or logo.zip, and extracts the contents... using the password “test@123.”

The malware used DLL sideloading techniques and, in some cases, Google Sheets as a command-and-control channel... The malware communicated with C2 servers over TCP port 465 using FakeTLS and XOR encryption.

Rather than using dedicated infrastructure or even compromised infrastructure, the malware utilizes Google Sheets infrastructure for C2, data exfiltration and executing commands from the operators.

The malware used DLL sideloading techniques and, in some cases, Google Sheets as a command-and-control channel.

The exploited site delivered a malware payload, which we have dubbed “TOUGHPROGRESS”, that took advantage of Google Calendar for command and control (C2). Misuse of cloud services for C2 is a technique that many threat actors leverage in order to blend in with legitimate activity.

This will result in displaying a Windows shortcut file... hosted on the same TryCloudflare host, but in another WebDAV share, \pub\. ... If the LNK is executed, it will invoke PowerShell to run Python.exe from a third WebDAV share on the same tunnel (\library\), passing a Python script on a fourth share (\resource\). | Voldemort is a backdoor with capabilities for information gathering and can load additional payloads. Proofpoint observed Cobalt Strike hosted on the actor's infrastructure, and it is likely that is one of the payloads that would be delivered.

Sending data as base64 in a URL via a GET request to the same pingb.in IP... The malware utilizes Google Sheets infrastructure for C2, data exfiltration and executing commands from the operators.