'Voldemort' Malware Curses Orgs Using Global Tax Authorities

A sophisticated malware campaign dubbed "Voldemort," is targeting organizations worldwide by impersonating tax authorities in Europe, Asia, and the US.

This malicious activity has affected dozens of organizations worldwide, with more than 20,000 phishing messages reported since its inception on Aug. 5, according to a report from Proofpoint.

The malware is a custom backdoor written in C, designed for data exfiltration and deploying additional malicious payloads.

The attack utilizes Google Sheets for command and control (C2) communications and files laced with malicious Windows search protocol. Once the victim downloads the malware, it uses a legitimate version of WebEx software to load a DLL that communicates with the C2 server.

Voldemort Transforms Into Tax Authorities

The researchers said the campaign escalated significantly on Aug. 17, when nearly 6,000 phishing emails were sent in a single day, primarily impersonating tax agencies.

These included the US Internal Revenue Service (IRS), the UK’s HM Revenue & Customs, and France's Direction Générale des Finances Publiques, among others. Each phishing email was crafted in the native language of the respective tax authority, adding a layer of credibility to the lures.

The emails, sent from what appear to be compromised domains, included the legitimate domain names of the tax agencies to further enhance their authenticity.

The report noted that the campaign's ultimate objective remains unclear, but Proofpoint researchers said they believe it's likely aimed at espionage, given Voldemort’s intelligence-gathering capabilities and potential for deploying additional payloads.

Google Users Highly Susceptible to Malicious Spells

Mayuresh Dani, manager, security research, at Qualys Threat Research Unit, says organizations that use Google in their ecosystem are more likely to face risk to Voldemort, since the company's platforms would be in the allowed list.

"Unless organizations are monitoring for traffic to specified [indicators of compromise], these attacks would largely fly under the radar," he notes.

Dani explains this is a known technique identified as T1567.002 in the MITRE ATT&CK framework, and recommends that organizations monitor for network connections to cloud services associated with non-browser processes, as well as large amounts of network connections to cloud services.

Meanwhile, Omri Weinberg, co-founder and CRO at DoControl, says that verifying the authenticity of government communications is challenging, especially given how convincing these impersonations can be.

"Organizations should establish clear protocols for handling sensitive requests or notifications, particularly those related to financial matters," he explains. "This might include always verifying through a separate, known-good channel before taking action."

He added that it is crucial to educate employees about these types of impersonation attacks.

"They should know to be suspicious of unsolicited communications, especially those creating a sense of urgency," he said.

While implementing DMARC and other email authentication protocols can help filter out some spoofed emails, Weinberg stressed that user awareness remains key.

Security Best Practices Are a Good Defense Charm

Jason Soroko, senior fellow at Sectigo, says companies can protect against personalized phishing attacks by enhancing email filtering systems, and training employees to recognize and report suspicious emails.

He also recommends employing strong multi-factor authentication (MFA), and regularly updating and auditing the visibility of publicly available information to reduce exposure.

"Organizations should also employ advanced endpoint detection and response tools, enforce strict network segmentation, apply regular security patches, monitor for abnormal behavior, and implement robust data encryption practices to safeguard sensitive information," he adds.

And finally, implementing email authentication protocols including DMARC, SPF, and DKIM can also help prevent impersonation-based attacks, as well as S/MIME certificates for ensuring the legitimacy of email sender identities within an organization, he stresses.