A sophisticated global espionage operation has been identified utilizing legitimate cloud productivity tools to disguise malicious command and control traffic. The campaign has successfully targeted over 70 high-value organizations across multiple industrial sectors including aerospace and transport.
The malware, identified as Voldemort, initiates its infection via a malicious document that fetches a secondary payload. Once active on a system, it utilizes the Google Sheets API to communicate with its controllers. By writing commands to and reading instructions from specific cells in a private spreadsheet, the malware avoids detection by traditional network monitoring tools that treat traffic to Google domains as trusted.
The use of legitimate cloud APIs for C2 is a strategic evolution in stealth. Because many organizations allow unfettered access to productivity suites, the malware can exfiltrate data and receive updates while blending seamlessly into the encrypted traffic of daily business operations.
– Monitor for anomalous API calls to Google Sheets originating from unauthorized non-browser processes.
– Implement strict application whitelisting to prevent the execution of unauthorized binaries in the %TEMP% and %APPDATA% directories.
– Utilize behavioral analysis to detect the atypical use of cloud APIs for non-business-related data transfers.
– Update security awareness training to highlight the risks of interacting with unsolicited documents that request the execution of macros or external scripts.
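An added detection example for the first two recommendations, not part of this post or any vendor tooling: it scans constructed endpoint network events (an assumed JSON-per-line schema) for non-browser processes reaching the Sheets API, escalates when the binary runs from %TEMP% or %APPDATA%, and counts repeated calls so periodic polling of a spreadsheet stands out.

```python
import json

BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allowlist
SHEETS_HOSTS = {"sheets.googleapis.com"}                          # Sheets API endpoint
SUSPECT_DIR_MARKER = "\\appdata\\"  # covers %APPDATA% and %TEMP% (AppData\Local\Temp)

# Constructed sample telemetry (assumed field names); not real captured traffic.
SAMPLE_LOG = r"""
{"ts":"2024-08-01T09:00:01Z","host":"ws-17","proc":"chrome.exe","path":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest":"sheets.googleapis.com"}
{"ts":"2024-08-01T09:03:44Z","host":"ws-17","proc":"svc_update.exe","path":"C:\\Users\\alice\\AppData\\Local\\Temp\\svc_update.exe","dest":"sheets.googleapis.com"}
{"ts":"2024-08-01T09:03:50Z","host":"ws-17","proc":"outlook.exe","path":"C:\\Program Files\\Microsoft Office\\root\\Office16\\outlook.exe","dest":"outlook.office365.com"}
{"ts":"2024-08-01T09:04:44Z","host":"ws-17","proc":"svc_update.exe","path":"C:\\Users\\alice\\AppData\\Local\\Temp\\svc_update.exe","dest":"sheets.googleapis.com"}
{"ts":"2024-08-01T09:10:02Z","host":"ws-22","proc":"python.exe","path":"C:\\Program Files\\Python312\\python.exe","dest":"sheets.googleapis.com"}
"""


def detect_sheets_c2(log_text):
    """Return one alert per (host, binary path) that reaches the Sheets API
    from a process other than an allowlisted browser. Events are counted so
    repeated polling of a spreadsheet stands out from a one-off call."""
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["dest"].lower() not in SHEETS_HOSTS:
            continue  # not Sheets traffic; out of scope for this rule
        proc, path = ev["proc"].lower(), ev["path"].lower()
        if proc in BROWSER_PROCESSES:
            continue  # interactive browser use of Sheets is expected
        key = (ev["host"], path)
        if key not in alerts:
            reasons = ["non-browser process calling the Sheets API"]
            if SUSPECT_DIR_MARKER in path:
                reasons.append("binary runs from %APPDATA%/%TEMP%")
            alerts[key] = {"host": ev["host"], "proc": proc, "path": ev["path"],
                           "reasons": reasons,
                           "severity": "high" if len(reasons) > 1 else "medium",
                           "events": 0}
        alerts[key]["events"] += 1
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_sheets_c2(SAMPLE_LOG):
        print(a["severity"], a["host"], a["proc"], a["events"], "; ".join(a["reasons"]))
```

Legitimate automation (service accounts, scripted reporting) will also trip the medium rule, so tune the allowlist per host rather than globally.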
When the attacker lives in the cloud, the network perimeter is no longer a viable detection boundary; defense must move to the endpoint and identity layer. #CodeDefence #Voldemort #GoogleSheets #C2 #Espionage