A new malware has been detected by security researchers that is suspected of conducting espionage. Hackers infect devices by impersonating government agencies, usually tax agencies such as the Internal Revenue Service (IRS). Once the malicious software is on a PC, it can gather intelligence (collecting personal data, passwords and more), download additional malicious software and upload data to the hacker’s server. It does all this while using Google Sheets to avoid suspicion and store data.

GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE

New Harry Potter-named malware strikes, revealing global espionage campaign

Illustration of computer being hacked by malware (Kurt "CyberGuy" Knutsson)

It all starts with a fake email

The hackers behind the malware, called "Voldemort," have cleverly designed it to avoid getting caught. Just like the name Voldemort spelled trouble in J.K. Rowling’s Harry Potter series, it’s causing issues in the cybersecurity world, too.

The cyberattack kicks off when you receive an email that looks like it’s from a government tax agency. According to Proofpoint, the hackers behind this campaign have been impersonating tax agencies in various countries, including the U.S. (IRS), the U.K. (HM Revenue & Customs), France (Direction Générale des Finances Publiques), Germany (Bundeszentralamt für Steuern), Italy (Agenzia delle Entrate) and, as of Aug. 19, India (Income Tax Department) and Japan (National Tax Agency). Each email lure was customized and written in the language of the tax authority being impersonated.

Proofpoint analysts found that the hackers tailored their phishing emails to match the target’s country of residence based on publicly available information rather than the organization’s location or the language suggested by the email address. For example, some targets in a European organization received emails impersonating the IRS because they were linked to the U.S. in public records. In some cases, the hackers mixed up the country of residence when the target shared a name with a more prominent individual.

The email also tries to mimic the email of the government agency. For example, the U.S. folks were sent fake emails using "no_reply_irs[.]gov@amecaindustrial[.]com."

New Harry Potter-named malware strikes, revealing global espionage campaign

Email that tries to mimic the email of a government agency (Proofpoint) (Kurt "CyberGuy" Knutsson)

The attack cleverly unfolds on your device

In the fake email, hackers impersonating the government warn you about changes in the tax rates and tax systems and ask you to click a link to read a detailed guide. Clicking on the link brings you to a landing page, which uses Google AMP Cache URLs to redirect you to a page with a "Click to view document" button.

After you click the button, the hackers check if you’re using a Windows device. If you are, you’ll be redirected to another page. When you interact with that page, it triggers a download that looks like a PDF file in your PC’s download folder, but it’s actually an LNK or ZIP file hosted on an external server.

When you open the file, it runs a Python script from another server without actually downloading the script to your computer. This script collects system information to profile you, while a fake PDF opens to hide the malicious activity.

New Harry Potter-named malware strikes, revealing global espionage campaign

Download that looks like PDF file in your PC’s download folder (Proofpoint) (Kurt "CyberGuy" Knutsson)

Voldemort uses Google Sheets to store data

Once the malware has successfully infected your Windows device, it can:

  • Ping: Check if it’s still connected to its control server
  • Dir: Get a list of files and folders on your system
  • Download: Send files from your system to the control server
  • Upload: Put files from the control server onto your system
  • Exec: Run specific commands or programs on your system
  • Copy: Copy files or folders on your system
  • Move: Move files or folders around on your system
  • Sleep: Pause its activity for a set time
  • Exit: Stop running on your system

The malware uses Google Sheets as its command center, where it gets new instructions and stores stolen data. Each infected device sends its data to specific cells in the Google Sheet, marked by unique IDs to keep everything organized.

Voldemort interacts with Google Sheets through Google’s API, using an embedded client ID, secret and refresh token stored in its encrypted settings. This method gives the malware a reliable way to communicate without raising suspicion since Google Sheets is widely used in businesses, making it hard for security tools to block it.

HOW TO RECOGNIZE AND AVOID BEING A VICTIM OF VACATION RENTAL SCAMS

4 ways to protect yourself from malware attacks

Hackers are releasing increasingly sophisticated malware, but that doesn’t mean you’re defenseless. Below are some tips to help protect yourself from such attacks.

1) Read sensitive emails carefully: The best way to spot fake emails that deliver malware is to check them carefully. While hackers may be tech-savvy, their language skills often aren’t perfect. For example, in the screenshots above, you can see typos like "Taxplayers" instead of "Taxpayers." Government agencies don’t usually make these kinds of mistakes.

2) Check email domain: Verify that the email domain matches the organization it claims to represent. For example, an email from the IRS should come from an address ending in "@irs.gov." Be cautious of slight misspellings or variations in the domain.

3) Invest in data removal services: Hackers target you based on your publicly available information. That could be anything from your leaked info through a data breach to the information you provided to an e-commerce shop. Check out my top picks for data removal services here.

4) Have strong antivirus software: If you have strong antivirus software installed on your device, it can protect you when you receive these types of scam emails or accidentally open the attachment or click a link. The best way to protect yourself from clicking malicious links that install malware that may get access to your private information is to have antivirus protection installed on all your devices. This can also alert you of any phishing emails or ransomware scams. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

SUBSCRIBE TO KURT’S YOUTUBE CHANNEL FOR QUICK VIDEO TIPS ON HOW TO WORK ALL OF YOUR TECH DEVICES

Kurt’s key takeaway

While researchers can’t say for sure, many of the techniques used by the malware are similar to those employed by hackers suspected of espionage. Even if this assessment turns out to be incorrect, the scale and sophistication of the attack are concerning. Anyone without technical knowledge could easily fall victim and lose personal data and money. This attack specifically targets Windows users, which also raises questions about Microsoft’s security framework.

What measures do you think organizations should implement to better protect individuals from malware attacks? Let us know by writing us at Cyberguy.com/Contact.

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.

Ask Kurt a question or let us know what stories you'd like us to cover.

Follow Kurt on his social channels:

Answers to the most asked CyberGuy questions:

New from Kurt:

Copyright 2024 CyberGuy.com. All rights reserved.