The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort”

    Date: 09/02/2024

    Severity: Medium

    Summary

    "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers 'Voldemort'" explores a sophisticated espionage operation utilizing a malware strain codenamed "Voldemort." This malware is designed to covertly infiltrate and extract sensitive information from targeted organizations. The campaign, suspected to be state-sponsored or highly organized, leverages the malware to bypass security measures, conduct surveillance, and potentially disrupt operations. The report emphasizes the need for enhanced security practices to detect and mitigate such advanced threats.

    Indicators of Compromise (IOC) List

    URL/Domains

    pants-graphs-optics-worse.trycloudflare.com

    https://resource.infinityfreeapp.com/ABC_of_Tax.html

    https://sheets.googleapis.com:443/v4/spreadsheets/16JvcER-0TVQDimWV56syk91IMCYXOvZbW4GTnb947eE/

    https://od.lk/s/OTRfODM3MjM2NzVf/La_dichiarazione_precompilata_2024.pdf

    http://83.147.243.18/p/

    https://pubs.infinityfreeapp.com/IRS_P966.html

    https://od.lk/s/OTRfODM5Mzc3NjFf/irs-p966.pdf

    https://od.lk/s/OTRfODQ1NDc2MjZf/SA150_Notes_2024.pdf

    https://resource.infinityfreeapp.com/0023012-317.html

    https://pubs.infinityfreeapp.com/Notice_pour_remplir_la_N%C2%B0_2044.html

    https://pubs.infinityfreeapp.com/La_dichiarazione_precompilata_2024.html

    https://od.lk/s/OTRfODQ1Njk2ODVf/2044_4765.pdf

    https://pubs.infinityfreeapp.com/SA150_Notes_2024.html

    https://pubs.infinityfreeapp.com/Steuerratgeber.html

    https://od.lk/s/OTRfNzQ5NjQwOTJf/test.png

    https://od.lk/s/OTRfODQ1NzA0Mjlf/einzelfragen_steuerbescheinigungen_de.pdf

    https://od.lk/s/OTRfODQ4ODE4OThf/logo.png

    https://od.lk/s/OTRfODQ5MzQ5Mzlf/ABC_of_Tax.pdf

    Hash

    0b3235db7e8154dd1b23c3bed96b6126d73d24769af634825d400d3d4fe8ddb9
    
    fa383eac2bf9ad3ef889e6118a28aa57a8a8e6b5224ecdf78dcffc5225ee4e1f

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname like "pants-graphs-optics-worse.trycloudflare.com" or url like "pants-graphs-optics-worse.trycloudflare.com" or userdomainname like "https://resource.infinityfreeapp.com/ABC_of_Tax.html" or url like "https://resource.infinityfreeapp.com/ABC_of_Tax.html" or userdomainname like "https://sheets.googleapis.com:443/v4/spreadsheets/16JvcER-0TVQDimWV56syk91IMCYXOvZbW4GTnb947eE/" or url like "https://sheets.googleapis.com:443/v4/spreadsheets/16JvcER-0TVQDimWV56syk91IMCYXOvZbW4GTnb947eE/" or userdomainname like "https://od.lk/s/OTRfODM3MjM2NzVf/La_dichiarazione_precompilata_2024.pdf" or url like "https://od.lk/s/OTRfODM3MjM2NzVf/La_dichiarazione_precompilata_2024.pdf" or userdomainname like "http://83.147.243.18/p/" or url like "http://83.147.243.18/p/" or userdomainname like "https://pubs.infinityfreeapp.com/IRS_P966.html" or url like "https://pubs.infinityfreeapp.com/IRS_P966.html" or userdomainname like "https://od.lk/s/OTRfODM5Mzc3NjFf/irs-p966.pdf" or url like "https://od.lk/s/OTRfODM5Mzc3NjFf/irs-p966.pdf" or userdomainname like "https://od.lk/s/OTRfODQ1NDc2MjZf/SA150_Notes_2024.pdf" or url like "https://od.lk/s/OTRfODQ1NDc2MjZf/SA150_Notes_2024.pdf" or userdomainname like "https://resource.infinityfreeapp.com/0023012-317.html" or url like "https://resource.infinityfreeapp.com/0023012-317.html" or userdomainname like "https://pubs.infinityfreeapp.com/Notice_pour_remplir_la_N%C2%B0_2044.html" or url like "https://pubs.infinityfreeapp.com/Notice_pour_remplir_la_N%C2%B0_2044.html" or userdomainname like "https://pubs.infinityfreeapp.com/La_dichiarazione_precompilata_2024.html" or url like "https://pubs.infinityfreeapp.com/La_dichiarazione_precompilata_2024.html" or userdomainname like "https://od.lk/s/OTRfODQ1Njk2ODVf/2044_4765.pdf" or url like "https://od.lk/s/OTRfODQ1Njk2ODVf/2044_4765.pdf" or userdomainname like "https://pubs.infinityfreeapp.com/SA150_Notes_2024.html" or url like "https://pubs.infinityfreeapp.com/SA150_Notes_2024.html" or userdomainname like "https://pubs.infinityfreeapp.com/Steuerratgeber.html" or url like "https://pubs.infinityfreeapp.com/Steuerratgeber.html" or userdomainname like "https://od.lk/s/OTRfNzQ5NjQwOTJf/test.png" or url like "https://od.lk/s/OTRfNzQ5NjQwOTJf/test.png" or userdomainname like "https://od.lk/s/OTRfODQ1NzA0Mjlf/einzelfragen_steuerbescheinigungen_de.pdf" or url like "https://od.lk/s/OTRfODQ1NzA0Mjlf/einzelfragen_steuerbescheinigungen_de.pdf" or userdomainname like "https://od.lk/s/OTRfODQ4ODE4OThf/logo.png" or url like "https://od.lk/s/OTRfODQ4ODE4OThf/logo.png" or userdomainname like "https://od.lk/s/OTRfODQ5MzQ5Mzlf/ABC_of_Tax.pdf" or url like "https://od.lk/s/OTRfODQ5MzQ5Mzlf/ABC_of_Tax.pdf"

    Hash

    sha256hash IN ("0b3235db7e8154dd1b23c3bed96b6126d73d24769af634825d400d3d4fe8ddb9","fa383eac2bf9ad3ef889e6118a28aa57a8a8e6b5224ecdf78dcffc5225ee4e1f")
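    As an added example (not part of this advisory, and not Gurucul's TDIR query language), the following Python matcher runs the IOC list above over constructed proxy and file-hash log records. It covers two points the flat query glosses over: the same URL reaches the log in slightly different forms (upper-case host, an explicit :443, a query string appended), so both the log value and the IOC value are normalized before comparison; and sheets.googleapis.com and od.lk are shared services, so for those two hosts only the full listed URL is matched, not the host, to avoid flagging legitimate Google Sheets or od.lk traffic. The record schema (ts, src, url, sha256) and the sample records are assumptions made for the example.

```python
"""Match constructed web-proxy and file-hash records against the Voldemort
IOC list from the advisory above. Added example; record schema is assumed."""
from urllib.parse import urlsplit

# IOC values copied verbatim from the advisory's IOC list.
IOC_URLS = {
    "pants-graphs-optics-worse.trycloudflare.com",
    "https://resource.infinityfreeapp.com/ABC_of_Tax.html",
    "https://sheets.googleapis.com:443/v4/spreadsheets/16JvcER-0TVQDimWV56syk91IMCYXOvZbW4GTnb947eE/",
    "https://od.lk/s/OTRfODM3MjM2NzVf/La_dichiarazione_precompilata_2024.pdf",
    "http://83.147.243.18/p/",
    "https://pubs.infinityfreeapp.com/IRS_P966.html",
    "https://od.lk/s/OTRfODM5Mzc3NjFf/irs-p966.pdf",
    "https://od.lk/s/OTRfODQ1NDc2MjZf/SA150_Notes_2024.pdf",
    "https://resource.infinityfreeapp.com/0023012-317.html",
    "https://pubs.infinityfreeapp.com/Notice_pour_remplir_la_N%C2%B0_2044.html",
    "https://pubs.infinityfreeapp.com/La_dichiarazione_precompilata_2024.html",
    "https://od.lk/s/OTRfODQ1Njk2ODVf/2044_4765.pdf",
    "https://pubs.infinityfreeapp.com/SA150_Notes_2024.html",
    "https://pubs.infinityfreeapp.com/Steuerratgeber.html",
    "https://od.lk/s/OTRfNzQ5NjQwOTJf/test.png",
    "https://od.lk/s/OTRfODQ1NzA0Mjlf/einzelfragen_steuerbescheinigungen_de.pdf",
    "https://od.lk/s/OTRfODQ4ODE4OThf/logo.png",
    "https://od.lk/s/OTRfODQ5MzQ5Mzlf/ABC_of_Tax.pdf",
}
IOC_SHA256 = {
    "0b3235db7e8154dd1b23c3bed96b6126d73d24769af634825d400d3d4fe8ddb9",
    "fa383eac2bf9ad3ef889e6118a28aa57a8a8e6b5224ecdf78dcffc5225ee4e1f",
}

# Shared, legitimate services appearing in the IOC URLs: a host-only match on
# these would flag every Sheets API call or od.lk download, so they are
# matched on the full listed URL only.
SHARED_SERVICE_HOSTS = {"sheets.googleapis.com", "od.lk"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def host_of(url):
    """Lower-cased host of a URL; a bare hostname IOC is returned as-is."""
    if "://" not in url:
        return url.lower().rstrip("/")
    return (urlsplit(url).hostname or "").lower()


def normalize_url(url):
    """Canonical scheme://host[:port]/path so that the advisory's form and the
    log's form of one URL compare equal: host case, a default port, query
    string and fragment are all ignored."""
    if "://" not in url:
        return host_of(url)
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = "" if p.port in (None, DEFAULT_PORTS.get(scheme)) else f":{p.port}"
    return f"{scheme}://{host_of(url)}{port}{p.path or '/'}"


IOC_URLS_NORM = {normalize_url(u) for u in IOC_URLS}
IOC_HOSTS = {host_of(u) for u in IOC_URLS} - SHARED_SERVICE_HOSTS


def classify(record):
    """Return (kind, matched_value) if the record hits an IOC, else None.
    Records are dicts carrying either 'url' or 'sha256' (assumed schema)."""
    if "sha256" in record:
        digest = record["sha256"].lower()
        return ("sha256", digest) if digest in IOC_SHA256 else None
    url = record.get("url", "")
    norm = normalize_url(url)
    if norm in IOC_URLS_NORM:          # exact listed URL, most specific
        return ("url", norm)
    host = host_of(url)
    if host in IOC_HOSTS:              # attacker-controlled host, any path
        return ("host", host)
    return None


def scan(records):
    """Return [(record_index, kind, value)] for every record that matches."""
    hits = []
    for i, rec in enumerate(records):
        hit = classify(rec)
        if hit:
            hits.append((i, *hit))
    return hits


# Constructed sample telemetry (not real data).
SAMPLE_RECORDS = [
    {"ts": "2024-08-30T09:12:01Z", "src": "10.0.0.21",
     "url": "https://pubs.infinityfreeapp.com/IRS_P966.html"},
    {"ts": "2024-08-30T09:12:05Z", "src": "10.0.0.21",   # listed sheet, log form
     "url": "https://sheets.googleapis.com/v4/spreadsheets/16JvcER-0TVQDimWV56syk91IMCYXOvZbW4GTnb947eE/?alt=json"},
    {"ts": "2024-08-30T09:13:00Z", "src": "10.0.0.44",   # legitimate Sheets use
     "url": "https://sheets.googleapis.com/v4/spreadsheets/CONSTRUCTED-BENIGN-ID/"},
    {"ts": "2024-08-30T09:14:30Z", "src": "10.0.0.21",   # listed host, unlisted path
     "url": "HTTP://Pants-Graphs-Optics-Worse.TryCloudflare.com/some/path"},
    {"ts": "2024-08-30T09:15:00Z", "src": "10.0.0.21",   # listed hash, upper-case
     "sha256": "0B3235DB7E8154DD1B23C3BED96B6126D73D24769AF634825D400D3D4FE8DDB9"},
    {"ts": "2024-08-30T09:16:00Z", "src": "10.0.0.44",   # constructed benign hash
     "sha256": "00" * 32},
]

if __name__ == "__main__":
    for idx, kind, value in scan(SAMPLE_RECORDS):
        rec = SAMPLE_RECORDS[idx]
        print(f"{rec['ts']} src={rec['src']} {kind}={value}")
```

    Of the six constructed records, four match: the listed infinityfreeapp page, the listed Google Sheet despite the missing :443 and the added query string, the trycloudflare host under an unlisted path, and the upper-cased hash. The benign Sheets request and the benign hash do not.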

    Reference:

    https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort


    Tags

    MalwareExploit

