
New Harry Potter malware attacks reveal global espionage campaign

Security researchers have discovered new malware suspected of being used for espionage. The attackers infect devices by impersonating government agencies, typically tax agencies such as the Internal Revenue Service (IRS). Once on a computer, the malware can gather intelligence (personal information, passwords and more), download additional malware and upload stolen data to the attackers' server. It does all of this through Google Sheets, which lets it store data while blending in with ordinary business traffic.


Illustration of a computer hacked by malware (Kurt “CyberGuy” Knutsson)

It all starts with a fake email

The hackers behind the malware, dubbed “Voldemort,” cleverly designed it to avoid being caught. Just as the name Voldemort spelled trouble in J.K. Rowling’s Harry Potter series, it’s also causing problems in the cybersecurity world.

The attack begins when you receive an email that appears to come from a government tax agency. According to Proofpoint, the hackers behind this campaign impersonated tax agencies in various countries, including the US (IRS), the UK (HM Revenue & Customs), France (Direction Générale des Finances Publiques), Germany (Bundeszentralamt für Steuern), Italy (Agenzia delle Entrate) and, as of August 19, India (Income Tax Department) and Japan (National Tax Agency). Each email was customized and written in the language of the impersonated tax authority.

Proofpoint researchers found that the attackers tailored their phishing emails to the target's country of residence as inferred from publicly available information, rather than to the location of the organization or the language suggested by the email address. For example, some recipients at a European organization received emails posing as the IRS because public records linked them to the United States. In some cases the attackers got the country wrong because the target shared a name with a better-known person.

The sender address also tries to imitate a government agency. For example, people in the US received fake emails from "no_reply_irs(.)gov@amecaindustrial(.)com": the part before the "@" mimics irs.gov, but the actual sending domain is amecaindustrial(.)com.
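The mismatch in that address is mechanical enough to check automatically. The following Python is an added example (not code from this article or from Proofpoint) of a From: header check that flags a sender claiming a tax agency while sending from some other domain, and a real-looking domain smuggled into the part before the "@". The allowlist of official domains and the sample addresses are constructed for the example.

```python
from __future__ import annotations
import re
from email.utils import parseaddr

# Constructed allowlist for this example: domains the impersonated agencies really use.
OFFICIAL_DOMAINS = {
    "IRS": ("irs.gov",),
    "HMRC": ("hmrc.gov.uk",),
}
# Tokens in a display name, local part or domain that claim one of those agencies.
AGENCY_TOKENS = {
    "IRS": {"irs"},
    "HMRC": {"hmrc"},
}

def tokens(text: str) -> set[str]:
    """Split on anything that is not a letter or digit: 'no_reply_irs.gov' -> {'no','reply','irs','gov'}."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}

def under_domain(domain: str, official: tuple[str, ...]) -> bool:
    """True if domain is exactly an official domain or a subdomain of one."""
    return any(domain == o or domain.endswith("." + o) for o in official)

def check_from_header(from_header: str) -> dict:
    """Classify a From: header value. Returns {'address', 'verdict', 'reasons'}."""
    header = from_header.replace("(.)", ".")          # refang defanged samples
    display, address = parseaddr(header)
    if "@" not in address:
        return {"address": address, "verdict": "suspicious", "reasons": ["no parsable address"]}
    local, domain = address.rsplit("@", 1)
    local, domain = local.lower(), domain.lower()
    reasons = []

    # Which agencies does the header claim, anywhere in the visible text?
    seen = tokens(display) | tokens(local) | tokens(domain)
    for agency, toks in sorted(AGENCY_TOKENS.items()):
        if toks & seen and not under_domain(domain, OFFICIAL_DOMAINS[agency]):
            reasons.append(f"claims {agency} but the sending domain is {domain}")

    # A real domain smuggled into the local part, e.g. no_reply_irs.gov@attacker.example
    for official in (o for offs in OFFICIAL_DOMAINS.values() for o in offs):
        if official in local:
            reasons.append(f"official domain '{official}' appears before the '@'")

    return {"address": address, "verdict": "suspicious" if reasons else "ok", "reasons": reasons}

if __name__ == "__main__":
    # Constructed samples; the first is the pattern quoted above, defanged.
    for sample in (
        "no_reply_irs(.)gov@amecaindustrial(.)com",
        "Internal Revenue Service <noreply@irs.gov>",
        "IRS Notice <notice@irs-gov.com>",
        "Tax Office <refunds@mail.irs.gov>",
    ):
        r = check_from_header(sample)
        print(f"{r['verdict']:10} {r['address']}  {'; '.join(r['reasons'])}")
```

The check deliberately looks only at what comes after the last "@": a display name of "Internal Revenue Service" or a local part of "no_reply_irs.gov" carries no authority, and a subdomain of the official domain (mail.irs.gov) is accepted while a lookalike (irs-gov.com) is not.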

Email that tries to imitate a government agency email (Proofpoint) (Kurt “CyberGuy” Knutsson)

The attack is cleverly carried out on your device

In the fake email, the attackers, posing as the government, warn you about changes to tax rates and tax systems and ask you to click a link to read a detailed guide. The link goes through a Google AMP Cache URL, which redirects you to a landing page with a button that says “Click to view document.”

Once you click the button, the page checks your browser’s User-Agent to see whether you’re using a Windows device. If so, you’re redirected to another page. When you interact with that page, it opens a Windows Explorer window (via the search-ms: protocol handler) that appears to show a PDF in your Downloads folder, but the file is actually an LNK or ZIP hosted on an external WebDAV share.

When you open the file, it launches PowerShell, which runs a Python script fetched from another remote share without first saving the script to your disk. This script collects system information to profile you, while a decoy PDF opens to hide the malicious activity.
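To make the redirect and lure mechanics concrete, here is an added Python example (not from this article or from Proofpoint) with two analyst helpers: one that unwraps a Google AMP cache or viewer URL to reveal the real landing-page address, and one that parses a search-ms: URI and reports whether the location it opens is a remote UNC share rather than a local folder. The URLs and the search-ms parameters are constructed; the campaign's actual values are not on this page.

```python
from __future__ import annotations
from urllib.parse import urlsplit, unquote

def unwrap_amp(url: str) -> str | None:
    """
    Return the publisher URL behind a Google AMP viewer or AMP cache URL, or None
    if the URL is not an AMP wrapper. Forms handled:
      https://www.google.com/amp/s/<host>/<path>                        (viewer; 's/' means https)
      https://<host-with-dashes>.cdn.ampproject.org/c/s/<host>/<path>   (cache; /c/ content, /v/ viewer)
      https://cdn.ampproject.org/c/s/<host>/<path>
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    if host == "www.google.com" and path.startswith("/amp/"):
        rest = path[len("/amp/"):]
    elif host == "cdn.ampproject.org" or host.endswith(".cdn.ampproject.org"):
        # Cache paths begin with a single-letter type segment such as "/c/" or "/v/".
        if len(path) < 4 or path[0] != "/" or path[2] != "/":
            return None
        rest = path[3:]
    else:
        return None
    scheme = "http"
    if rest.startswith("s/"):
        scheme, rest = "https", rest[2:]
    if not rest:
        return None
    target = f"{scheme}://{rest}"
    return target + ("?" + parts.query if parts.query else "")

def searchms_location(uri: str) -> dict | None:
    """
    Parse a search-ms: URI (the Windows Explorer search protocol handler) and report
    where it points. 'crumb=location:<path>' decides what Explorer lists; a UNC path
    (\\\\server\\share) means the listed files live on a remote share even though the
    window is titled with whatever 'displayname' says, for example "Downloads".
    """
    if not uri.lower().startswith("search-ms:"):
        return None
    params = {}
    for pair in uri[len("search-ms:"):].split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key.strip().lower()] = unquote(value)
    crumb = params.get("crumb", "")
    location = crumb[len("location:"):] if crumb.lower().startswith("location:") else ""
    return {
        "displayname": params.get("displayname", ""),
        "location": location,
        "remote": location.startswith("\\\\"),
    }

if __name__ == "__main__":
    # Constructed examples, not the campaign's real URLs.
    print(unwrap_amp("https://www-example-com.cdn.ampproject.org/c/s/www.example.com/tax-guide?id=42"))
    print(unwrap_amp("https://www.google.com/amp/s/lure.example/click-to-view"))
    print(searchms_location(r"search-ms:query=*.pdf&crumb=location:\\files.example.invalid\share&displayname=Downloads"))
```

In a mail gateway or sandbox, unwrapping the AMP URL before reputation lookup matters because the visible link is on a Google-owned host; the search-ms parser is useful when triaging the HTML of the second-stage page, where the `crumb` location is the indicator that the "Downloads" view is really a WebDAV share.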

The PDF-looking file, displayed as if it were in your computer’s downloads folder (Proofpoint) (Kurt “CyberGuy” Knutsson)

Voldemort uses Google Sheets to store data

Once the malware has infected your Windows device, it supports the following commands:

  • Ping: check whether it can still reach its control server
  • Dir: get a list of files and folders on your system
  • Upload: send files from your system to the control server
  • Download: place files from the control server on your system
  • Exec: run specific commands or programs on your system
  • Copy: copy files or folders on your system
  • Move: move files or folders on your system
  • Sleep: pause its activity for a specified period of time
  • Exit: stop running on your system

The malware uses Google Sheets as its command center: it polls the sheet for new instructions and writes stolen data back into it. Each infected device reads and writes specific cells, keyed by a unique identifier for that device, so the operators can keep many victims organized in one spreadsheet.

Voldemort talks to Google Sheets through the Google Sheets API, authenticating with an OAuth client ID, client secret and refresh token embedded in its encrypted configuration. This gives the malware a reliable channel that draws little suspicion: Google Sheets is widely used in businesses, so security tools rarely block traffic to it.
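Because the endpoints are legitimate Google services, blocking them outright is rarely an option, but the traffic still has a shape. Below is an added Python example (not this article's or Proofpoint's code) that runs a simple detection over constructed proxy log lines: it flags a client that refreshes an OAuth token at oauth2.googleapis.com and then calls the Sheets API from a non-browser User-Agent at a machine-regular interval. The log format, IP addresses, spreadsheet IDs and User-Agent strings (including "WinHTTP-Client/1.0") are all constructed for the example.

```python
from __future__ import annotations
import shlex
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the campaign):
# timestamp src_ip method host path status "user-agent"
SAMPLE_LOG = """\
2024-08-20T09:00:00Z 10.0.0.5 POST oauth2.googleapis.com /token 200 "WinHTTP-Client/1.0"
2024-08-20T09:00:01Z 10.0.0.5 GET sheets.googleapis.com /v4/spreadsheets/abc123/values/A1 200 "WinHTTP-Client/1.0"
2024-08-20T09:01:01Z 10.0.0.5 GET sheets.googleapis.com /v4/spreadsheets/abc123/values/A1 200 "WinHTTP-Client/1.0"
2024-08-20T09:02:01Z 10.0.0.5 PUT sheets.googleapis.com /v4/spreadsheets/abc123/values/B2 200 "WinHTTP-Client/1.0"
2024-08-20T09:03:01Z 10.0.0.5 GET sheets.googleapis.com /v4/spreadsheets/abc123/values/A1 200 "WinHTTP-Client/1.0"
2024-08-20T09:04:01Z 10.0.0.5 GET sheets.googleapis.com /v4/spreadsheets/abc123/values/A1 200 "WinHTTP-Client/1.0"
2024-08-20T09:00:30Z 10.0.0.7 GET docs.google.com /spreadsheets/d/xyz/edit 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
2024-08-20T09:00:31Z 10.0.0.7 POST sheets.googleapis.com /v4/spreadsheets/xyz/values:batchUpdate 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
2024-08-20T09:07:12Z 10.0.0.7 GET sheets.googleapis.com /v4/spreadsheets/xyz 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
"""

def parse_line(line: str) -> dict:
    """Split one log line into fields; shlex keeps the quoted User-Agent together."""
    ts, src, method, host, path, status, ua = shlex.split(line)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "method": method, "host": host, "path": path, "status": int(status), "ua": ua}

def beacon_regularity(times: list[datetime]) -> float | None:
    """Coefficient of variation of the gaps between consecutive requests; near 0 means a fixed timer."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def find_sheets_c2(log_text: str, max_cv: float = 0.2, min_requests: int = 4) -> list[dict]:
    """Return one finding per source IP whose Sheets API usage looks like a C2 beacon."""
    by_src: dict[str, list[dict]] = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_src.setdefault(rec["src"], []).append(rec)

    findings = []
    for src, reqs in by_src.items():
        reqs.sort(key=lambda r: r["ts"])
        sheets = [r for r in reqs if r["host"] == "sheets.googleapis.com"
                  and r["path"].startswith("/v4/spreadsheets/")]
        token_calls = [r for r in reqs if r["host"] == "oauth2.googleapis.com" and r["path"] == "/token"]
        if not sheets:
            continue
        reasons = []
        # Browsers do not call the REST API directly with a bare client UA.
        non_browser = [r for r in sheets if not r["ua"].startswith("Mozilla/")]
        if non_browser:
            reasons.append(f"{len(non_browser)} Sheets API calls with non-browser User-Agent {non_browser[0]['ua']!r}")
        if token_calls and non_browser:
            reasons.append("OAuth refresh at oauth2.googleapis.com/token from the same non-browser client")
        cv = beacon_regularity([r["ts"] for r in sheets]) if len(sheets) >= min_requests else None
        if cv is not None and cv <= max_cv:
            reasons.append(f"{len(sheets)} Sheets API calls at a regular interval (cv={cv:.2f})")
        if reasons:
            findings.append({"src": src, "reasons": reasons, "gap_cv": cv})
    return findings

if __name__ == "__main__":
    for f in find_sheets_c2(SAMPLE_LOG):
        print(f["src"])
        for reason in f["reasons"]:
            print("  -", reason)
```

The three signals are independent on purpose: a legitimate automation account will trip the User-Agent and token-refresh checks but usually not the fixed-interval one, so in practice the regularity score is what separates a scheduled export from a backdoor polling for its next command, and the thresholds are starting points to tune against your own baseline.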


4 Ways to Protect Yourself from Malware Attacks

As hackers release increasingly sophisticated malware, that doesn’t mean you’re defenseless. Here are some tips to help you protect yourself from these attacks.

1) Read sensitive emails carefully: The best way to spot fake emails that deliver malware is to examine them thoroughly. Hackers may be tech-savvy, but their language skills are often imperfect. For example, in the screenshots above, you can see typos like “Taxplayers” instead of “Taxpayers.” Government agencies typically don’t make these kinds of mistakes.

2) Check the email domain: Check that the sending domain matches the organization the email claims to represent. For example, an email from the IRS should come from an address ending in “@irs.gov.” Look at what comes after the “@”, not what comes before it, and be wary of minor misspellings or swapped-out domains.

3) Invest in data deletion services: Hackers target you based on your publicly available information. This could be anything from an information leak, to a data breach, to information you gave to an e-commerce store. Check out my top picks for data deletion services here.

4) Have strong antivirus software: Strong antivirus software installed on all of your devices can stop the payload if you accidentally open a malicious attachment or click a malicious link, and many products also warn you about phishing emails and ransomware scams. Check out my picks for the best antivirus protection in 2024 for Windows, Mac, Android, and iOS devices.


Kurt’s Key Takeaways

While researchers can’t say for sure, many of the techniques used by the malware resemble those used by groups suspected of espionage. Even if that assessment turns out to be wrong, the scale and sophistication of the campaign are concerning: anyone without technical knowledge could easily fall victim and lose personal data and money. The attack specifically targets Windows users, which also raises questions about Microsoft’s security framework.

What measures do you think organizations should implement to better protect individuals from malware attacks? Let us know by writing to us at Cyberguy.com/Contact.


Copyright 2024 CyberGuy.com. All rights reserved.