{"id":17480,"date":"2024-09-10T04:24:25","date_gmt":"2024-09-10T04:24:25","guid":{"rendered":"https:\/\/cissar.com\/?p=17480"},"modified":"2024-09-10T04:24:25","modified_gmt":"2024-09-10T04:24:25","slug":"new-harry-potter-named-malware-strikes-revealing-global-espionage-campaign","status":"publish","type":"post","link":"https:\/\/cissar.com\/index.php\/2024\/09\/10\/new-harry-potter-named-malware-strikes-revealing-global-espionage-campaign\/","title":{"rendered":"New Harry Potter-named malware strikes, revealing global espionage campaign"},"content":{"rendered":"
\n
\n
\n
<\/a> close<\/a><\/div>\n
\n
\"'CyberGuy':<\/source><\/source><\/source><\/source><\/picture> Video<\/span><\/a><\/div>\n<\/div>\n
\n
\n

‘CyberGuy’: How to avoid becoming a moving scam victim<\/a><\/h4>\n

For a safe move, pick a reliable mover and guard against scams with these steps from tech expert Kurt Knutsson.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

A new malware has been detected by security researchers that is suspected of conducting espionage. Hackers infect devices by impersonating government agencies, usually tax agencies such as the Internal Revenue Service (IRS). Once the malicious software is on a PC, it can gather intelligence (collecting personal data, passwords and more), download additional malicious software and upload data to the hacker\u2019s server. It does all this while using Google Sheets to avoid suspicion and store data.<\/p>\n

\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n

GET SECURITY ALERTS, EXPERT TIPS \u2013 SIGN UP FOR KURT\u2019S NEWSLETTER \u2013 THE CYBERGUY REPORT HERE<\/u><\/strong><\/a><\/p>\n

\n
\"New<\/source><\/source><\/source><\/source><\/picture><\/div>\n
\n
\n

Illustration of computer being hacked by malware<\/span> (Kurt “CyberGuy” Knutsson)<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n

It all starts with a fake email<\/strong><\/h2>\n

The hackers behind the malware, called “Voldemort,” have cleverly designed it to avoid getting caught. Just like the name Voldemort spelled trouble in J.K. Rowling\u2019s Harry Potter series, it\u2019s causing issues in the cybersecurity world, too.<\/p>\n

\n
<\/div>\n<\/p><\/div>\n

The cyberattack kicks off when you receive an email that looks like it\u2019s from a government tax agency. According to Proofpoint<\/u><\/a>, the hackers behind this campaign have been impersonating tax agencies in various countries, including the U.S. (IRS), the U.K. (HM Revenue & Customs), France (Direction G\u00e9n\u00e9rale des Finances Publiques), Germany (Bundeszentralamt f\u00fcr Steuern), Italy (Agenzia delle Entrate) and, as of Aug. 19, India (Income Tax Department) and Japan (National Tax Agency). Each email lure was customized and written in the language of the tax authority being impersonated.<\/p>\n

\n
<\/div>\n<\/p><\/div>\n

Proofpoint analysts found that the hackers tailored their phishing emails to match the target\u2019s country of residence based on publicly available information rather than the organization\u2019s location or the language suggested by the email address. For example, some targets in a European organization received emails impersonating the IRS because they were linked to the U.S. in public records. In some cases, the hackers mixed up the country of residence when the target shared a name with a more prominent individual.<\/p>\n

\n
<\/div>\n<\/p><\/div>\n

The email also tries to mimic the email of the government agency. For example, the U.S. folks were sent fake emails using “no_reply_irs[.]gov@amecaindustrial[.]com.”<\/p>\n

\n
\"New<\/source><\/source><\/source><\/source><\/picture><\/div>\n
\n
\n

Email that tries to mimic the email of a government agency (Proofpoint)<\/span> (Kurt “CyberGuy” Knutsson)<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n

The attack cleverly unfolds on your device<\/strong><\/h2>\n

In the fake email, hackers impersonating the government warn you about changes in the tax rates and tax systems and ask you to click a link to read a detailed guide. Clicking on the link brings you to a landing page, which uses Google AMP Cache URLs to redirect you to a page with a “Click to view document” button.<\/p>\n

\n
<\/div>\n<\/p><\/div>\n

After you click the button, the hackers check if you\u2019re using a Windows device. If you are, you\u2019ll be redirected to another page. When you interact with that page, it triggers a download that looks like a PDF file in your PC\u2019s download folder, but it\u2019s actually an LNK or ZIP file hosted on an external server.<\/p>\n

When you open the file, it runs a Python script from another server without actually downloading the script to your computer. This script collects system information to profile you, while a fake PDF opens to hide the malicious activity.<\/p>\n

\n
\"New<\/source><\/source><\/source><\/source><\/picture><\/div>\n
\n
\n

Download that looks like PDF file in your PC\u2019s download folder (Proofpoint)<\/span> (Kurt “CyberGuy” Knutsson)<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n

Voldemort uses Google Sheets to store data<\/strong><\/h2>\n
\n
<\/div>\n<\/p><\/div>\n

Once the malware has successfully infected your Windows device, it can:<\/p>\n