APT41 Malware Abuses Google Calendar for Stealthy C2 Communication

A new malware campaign by the Chinese APT41 hacking group has been discovered, exploiting Google Calendar for command-and-control (C2) operations. The malicious activity is hidden behind a trusted cloud service, making it challenging to detect and respond to.

The APT41 group uses a malware named 'ToughProgress' that takes advantage of Google Calendar's functionality to execute covert C2 communications. This tactic is not new, as Veracode recently reported on a malicious package in the Node Package Manager (NPM) index following a similar approach. APT41 has previously abused Google services, such as using Google Sheets and Google Drive in a Voldemort malware campaign in April 2023.

The attack begins with a malicious email sent to targets, linking to a ZIP archive hosted on a previously compromised government website. The archive contains a Windows LNK file posing as a PDF document, a primary payload masquerading as a JPG image file, and a DLL file used for decrypting and launching the payload.

"The files '6.jpg' and '7.jpg' are fake images," explains Google. "The first file is actually an encrypted payload, which is decrypted by the second file, which is a DLL file launched when the target clicks the LNK." The DLL is 'PlusDrop,' a component that decrypts and executes the next stage, 'PlusInject,' entirely in memory.

Next, PlusInject performs process hollowing on the legitimate Windows process 'svchost.exe' and injects the final stage, 'ToughProgress.' The malware connects to a hardcoded Google Calendar endpoint and polls specific event dates for commands that APT41 places in the description field of hidden events. After executing them, ToughProgress writes the results into new calendar events so the attacker can adjust their next steps accordingly.

The chances of being flagged by security products on the infected host are minimal, because the payloads never touch the disk and the C2 traffic blends in with legitimate use of a trusted cloud service. Google identified the attacker-controlled Google Calendar instances and terminated all related Workspace accounts and the offending Calendar events. Google's Safe Browsing blocklist was also updated accordingly, so users will get a warning when visiting associated sites, and traffic from those sites will be blocked across all of the tech giant's products.
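The C2 pattern described above still leaves a host-side signal: a process that has no business talking to Google Calendar (here, a hollowed svchost.exe) polling Calendar endpoints at a regular cadence. The following detection sketch is an added example, not code from Google, Mandiant or the article; it runs over a constructed sample of Sysmon-style network-connection records, and the endpoint hostnames, the list of "expected" Calendar clients and the record layout are assumptions.

```python
"""Flag unexpected processes that beacon to Google Calendar endpoints."""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Assumption: hostnames a legitimate Calendar client would contact.
CALENDAR_HOSTS = {"calendar.google.com", "www.googleapis.com"}
# Assumption: processes for which Calendar traffic is normal on this fleet.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Constructed sample of Sysmon EventID 3 style records:
# (UTC timestamp, Image, DestinationHostname). Not real telemetry.
SAMPLE_EVENTS = [
    ("2025-05-28T10:00:00", r"C:\Windows\System32\svchost.exe", "calendar.google.com"),
    ("2025-05-28T10:02:00", r"C:\Program Files\Google\Chrome\chrome.exe", "calendar.google.com"),
    ("2025-05-28T10:10:00", r"C:\Windows\System32\svchost.exe", "www.googleapis.com"),
    ("2025-05-28T10:11:00", r"C:\Windows\System32\svchost.exe", "update.microsoft.com"),
    ("2025-05-28T10:20:05", r"C:\Windows\System32\svchost.exe", "calendar.google.com"),
    ("2025-05-28T10:25:00", r"C:\Program Files\Google\Chrome\chrome.exe", "www.googleapis.com"),
    ("2025-05-28T10:26:00", r"C:\Windows\explorer.exe", "calendar.google.com"),
    ("2025-05-28T10:30:00", r"C:\Windows\System32\svchost.exe", "calendar.google.com"),
    ("2025-05-28T10:31:00", r"C:\Program Files\Google\Chrome\chrome.exe", "calendar.google.com"),
]


def find_calendar_beacons(events, min_hits=3, max_jitter_s=60.0):
    """Return one alert per non-browser process with repeated Calendar contacts.

    An alert records the hit count, the mean interval between contacts and
    whether that interval is regular enough (low jitter) to look like polling.
    """
    contacts = defaultdict(list)
    for ts, image, host in events:
        if host.lower() in CALENDAR_HOSTS:
            contacts[image].append(datetime.fromisoformat(ts))
    alerts = []
    for image, times in contacts.items():
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in EXPECTED_CLIENTS or len(times) < min_hits:
            continue  # normal client, or too few contacts to call it polling
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps)
        jitter = pstdev(gaps)
        alerts.append({"image": image, "hits": len(times), "mean_gap_s": mean_gap,
                       "jitter_s": jitter, "periodic": jitter <= max_jitter_s})
    return alerts


if __name__ == "__main__":
    for alert in find_calendar_beacons(SAMPLE_EVENTS):
        print(alert)
```

On the sample, only svchost.exe is reported (four Calendar contacts about ten minutes apart); Chrome is an expected client and explorer.exe contacts Calendar only once, so neither is flagged.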

Google notified the victims directly in collaboration with Mandiant and shared ToughProgress samples and traffic logs with them to help them pinpoint infections in their environments. This incident highlights the importance of monitoring Google services for malicious activity and implementing targeted measures to prevent such abuse in the future.
