Cyber Web Spider Blog – News
Chinese APT41 Exploits Google Calendar for Malware Command-and-Control Operations

Posted on May 29, 2025 by CWS

Might 29, 2025Ravie LakshmananMalware / Cloud Safety

Google on Wednesday disclosed that the Chinese state-sponsored threat actor known as APT41 leveraged a malware called TOUGHPROGRESS that uses Google Calendar for command-and-control (C2).
The tech giant, which discovered the activity in late October 2024, said the malware was hosted on a compromised government website and was used to target several other government entities.
“Misuse of cloud services for C2 is a technique that many threat actors leverage in order to blend in with legitimate activity,” Google Threat Intelligence Group (GTIG) researcher Patrick Whitsell said.
APT41, also tracked as Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, Earth Baku, HOODOO, Red Kelpie, TA415, Wicked Panda, and Winnti, is the name assigned to a prolific nation-state group known for its targeting of governments and organizations within the global shipping and logistics, media and entertainment, technology, and automotive sectors.

In July 2024, Google revealed that several entities operating within these industry verticals in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. were targeted by a “sustained campaign” using a combination of web shells and droppers like ANTSWORD, BLUEBEAM, DUSTPAN, and DUSTTRAP.
Then earlier this year, a sub-cluster within the APT41 umbrella was identified as attacking Japanese companies in the manufacturing, materials, and energy sectors in March 2024 as part of a campaign dubbed RevivalStone.
The latest attack chain documented by Google involves sending spear-phishing emails containing a link to a ZIP archive that is hosted on the exploited government website. The ZIP file includes a directory and a Windows shortcut (LNK) that masquerades as a PDF document. The directory contains what appear to be seven different images of arthropods (from “1.jpg” to “7.jpg”).
The infection begins when the LNK file is launched, causing a decoy PDF to be displayed to the recipient stating that the species pulled from the list must be declared for export. However, it is worth noting that “6.jpg” and “7.jpg” are fake images.

“The first file is actually an encrypted payload and is decrypted by the second file, which is a DLL file launched when the target clicks the LNK,” Whitsell said, adding that the malware implements various stealth and evasion techniques, such as memory-only payloads, encryption, compression, and control flow obfuscation.
The malware consists of three distinct components, each of which is deployed in sequence and designed to carry out a specific function:

PLUSDROP, the DLL used to decrypt and execute the next stage in memory
PLUSINJECT, which launches and performs process hollowing on a legitimate “svchost.exe” process to inject the final payload
TOUGHPROGRESS, the primary malware that uses Google Calendar for C2

The malware is designed to read and write events in an attacker-controlled Google Calendar, creating a zero-minute event at a hard-coded date (2023-05-30) in order to store the harvested data in the event description.
The operators place encrypted commands in Calendar events on July 30 and 31, 2023, which are then polled by the malware, decrypted, executed on the compromised Windows host, and the results written back to another Calendar event from where they can be retrieved by the attackers.
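As an added defensive illustration (not code from Google's report or from the malware), the following Python triage routine scans exported Calendar events for the pattern described above: zero-minute events on the dates named in the report whose descriptions are opaque, high-entropy blobs rather than human text. The sample events, the field names (modelled on the Calendar API events.list shape) and the entropy threshold are constructed assumptions.

```python
import json
import math
from collections import Counter
from datetime import datetime

# Constructed sample export: illustrative records in the shape the Google
# Calendar API returns for events (start/end with "dateTime"). These are not
# events from the actual campaign.
SAMPLE_EVENTS = json.loads("""[
 {"id": "ev-normal", "summary": "Team sync",
  "start": {"dateTime": "2023-05-30T09:00:00Z"}, "end": {"dateTime": "2023-05-30T09:30:00Z"},
  "description": "Weekly status meeting, agenda in the shared doc."},
 {"id": "ev-drop", "summary": "",
  "start": {"dateTime": "2023-05-30T00:00:00Z"}, "end": {"dateTime": "2023-05-30T00:00:00Z"},
  "description": "q9Xv2LkP8aZrT1mNcW4sYbH7eJ0uKfGdRo3xVtQiA6pM5nB2lCzEwS8yDhUj1FgT"},
 {"id": "ev-cmd", "summary": "",
  "start": {"dateTime": "2023-07-30T00:00:00Z"}, "end": {"dateTime": "2023-07-30T00:00:00Z"},
  "description": "Zk3pQ8wR1vT6yU2bN9mC4xL7sD0fG5hJaE8iO1rPqW3tY6uV2zX9cB4nM7lK0jH"}
]""")

# Dates named in the report: data drop (2023-05-30) and command events (July 30/31, 2023).
HARD_CODED_DATES = {"2023-05-30", "2023-07-30", "2023-07-31"}

def shannon_entropy(text):
    """Bits per character; random-looking ciphertext/base64 scores well above prose."""
    if not text:
        return 0.0
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_time(field):
    return datetime.fromisoformat(field["dateTime"].replace("Z", "+00:00"))

def event_indicators(event, entropy_threshold=4.5):
    """List which parts of the TOUGHPROGRESS calendar pattern an event matches."""
    start, end = parse_time(event["start"]), parse_time(event["end"])
    desc = event.get("description", "")
    hits = []
    if start == end:
        hits.append("zero_minute_event")
    if start.date().isoformat() in HARD_CODED_DATES:
        hits.append("hard_coded_date")
    if len(desc) >= 32 and " " not in desc.strip() and shannon_entropy(desc) >= entropy_threshold:
        hits.append("opaque_description")
    if not event.get("summary"):
        hits.append("empty_summary")
    return hits

def flag_suspicious(events, min_indicators=3):
    """Return ids of events matching at least min_indicators parts of the pattern."""
    return [e["id"] for e in events if len(event_indicators(e)) >= min_indicators]
```

Run against a real export, the same checks apply to the Workspace audit log or the events list of any calendar a host is seen polling; a legitimate meeting on the same date matches only one indicator and is not flagged.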

Google said it has taken the step of taking down the malicious Google Calendar and terminating the associated Workspace projects, thereby neutralizing the entire campaign. It also said that affected organizations were notified. The exact scale of the campaign is unclear.
This isn't the first time APT41 has weaponized Google's services to its advantage. In April 2023, Google disclosed that the threat actor targeted an unnamed Taiwanese media organization to deliver a Go-based open-source red teaming tool known as Google Command and Control (GC2) via password-protected files hosted on Google Drive.
Once installed, GC2 acts as a backdoor that reads commands from Google Sheets and exfiltrates data using the cloud storage service.

