- Google found Chinese hackers who abused Google Calendar
- The service was used to host malicious instructions and to exfiltrate results
- The TOUGHPROGRESS campaign was carried out by Chinese state-sponsored hackers APT41
Chinese state-sponsored hackers known as APT41 have been seen abusing Google Calendar in their latest attack, using it as part of their command-and-control (C2) infrastructure.
Google Threat Intelligence Group (GTIG) recently discovered the technique, dismantled the setup and introduced changes to prevent similar attacks in the future.
The attack starts from a previously compromised government website. GTIG did not explain how the site was compromised, but said it was used to host a .zip archive. This archive is then distributed through phishing emails to potential targets.
Reading the calendar
Inside the ZIP are three files: a DLL and an executable that masquerade as JPGs, and a Windows shortcut file (LNK) that masquerades as a PDF document.
When the victim tries to open the fake PDF, the shortcut runs, which in turn loads the DLL.
This DLL decrypts the third file and launches it in memory; that file is the malicious payload, called TOUGHPROGRESS.
The malware then reads further instructions stored in two predetermined Google Calendar events. The commands are found either in the event description field or in hidden events.
To return the results, the malware creates a new zero-minute calendar event dated May 30 and places the data, encrypted, in the event description.
Because the malware is never written to disk and the C2 communication goes through a legitimate Google service, most security products will have trouble detecting the attack, Google says.
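A defender who can export calendar events (for example via the Google Workspace Calendar API) can look for the pattern described above: zero-minute events, a hardcoded date, and a description that is an encoded blob rather than text. The heuristic below is an added example written for this article, not code from Google or the report; the event records and the May 30 month-day check are constructed for illustration, and the entropy threshold is an assumed tuning value.

```python
import math
import re
from collections import Counter
from datetime import datetime

# Constructed sample events in a simplified Calendar API shape (RFC 3339
# start/end, free-text description). Not real data from the report.
SAMPLE_EVENTS = [
    {"id": "evt-1", "start": "2025-05-30T09:00:00Z", "end": "2025-05-30T09:00:00Z",
     "description": "q4mN7x2P9vL0aZ8kT3wR6yB1cF5hJ7nQ2sD4gU8iO0pA3eM6rX9zK1lV5bH7jC2fW4tY8uN0"},
    {"id": "evt-2", "start": "2025-05-30T10:00:00Z", "end": "2025-05-30T10:30:00Z",
     "description": "Weekly sync with the platform team"},
    {"id": "evt-3", "start": "2025-06-02T14:00:00Z", "end": "2025-06-02T14:00:00Z",
     "description": ""},
]

# Long run of base64/URL-safe characters with no whitespace: typical of an
# encrypted-then-encoded payload rather than a human-written description.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=_-]{32,}$")


def shannon_entropy(text):
    """Bits per character; encoded ciphertext scores far above prose."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def is_zero_minute(event):
    """True when the event's start and end timestamps are identical."""
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return parse(event["start"]) == parse(event["end"])


def looks_encoded(description, min_entropy=3.5):
    # min_entropy is an assumed threshold; tune it on your own calendars.
    return bool(BLOB_RE.match(description)) and shannon_entropy(description) >= min_entropy


def flag_suspicious_events(events, hardcoded_month_day=None):
    """Return (event id, reasons) for events matching the C2 pattern.

    An event is flagged only when it is both zero-minute and carries an
    encoded-looking description; the date check adds a third reason when
    the event falls on the month-day the operator hardcoded (here "05-30").
    """
    flagged = []
    for ev in events:
        reasons = []
        if is_zero_minute(ev):
            reasons.append("zero-minute")
        if looks_encoded(ev.get("description", "")):
            reasons.append("encoded-description")
        if hardcoded_month_day and ev["start"][5:10] == hardcoded_month_day:
            reasons.append("hardcoded-date")
        if "zero-minute" in reasons and "encoded-description" in reasons:
            flagged.append((ev["id"], reasons))
    return flagged
```

Legitimate zero-minute reminders with empty or plain-text descriptions (such as evt-3) are not flagged, which keeps the heuristic from drowning in ordinary calendar noise.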
To tackle the threat, GTIG developed custom detection signatures to identify and block APT41's malware. It also removed the associated Workspace accounts and calendar events. In addition, the team updated file detections and added the malicious domains and URLs to the Google Safe Browsing blocklist.
Google also confirmed that at least a few companies were targeted: “In partnership with Mandiant Consulting, GTIG informed the compromised organizations,” it said.
“We provided the notified organizations with a sample of TOUGHPROGRESS network traffic logs and information about the threat actor to help with detection and incident response.”
It did not say how many companies were affected.
Via BleepingComputer