The Chinese APT41 hacking group uses a new malware named ‘ToughProgress’ that exploits Google Calendar for command-and-control (C2) operations, hiding malicious activity behind a trusted cloud service.
The campaign was discovered by Google’s Threat Intelligence Group, which identified and dismantled attacker-controlled Google Calendar and Workspace infrastructure and introduced targeted measures to prevent such abuse in the future.
Using Google Calendar as a C2 mechanism is not a novel technique, and Veracode recently reported about a malicious package in the Node Package Manager (NPM) index following a similar tactic.
Also, APT41 is known for abusing Google services before, like using Google Sheets and Google Drive in a Voldemort malware campaign in April 2023.
Source: Google
APT41 attack flow
The attack starts with a malicious email sent to targets, linking to a ZIP archive hosted on a previously compromised government website.
The archive contains a Windows LNK file pretending to be a PDF document, a primary payload masqueraded as a JPG image file, and a DLL file used for decrypting and launching the payload, also camouflaged as an image file.
“The files “6.jpg” and “7.jpg” are fake images. The first file is actually an encrypted payload and is decrypted by the second file, which is a DLL file launched when the target clicks the LNK,” explains Google.
The DLL is ‘PlusDrop,’ a component that decrypts and executes the next stage, ‘PlusInject,’ entirely in memory.
Next, PlusInject performs process hollowing on the legitimate Windows process ‘svhost.exe’ and injects the final stage ‘ToughProgress.’
The malware connects to a hardcoded Google Calendar endpoint and polls specific event dates for commands APT41 adds in the description field of hidden events.
Source: Google
After executing them, ToughProgress returns the results into new calendar events so the attacker can adjust their next steps accordingly.
Source: Google
With payloads never touching the disk and the C2 communication happening over a legitimate cloud service, the chances of getting flagged by security products on the infected host are minimal.
Disrupting the activity
Google identified attacker-controlled Google Calendar instances and terminated all related Workspace accounts and the offending Calendar events.
Google’s Safe Browsing blocklist was also updated accordingly, so users will get a warning when visiting associated sites, and traffic from those sites will be blocked across all of the tech giant’s products.
The report does not name any specific compromised organizations or victims, but Google says it notified them directly in collaboration with Mandiant. Google also shared ToughProgress samples and traffic logs with victims to help them pinpoint infections in their environments.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
