- Google found Chinese hackers abusing Google Calendar
- The service was used to host malicious instructions and to exfiltrate the results
- The TOUGHPROGRESS campaign was carried out by the Chinese state-sponsored group APT41
Chinese state-sponsored hackers known as APT41 have been seen abusing Google Calendar in their latest attacks, using it as part of their command-and-control (C2) infrastructure.
The Google Threat Intelligence Group (GTIG) recently discovered the technique, dismantled the setup and introduced changes to prevent similar attacks in the future.
The attack begins with a previously compromised government website: GTIG did not explain how the site was compromised, but said it was used to host a .ZIP file. This file is then shared via phishing emails with potential targets.
Reading the calendar
Inside the ZIP there are three files: a DLL and an executable that are passed off as JPGs, and a Windows shortcut (LNK) file posing as a PDF document.
When the victim tries to open the fake PDF, they run the shortcut, which in turn triggers the DLL.
That file, in turn, decrypts and launches the third file, which is the malicious payload called “TOUGHPROGRESS”.
The malware then reads additional instructions stored in two specific Google Calendar events. The commands are in the description field, or in hidden events.
To exfiltrate the results, the malware creates a new zero-minute Calendar event on May 30 and places the data, encrypted, in the event's description.
Since the malware is never actually written to disk, and since C2 communication goes through a legitimate Google service, most security products will struggle to detect the attack, Google suggests.
To address the threat, GTIG developed custom detection signatures to identify and block the APT41 malware. It also took down the associated Workspace accounts and Calendar entries. In addition, the team updated file detections and added the malicious domains and URLs to the Google Safe Browsing blocklist.
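One way a defender can hunt for the Calendar pattern described above (zero-minute events whose description carries an encoded or encrypted blob). This is an added example, not Google's or the article's code; it assumes events shaped like Google Calendar API `events.list` items, and every sample event and the encoded blob are constructed here.

```python
"""Flag calendar events matching the C2 pattern described above: zero-minute
events whose description is a long, high-entropy (encoded/encrypted) blob.
Added example, not Google's or the article's code; assumes events shaped like
Google Calendar API `events.list` items. All sample events are constructed."""
import math
from datetime import datetime

# Constructed stand-in for an encoded blob: a permutation of the base64
# alphabet, so every character is distinct and entropy is maximal (6.0 bits).
ENCODED_BLOB = "qZ3mV8kLp0RxTcB2yWfN6hJaG9dKsE4uOiM1vYrCnA7bHwXe5tQjP+lFzD/SgUIo"

def event(eid, start, end, description):
    """Build a dict in the shape of a Google Calendar API event (assumed)."""
    return {"id": eid, "start": {"dateTime": start},
            "end": {"dateTime": end}, "description": description}

SAMPLE_EVENTS = [
    # ordinary 30-minute meeting with a long, human-readable description
    event("evt-1", "2023-05-30T10:00:00+00:00", "2023-05-30T10:30:00+00:00",
          "Weekly sync: review open tickets, plan the next sprint, and "
          "confirm the vendor call for Thursday afternoon."),
    # zero-minute event carrying an encoded blob: the exfiltration pattern
    event("evt-2", "2023-05-30T00:00:00+00:00", "2023-05-30T00:00:00+00:00",
          ENCODED_BLOB),
    # zero-minute reminder with a short plain-text note: benign
    event("evt-3", "2023-06-01T09:00:00+00:00", "2023-06-01T09:00:00+00:00",
          "Dentist appointment reminder, bring insurance card"),
]

def shannon_entropy(text: str) -> float:
    """Bits per character: roughly 4.0-4.5 for English, 6.0 for random base64."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))

def duration_minutes(ev: dict) -> float:
    start = datetime.fromisoformat(ev["start"]["dateTime"])
    end = datetime.fromisoformat(ev["end"]["dateTime"])
    return (end - start).total_seconds() / 60

def is_suspicious(ev: dict, min_len: int = 64, min_entropy: float = 4.8) -> bool:
    """Zero-minute event whose description looks like an encoded payload."""
    desc = ev.get("description", "")
    return (duration_minutes(ev) == 0 and len(desc) >= min_len
            and shannon_entropy(desc) >= min_entropy)

def flag_events(events: list) -> list:
    """Ids of events matching the heuristic; evt-2 for the sample above."""
    return [ev["id"] for ev in events if is_suspicious(ev)]
```

The thresholds are starting points; tune them against your own tenant's normal Calendar usage, and treat a hit as a lead for triage rather than proof of compromise.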
Google also confirmed that at least some companies were attacked: “In partnership with Mandiant Consulting, GTIG notified compromised organizations,” it said.
“We provided notified organizations with a sample of TOUGHPROGRESS network traffic logs, and information about the threat actor, to help with detection and incident response.”
It did not say how many companies were affected.
Via BleepingComputer