Unheard of: Chinese hackers use Google Calendar to control malware and steal data


Chinese state-sponsored cyber espionage group APT41, also known as HOODOO, abused Google Calendar as a command-and-control (C2) channel. Its purpose-built malware stored encrypted commands and exfiltrated data as calendar events.

The sophisticated attack chain was recently uncovered by the Google Threat Intelligence Group (GTIG).

Chinese hackers from APT41 used Google Calendar to execute commands on compromised systems and to retrieve exfiltrated data, blending the malicious traffic in with legitimate use of the service.


Many threat actors abuse legitimate services to evade detection, but APT41's use of Google Calendar in this way had not been seen before.

APT41 is infamous for targeting governments, global shipping and logistics, media and entertainment, technology, and automotive companies.

The novel technique was detected in late October 2024, when GTIG discovered a compromised government website hosting malware that targeted government entities and abused Google Calendar.

How does the attack work?

First, APT41 needed to compromise the targeted system. It relied on sending spear phishing emails containing malicious links. The links led to a ZIP archive hosted on the compromised government website.

[Image: APT41 using Google Calendar]

The ZIP archive contained a shortcut (LNK) file disguised as a PDF and a folder with seven images, two of which were fake and launched the malware.

One of the three modules comprising the malware, dubbed TOUGHPROGRESS, executes actions on the compromised Windows host using Google Calendar for command-and-control.


It reads and writes calendar events to communicate with the attackers and uses event descriptions for data exfiltration.

“Once executed, TOUGHPROGRESS creates a zero-minute Calendar event at a hardcoded date, 2023-05-30, with data collected from the compromised host being encrypted and written in the Calendar event description,” Google explains.

[Image: APT41 attack chain]

The malware also has hardcoded dates on which it checks Calendar for commands. It polls Calendar on those dates, and when an event is retrieved, it decrypts the command from the event description and executes it on the compromised computer.
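As an added illustration for defenders (example code written here, not Google's detection logic or anything from the GTIG report), the following Python scores calendar event records against the traits the article attributes to TOUGHPROGRESS: zero-minute events, a hardcoded date far in the past, an empty title, and an encrypted-looking description. The event records are constructed and only loosely shaped like Google Calendar API event resources; the thresholds, weights and reference time are assumptions to be tuned against a real tenant's baseline.

```python
import math
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events, loosely shaped like Google Calendar API event
# resources (id, summary, start/end, description). Not real data.
SAMPLE_EVENTS = [
    {"id": "ev1", "summary": "Team standup",
     "start": {"dateTime": "2024-11-04T09:00:00Z"},
     "end": {"dateTime": "2024-11-04T09:15:00Z"},
     "description": "Daily sync, bring updates."},
    # Zero-minute event at a stale hardcoded date, no title, and an opaque
    # blob in the description: the combination described in the article.
    {"id": "ev2", "summary": "",
     "start": {"dateTime": "2023-05-30T00:00:00Z"},
     "end": {"dateTime": "2023-05-30T00:00:00Z"},
     "description": "qpAqS1k6hV3gUe7xR0Pz+L9cYb2nM4dT8fKwZoJ1aXs/Et5yCmGhNrIuBvDlF6QiOj3kWpH7Aw=="},
    # Zero-minute all-day reminder: one weak signal alone should not fire.
    {"id": "ev3", "summary": "Reminder",
     "start": {"date": "2024-11-05"},
     "end": {"date": "2024-11-05"},
     "description": "Pay invoice"},
]

# Assumed reference time used to judge how old an event is (constructed).
NOW = datetime(2024, 10, 28, tzinfo=timezone.utc)

# Assumed thresholds; tune against your own tenant's calendar baseline.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_BLOB_LEN = 32
ENTROPY_THRESHOLD = 4.5
STALE_DAYS = 365
ALERT_SCORE = 3


def shannon_entropy(text: str) -> float:
    """Bits per character; encrypted or encoded payloads score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_when(point: dict) -> datetime:
    """Accept either a timed ('dateTime') or an all-day ('date') boundary."""
    if "dateTime" in point:
        return datetime.fromisoformat(point["dateTime"].replace("Z", "+00:00"))
    return datetime.fromisoformat(point["date"]).replace(tzinfo=timezone.utc)


def looks_like_encoded_blob(description: str) -> bool:
    """Long, base64-shaped and high-entropy: not something a human typed."""
    compact = description.strip()
    return (len(compact) >= MIN_BLOB_LEN
            and BASE64_RE.match(compact) is not None
            and shannon_entropy(compact) >= ENTROPY_THRESHOLD)


def score_event(event: dict, now: datetime) -> dict:
    """Return the event id, a weighted suspicion score and the reasons."""
    start, end = parse_when(event["start"]), parse_when(event["end"])
    checks = [
        (1, "zero-minute event", start == end),
        (1, "dated more than a year in the past", (now - start).days > STALE_DAYS),
        (1, "empty title", not event.get("summary", "").strip()),
        (2, "high-entropy encoded description",
         looks_like_encoded_blob(event.get("description", ""))),
    ]
    reasons = [reason for _, reason, hit in checks if hit]
    score = sum(weight for weight, _, hit in checks if hit)
    return {"id": event["id"], "score": score, "reasons": reasons}


def flagged_ids(events, now=NOW):
    """Ids of events whose combined score reaches the alert threshold."""
    results = (score_event(e, now) for e in events)
    return [r["id"] for r in results if r["score"] >= ALERT_SCORE]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(score_event(e, NOW))
    print("flagged:", flagged_ids(SAMPLE_EVENTS))
```

The scoring deliberately requires several signals to coincide: zero-minute reminders and stale events are common in ordinary calendars, so each alone is a weak indicator, while an encoded blob in a description carries double weight. In practice the event records would come from Workspace audit logs or the Calendar API for a service account under review, and the alerts would be reviewed together with the host-side indicators the report describes.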

This method allowed APT41 to blend malicious activities with legitimate Google Calendar usage.

“We have developed custom fingerprints to identify and take down attacker-controlled Calendars,” GTIG said in the report.


“We have also terminated attacker-controlled Workspace projects, effectively dismantling the infrastructure that APT41 relied on for this campaign. Additionally, we updated file detections and added malicious domains and URLs to the Google Safe Browsing blocklist.”

Google also notified the compromised organizations and helped them detect and mitigate the incident.

It’s not the first time APT41 has used Google's services. In April 2023, it controlled malware using Google Sheets and exfiltrated data to Google Drive. Later, APT41 abused Google AMP (Accelerated Mobile Pages) cache URLs that redirected to password-protected 7-Zip files hosted on OpenDrive.


GTIG warns that APT41 continues to use free web hosting services for malware distribution, sending malicious links to hundreds of targets across the globe.