<div id="post_message_794273">
The Chinese APT41 hacking group uses a new malware named 'ToughProgress' that exploits Google Calendar for command-and-control (C2) operations, hiding malicious activity behind a trusted cloud service.<br/> <br/>
The campaign was discovered by <a href="https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics" target="_blank">Google's Threat Intelligence Group</a>, which identified and dismantled attacker-controlled Google Calendar and Workspace infrastructure and introduced targeted measures to prevent such abuse in the future.<br/> <br/>
Using Google Calendar as a C2 mechanism is not a novel technique, and <a href="https://www.bleepingcomputer.com/news/security/malicious-npm-package-uses-unicode-steganography-to-evade-detection/" target="_blank">Veracode recently reported</a> on a malicious package in the Node Package Manager (NPM) index following a similar tactic.<br/> <br/>
Also, APT41 has abused Google services before, such as using Google Sheets and Google Drive in a <a href="https://www.bleepingcomputer.com/news/security/new-voldemort-malware-abuses-google-sheets-to-store-stolen-data/" target="_blank">Voldemort malware campaign</a> in April 2023.<br/> <br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/May/attack.jpg"/><br/>
<div style="margin:20px; margin-top:5px; "> <table border="0" cellpadding="6" cellspacing="0" width="100%"> <tr> <td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;"> Overview of the attack </td> </tr> </table> </div>
<b><font size="4"><font color="White">APT41 attack flow</font></font></b><br/> <br/>
The attack starts with a malicious email sent to targets, linking to a ZIP archive hosted on a previously compromised government website.<br/> <br/>
The archive contains a Windows LNK file pretending to be a PDF document, a primary payload masquerading as a JPG image file, and a DLL file used for decrypting and launching the payload, also camouflaged as an image file.<br/> <br/>
"The files '6.jpg' and '7.jpg' are fake images. The first file is actually an encrypted payload and is decrypted by the second file, which is a DLL file launched when the target clicks the LNK," explains Google.<br/> <br/>
The DLL is 'PlusDrop,' a component that decrypts and executes the next stage, 'PlusInject,' entirely in memory.<br/> <br/>
Next, PlusInject performs process hollowing on the legitimate Windows process 'svhost.exe' and injects the final stage, 'ToughProgress.'<br/> <br/>
The malware connects to a hardcoded Google Calendar endpoint and polls specific event dates for commands that APT41 adds to the description field of hidden events.<br/> <br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/May/event.jpg"/><br/>
<div style="margin:20px; margin-top:5px; "> <table border="0" cellpadding="6" cellspacing="0" width="100%"> <tr> <td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;"> One of APT41's Calendar events </td> </tr> </table> </div>
After executing them, ToughProgress returns the results in new calendar events so the attacker can adjust their next steps accordingly.<br/> <br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/May/encryption.jpg"/><br/>
<div style="margin:20px; margin-top:5px; "> <table border="0" cellpadding="6" cellspacing="0" width="100%"> <tr> <td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;"> The encrypted exchange </td> </tr> </table> </div>
With payloads never touching the disk and the C2 communication happening over a legitimate cloud service, the chances of getting flagged by security products on the infected host are minimal.<br/> <br/>
<b><font size="4"><font color="white">Disrupting the activity</font></font></b><br/> <br/>
Google identified attacker-controlled Google Calendar instances and terminated all related Workspace accounts and the offending Calendar events.<br/> <br/>
Google's Safe Browsing blocklist was also updated accordingly, so users will get a warning when visiting associated sites, and traffic from those sites will be blocked across all of the tech giant's products.<br/> <br/>
The report does not name any specific compromised organizations or victims, but Google says it notified them directly in collaboration with Mandiant. Google also shared ToughProgress samples and traffic logs with victims to help them pinpoint infections in their environments.<br/> <br/>
<a href="https://www.bleepingcomputer.com/news/security/apt41-malware-abuses-google-calendar-for-stealthy-c2-communication/" target="_blank">@ BleepingComputer</a> </div>
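The post above describes two host-side observables a defender can pair: the final stage lives inside a hollowed Windows system process, and that process polls a Google Calendar endpoint for tasking. The following Python script is an added example, not code from BleepingComputer or from Google's report, that hunts for exactly that pairing in outbound-connection telemetry. The log format, the destination host list, the allowlist of processes expected to talk to Calendar, the polling-regularity threshold, and the sample records are all assumptions constructed for this illustration; the hollowed process is assumed to be the real Windows service host, svchost.exe.

```python
"""Hunt for unexpected processes polling Google Calendar.

Assumed telemetry schema (one record per outbound connection):
    <ISO-8601 timestamp> <hostname> <process image> <destination host>
Everything below (schema, hosts, allowlist, thresholds, samples) is an
assumption made for this example, not something taken from the report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample telemetry, not real logs. WS-17 shows a system process
# reaching Calendar every ~30 minutes alongside a normal browser session;
# WS-03 shows only legitimate clients; WS-09 shows a single odd connection.
SAMPLE_LOGS = """\
2025-05-20T09:00:00 WS-17 chrome.exe calendar.google.com
2025-05-20T09:00:05 WS-17 svchost.exe calendar.google.com
2025-05-20T09:30:05 WS-17 svchost.exe calendar.google.com
2025-05-20T10:00:06 WS-17 svchost.exe calendar.google.com
2025-05-20T10:30:05 WS-17 svchost.exe calendar.google.com
2025-05-20T09:12:44 WS-03 outlook.exe calendar.google.com
2025-05-20T11:03:10 WS-03 svchost.exe update.microsoft.com
2025-05-20T09:05:00 WS-09 svchost.exe calendar.google.com
"""

# Assumed destinations that indicate Google Calendar traffic.
CALENDAR_HOSTS = {"calendar.google.com", "www.googleapis.com"}
# Assumed allowlist: processes that legitimately talk to Calendar in this environment.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}
# Assumed thresholds for calling a connection series "periodic polling".
MIN_BEACONS = 3          # need at least this many connections to judge timing
MAX_JITTER_RATIO = 0.10  # stddev / mean of the gaps between connections


def parse_logs(text):
    """Parse the assumed four-field records into (timestamp, host, process, dest)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest = line.split()
        records.append((datetime.fromisoformat(ts), host, proc.lower(), dest.lower()))
    return records


def find_suspicious_calendar_clients(records):
    """Return {(host, process): summary} for non-allowlisted processes reaching Calendar.

    Every such pairing is reported; the summary additionally marks it as
    'periodic' when enough connections exist and their spacing is regular,
    which is the beacon-like pattern worth triaging first.
    """
    by_key = defaultdict(list)
    for ts, host, proc, dest in records:
        if dest in CALENDAR_HOSTS and proc not in EXPECTED_CLIENTS:
            by_key[(host, proc)].append(ts)

    findings = {}
    for key, times in by_key.items():
        times.sort()
        summary = {"connections": len(times), "periodic": False, "mean_interval_s": None}
        if len(times) >= MIN_BEACONS:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            summary["mean_interval_s"] = avg
            summary["periodic"] = avg > 0 and pstdev(gaps) / avg <= MAX_JITTER_RATIO
        findings[key] = summary
    return findings


if __name__ == "__main__":
    for (host, proc), info in find_suspicious_calendar_clients(parse_logs(SAMPLE_LOGS)).items():
        flag = "PERIODIC" if info["periodic"] else "single/irregular"
        print(f"{host} {proc}: {info['connections']} Calendar connection(s), {flag}")
```

On the constructed sample this reports WS-17's svchost.exe as a periodic Calendar client (four connections, 1800 s mean interval) and WS-09's svchost.exe as a lower-confidence single hit, while the browser and Outlook sessions and the svchost.exe update traffic on WS-03 are not reported. In practice the allowlist needs tuning per environment, and a hit should be corroborated with the process's memory state, since the report notes that the payloads never touch disk.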