Go Back   Carder.life > [en] International Forum > Carding News
Reload this Page APT41 malware abuses Google Calendar for stealthy C2 communication

CARDER.MARKET - CARDING FORUM FOR PROFESSIONAL CARDERS


Reply
 
Thread Tools Display Modes
  #1  
Old 05-29-2025, 12:38 PM
Artifact's Avatar

Artifact Artifact is offline
Administrator
Join Date: Jan 2024
Posts: 0
Default


The Chinese APT41 hacking group uses a new malware named 'ToughProgress' that exploits Google Calendar for command-and-control (C2) operations, hiding malicious activity behind a trusted cloud service.



The campaign was discovered by Google's Threat Intelligence Group, which identified and dismantled attacker-controlled Google Calendar and Workspace infrastructure and introduced targeted measures to prevent such abuse in the future.



Using Google Calendar as a C2 mechanism is not a novel technique, and Veracode recently reported about a malicious package in the Node Package Manager (NPM) index following a similar tactic.



Also, APT41 is known for abusing Google services before, like using Google Sheets and Google Drive in a Voldemort malware campaign in April 2023.













Overview of the attack

APT41 attack flow



The attack starts with a malicious email sent to targets, linking to a ZIP archive hosted on a previously compromised government website.



The archive contains a Windows LNK file pretending to be a PDF document, a primary payload masqueraded as a JPG image file, and a DLL file used for decrypting and launching the payload, also camouflaged as an image file.



"The files "6.jpg" and "7.jpg" are fake images. The first file is actually an encrypted payload and is decrypted by the second file, which is a DLL file launched when the target clicks the LNK," explains Google.



The DLL is 'PlusDrop,' a component that decrypts and executes the next stage, 'PlusInject,' entirely in memory.



Next, PlusInject performs process hollowing on the legitimate Windows process 'svhost.exe' and injects the final stage 'ToughProgress.'



The malware connects to a hardcoded Google Calendar endpoint and polls specific event dates for commands APT41 adds in the description field of hidden events.













One of APT41's Calendar events

After executing them, ToughProgress returns the results into new calendar events so the attacker can adjust their next steps accordingly.













The encrypted exchange

With payloads never touching the disk and the C2 communication happening over a legitimate cloud service, the chances of getting flagged by security products on the infected host are minimal.



Disrupting the activity



Google identified attacker-controlled Google Calendar instances and terminated all related Workspace accounts and the offending Calendar events.



Google's Safe Browsing blocklist was also updated accordingly, so users will get a warning when visiting associated sites, and traffic from those sites will be blocked across all of the tech giant's products.



The report does not name any specific compromised organizations or victims, but Google says it notified them directly in collaboration with Mandiant. Google also shared ToughProgress samples and traffic logs with victims to help them pinpoint infections in their environments.



@ BleepingComputer
Reply

Tags
NULL

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is On
Forum Jump




All times are GMT. The time now is 10:11 AM.

Contact Us - Carder.life - Archive - Top