
Google Calendar leveraged by Chinese cyber attackers in covert operation

Google takes action by breaking down the associated infrastructure


Chinese state-backed hackers, identified as APT41, have been uncovered leveraging Google Calendar to execute cyberattacks. The hackers used the popular service as part of their command and control (C2) infrastructure.

According to Google's Threat Analysis Group (TAG), this attack infrastructure has been dismantled, and measures have been taken to prevent future abuse.

The attack began with a previously compromised government website. Although details of that compromise were not disclosed, TAG revealed that the site hosted a .ZIP archive, which was then distributed to potential targets via phishing emails.

Victims who opened the phishing email unknowingly activated a payload called "ToughProgress." The malware then read its instructions from specific Google Calendar events, with the commands embedded in the event description field.

Stolen data was encrypted and written into the description of a zero-minute calendar event created on May 30. Most security products may struggle to identify this attack because the malware is elusive: it resides only in memory and communicates through a legitimate Google service.
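The two traits described above, commands and encrypted data carried in event descriptions and exfiltration through zero-minute events, are things a defender can hunt for in calendar data. The following is an added example, not code from Google, TAG or the article; it assumes a simplified JSON event shape (not the real Google Calendar API schema) and picks heuristic thresholds and weights that are assumptions, not values taken from the report. It scores constructed sample events on three signals: a long base64-shaped, high-entropy description, zero duration, and an empty title.

```python
import base64
import hashlib
import json
import math
import re
from collections import Counter
from datetime import datetime

BASE64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")
MIN_ENCODED_LEN = 64       # assumed threshold: shorter blobs are rarely worth flagging
MIN_ENTROPY_BITS = 4.8     # assumed threshold: English prose sits well below this


def _constructed_blob(n_bytes: int) -> str:
    """Deterministic, random-looking base64 payload standing in for an encrypted
    exfiltration blob. Constructed for the sample; it carries no real data."""
    out, seed = b"", b"constructed-sample"
    while len(out) < n_bytes:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return base64.b64encode(out[:n_bytes]).decode()


# Constructed sample events in a simplified shape (assumed; not the real
# Google Calendar API schema): ISO-8601 start/end plus free-text fields.
SAMPLE_EVENTS = [
    {"id": "evt-1", "summary": "Team sync",
     "start": "2025-05-30T09:00:00Z", "end": "2025-05-30T09:30:00Z",
     "description": "Weekly status meeting, agenda in the shared doc."},
    {"id": "evt-2", "summary": "",
     "start": "2025-05-30T14:12:00Z", "end": "2025-05-30T14:12:00Z",
     "description": _constructed_blob(256)},
    {"id": "evt-3", "summary": "Dentist",
     "start": "2025-05-31T08:00:00Z", "end": "2025-05-31T08:00:00Z",
     "description": "Remember insurance card"},
]


def _parse_ts(ts: str) -> datetime:
    # fromisoformat only accepts the 'Z' suffix from Python 3.11 on, so normalise it
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def duration_minutes(event: dict) -> float:
    """Length of the event in minutes; zero-minute events are one of the traits
    the article describes for the exfiltration channel."""
    delta = _parse_ts(event["end"]) - _parse_ts(event["start"])
    return delta.total_seconds() / 60.0


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_encoded(description: str) -> bool:
    """True when the description is a long, base64-shaped, high-entropy string,
    i.e. it resembles an encrypted or encoded payload rather than human prose."""
    compact = description.strip()
    return (len(compact) >= MIN_ENCODED_LEN
            and BASE64_RE.match(compact) is not None
            and shannon_entropy(compact) >= MIN_ENTROPY_BITS)


def score_event(event: dict) -> dict:
    """Heuristic score: an encoded description weighs most, zero duration and an
    empty title add supporting evidence. The weights are assumptions."""
    reasons = []
    if looks_encoded(event.get("description", "")):
        reasons.append(("encoded_description", 2))
    if duration_minutes(event) == 0.0:
        reasons.append(("zero_duration", 1))
    if not event.get("summary", "").strip():
        reasons.append(("empty_summary", 1))
    return {"id": event["id"],
            "score": sum(w for _, w in reasons),
            "reasons": [r for r, _ in reasons]}


def flag_events(events: list, threshold: int = 3) -> list:
    """Return the scored events at or above the threshold, for analyst review."""
    return [s for s in (score_event(e) for e in events) if s["score"] >= threshold]


if __name__ == "__main__":
    for finding in flag_events(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run against the sample, only `evt-2` crosses the threshold: a zero-minute event with no title whose description is a 344-character base64 blob. The ordinary zero-minute reminder (`evt-3`) scores too low to surface, which is the point of combining signals rather than alerting on zero duration alone. In practice the same scoring would be applied to events pulled from a Workspace audit export, and the thresholds tuned against the organisation's own baseline.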

To counter the threat, TAG developed custom detection signatures to identify and block APT41's malware. Affected Workspace accounts and calendar entries were removed, file detections were updated, and the malicious domains and URLs were added to the Google Safe Browsing blocklist.

Google confirmed that several businesses were targeted and, in partnership with Mandiant Consulting, notified the affected organizations and provided them with information to strengthen their detection and response efforts. It did not, however, disclose the exact number of affected companies.

APT41's malware comprises three modules: PLUSDROP, PLUSINJECT, and TOUGHPROGRESS. Once executed, the TOUGHPROGRESS module collects data from the infected host and communicates with the attackers via Google Calendar.

This use of Google Calendar gives APT41 a covert channel to compromised devices: its traffic blends in with the service's legitimate operations, which helps it avoid detection.

In summary, the campaign by the Chinese state-backed group APT41 combines phishing emails with Google Calendar as its command and control channel. In response, Google's Threat Analysis Group (TAG) has developed custom detection signatures and taken measures to prevent future abuse of Google Calendar for such malicious activity.
