Recommended reading

Chinese hackers use Google Calendar in stealthy new attack

News
By published

Google responds by dismantling the infrastructure

a screenshot of google calendar
(Image credit: Shutterstock)
  • Google found Chinese hackers abusing Google Calendar
  • The service was used to host malicious instructions and to exfiltrate results
  • ToughProgress campaign was carried out by Chinese state-sponsored hackers APT41

Chinese state-sponsored hackers known as APT41 have been seen abusing Google Calendar in their newest attacks, using it as part of the C2 infrastructure.

Google’s Threat Intelligence Group (TIG) recently discovered the technique, dismantled the setup, and introduced changes to prevent similar attacks in the future.

The attack starts from a previously compromised government website - TIG did not explain how the site was compromised, but said it was used to host a .ZIP archive. This archive is then shared, through phishing emails, with potential targets.

Reading the calendar

Inside the ZIP are three files: a DLL and executable files posing as JPGs, and a Windows shortcut file (LNK) posing as a PDF document.

When the victim tries to open the fake PDF, it runs the shortcut which, in turn, activates the DLL.

This file, in turn, decrypts and launches the third file, which is the malicious payload dubbed “ToughProgress”.

The malware then reads additional instructions shared in two specific events in Google Calendar. The commands are found either in the description field, or hidden events.

To share the results, the malware would create a new zero minute calendar event on May 30, and share the data, encrypted, in the calendar event description.

Since the malware is never actually installed on the disk, and since the C2 communication happens via a legitimate Google service, most security products will have trouble spotting the attack, Google suggests.

To tackle the threat, TIG developed custom detection signatures to identify and block APT41’s malware. It also took down associated Workspace accounts and calendar entries. Furthermore, the team updated file detections and added malicious domains and URLs to the Google Safe Browsing blocklist.

Google also confirmed that at least a few companies were targeted: “In partnership with Mandiant Consulting, GTIG notified the compromised organizations,” it said.

“We provided the notified organizations with a sample of TOUGHPROGRESS network traffic logs, and information about the threat actor, to aid with detection and incident response.”

It did not say how many companies were affected.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.