Chinese state-sponsored hacking group APT41, also known as HOODOO, has been found abusing the Google Command and Control (GC2) red teaming tool in data theft attacks against a Taiwanese media and an Italian job search company.
The group is known for targeting a wide range of industries in the USA, Asia, and Europe, and has been tracked by Mandiant since 2014. GC2 is an open-source project designed for red teaming activities and consists of an agent that is deployed on compromised devices, which then connects back to a Google Sheets URL to receive commands to execute.
APT41 attempted to distribute the GC2 agent through phishing emails to a Taiwanese media company in October 2022. Google’s Threat Analysis Group (TAG) disrupted the campaign.
The group also used GC2 in attacks against an Italian job search website in July 2022. The agent enabled threat actors to deploy additional payloads on the device and exfiltrate data to Google Drive.
While it is not known what malware was distributed in these attacks, APT41 is known to deploy a wide variety of malware on compromised systems.
APT41’s use of GC2 is another indicator of a trend of threat actors moving to legitimate red teaming tools and remote monitoring and management (RMM) platforms as part of their attacks. Threat actors have started to shift to other red teaming tools, such as Brute Ratel and Sliver, to evade detection during their attacks.
Ransomware gangs have also begun abusing the Action1 RMM tool for persistence on compromised networks and to execute commands, scripts, and binaries.
Unfortunately, legitimate tools that can help red teamers conduct exercises or for admins to manage a network remotely can equally be abused by threat actors in their own attacks.
