Google recently disclosed new activity by APT41. This is a Chinese state-sponsored threat actor. The group utilized malware named TOUGHPROGRESS. This malware leveraged Google Calendar for command-and-control (C2). Google discovered this activity in late October 2024. The malware was hosted on a compromised government website. It was then used to target other government entities. APT41 often misuses cloud services for command-and-control. This tactic helps their malicious activity blend in. The group is known for targeting governments. They also attack shipping, media, and technology sectors.
The latest documented attack chain started with spear-phishing emails. These emails contained a link to a ZIP archive. This archive was hosted on the exploited government website. The ZIP file included a directory and a Windows LNK file. The LNK file was disguised as a PDF document. The infection began when the LNK file was launched. A decoy PDF about export declarations was then presented. The malware employed fake image files for its components. It used various stealth and evasion techniques. These included memory-only payloads and encryption. Three distinct components were deployed in series.
TOUGHPROGRESS is the primary malware component.
It uniquely uses Google Calendar for command and control. The malware reads and writes events. This occurs within an attacker-controlled Google Calendar. Harvested data is stored in event descriptions. Attackers place encrypted commands in specific calendar events. The malware polls these events for its instructions. It executes these commands on the compromised Windows host. Results are then written back to other calendar events. Google has taken steps to neutralize this campaign. They took down the malicious Google Calendar instance.
Associated Workspace projects were also terminated by Google.
This is not the first instance of APT41 abusing Google’s services. In April 2023, they targeted a Taiwanese media organization. They used Google Drive and Google Sheets for C2 in that attack. Using Google Calendar as a C2 mechanism is not entirely novel. Other threat actors have adopted similar tactics previously. APT41 has a history of conducting various campaigns. They targeted global entities in July 2024. Japanese companies faced attacks in March 2024. This highlights APT41’s adaptability and persistent nature. Google has notified affected organizations and shared intelligence.
Reference:
