Google’s Threat Intelligence Group (GTIG) has unveiled a well-planned and executed cyber-espionage tactic, performed by a Chinese state-sponsored hacking group, APT41 or HOODOO.
The bad actor group developed an unconventional way to steal data by using Google Calendar as a conduit to communicate with one of their C2 servers. That approach helps them mix their malice with white noise to make detections that much harder.
Detected in late October 2024, the campaign included spear-phishing emails that appeared to be directed at government organisations.
These emails included links to weaponized ZIP files hosted on hijacked government websites. When the malicious file is opened, a shortcut, which is masked as a pdf file, begins a multi-stage malware infection.
The last payload, called “TOUGHPROGRESS” by researchers, stands out for its misuse of Google Calendar. After being installed on a victim’s system, TOUGHPROGRESS generates zero-minute calendar events with named hardcoded dates.
The summaries serve to save the encrypted data stolen from a breached system. In addition, the attackers also hide encrypted commands in other calendar events.
The malware pings the attacker’s calendar every so often, decrypts any new commands, carries them out on the infected device, and uploads the data to the calendar as new encrypted events.
This technique of using popular and legitimate cloud service such as Google Calendar for C2 activity has its own advantages for the attackers.
It lets them conceal their messages in ordinary internet traffic, circumventing conventional security systems that are likely to cancel connections to shady or unfamiliar domains. It also has the advantage of using a familiar platform, meaning we’re less likely to have users or automated systems triggering alerts as a result of calendar activity.
GTIG at Google has acted to disrupt this campaign by creating custom fingerprints to identify and remove the calendars and Workspace projects controlled by the attacker.
They have Posted another update to the malware detection system and Added the malicious domains/URLs to the Google Safe Browsing blocklist.
Organizations that have been impacted have already been notified and have been provided with a technical description to help them defend themselves and recover.
This incident represents the new M.O. of advanced cyber threat actors who are exploiting well-regarded cloud technologies for duplicitous purposes.
Security professionals recommend that enterprises stay on the lookout and train end users to be aware of phishing activities, as well as deploy a comprehensive endpoint detection and response tool to hunt and respond to these advanced attacks.
The exploitation of trusted systems such as Google Calendar highlights the importance of ongoing careful scrutiny of even innocuous-seeming applications for signs of anomalous behavior.
