Google Calendar was being used as a communication channel by a group of hackers to extract sensitive data from people, according to the Google Threat Intelligence Group (GTIG). The tech giant's cybersecurity division discovered a compromised government website in October 2024 and found that malware was being spread through it. Once the malware infected a device, it would create a backdoor using Google Calendar and allow the operator to extract data. GTIG has already taken down the calendar accounts and other systems that were being used by the hackers.
Google Calendar Used By China-Linked Hackers as a Command and Control (C2) Channel
GTIG detailed the delivery method of the malware, how it functioned, and the measures taken by Google's team to protect users and its product. The hacker associated with this attack is said to be APT41, also known as HOODOO, a threat group believed to be linked to the Chinese government.
An investigation by GTIG revealed that APT41 used a spear-phishing method to deliver malware to targets. Spear phishing is a targeted form of phishing where attackers personalise emails to specific individuals.
These emails contained a link to a ZIP archive that was hosted on the compromised government website. When an unsuspecting recipient opened the archive, it contained a shortcut (.lnk) file disguised to look like a PDF, along with a folder.
Overview of how the malware functioned (Image credit: GTIG)
This folder contained seven JPG images of arthropods (insects, spiders, etc.). GTIG noted that the sixth and seventh entries, however, are decoys that actually contain an encrypted payload and a dynamic link library (DLL) file that decrypts the payload.
When the target clicks the LNK file, it triggers both files. Interestingly, the LNK file also automatically deletes itself and is replaced with a fake PDF, which is shown to the user. This file states that the species shown must be declared for export, likely to mask the hacking attempt and avoid raising suspicion.
Once the malware has infected a device, it operates in three different stages, where each stage carries out a task in sequence. GTIG noted that all three stages are executed using various stealth techniques to evade detection.
The first stage decrypts and runs a DLL file named PLUSDROP directly in memory. The second stage launches a legitimate Windows process and performs process hollowing, a technique used by attackers to run malicious code under the guise of a legitimate process, to inject the final payload.
The final payload, TOUGHPROGRESS, executes malicious tasks on the system and communicates with the attacker via Google Calendar, using the cloud-based app as a command and control (C2) channel.
The malware adds a zero-minute calendar event on a hardcoded date (May 30, 2023), which stores encrypted data from the compromised computer in the event's description field.
It also creates two other events on hardcoded dates (July 30 and 31, 2023), which give the attacker a backdoor to communicate with the malware. TOUGHPROGRESS regularly polls the calendar for these two events.
When the attacker sends an encrypted command, the malware decrypts and executes it. It then sends back the result by creating another zero-minute event containing the encrypted output.
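As an added detection example (not code from the GTIG report or from Google's tooling), the following Python scans a list of calendar events and flags the pattern described above: zero-minute events whose description field holds an opaque, high-entropy blob, noting when the event date matches one of the hardcoded dates reported for TOUGHPROGRESS. The simplified event shape, the entropy and length thresholds, and the sample events are all assumptions constructed for this example.

```python
import base64
import math
from datetime import datetime

# Dates the report attributes to TOUGHPROGRESS: the exfil event and the two command events.
REPORTED_DATES = {"2023-05-30", "2023-07-30", "2023-07-31"}
ENTROPY_THRESHOLD = 5.0  # bits/char; readable text sits well below this (assumed threshold)
MIN_BLOB_LEN = 64        # ignore short descriptions (assumed threshold)

def shannon_entropy(text: str) -> float:
    """Bits per character of the string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def suspicious_events(events):
    """Return (event, reason) pairs for zero-minute events carrying an opaque description."""
    hits = []
    for ev in events:
        start, end = parse_ts(ev["start"]), parse_ts(ev["end"])
        desc = ev.get("description", "")
        if end != start:
            continue  # the reported C2 events were zero-minute; normal meetings have a duration
        if len(desc) < MIN_BLOB_LEN or shannon_entropy(desc) < ENTROPY_THRESHOLD:
            continue  # short or readable descriptions are not ciphertext blobs
        day = start.date().isoformat()
        reason = "zero-minute event with high-entropy description"
        if day in REPORTED_DATES:
            reason += f"; date {day} matches a reported hardcoded date"
        hits.append((ev, reason))
    return hits

# Constructed sample events (simplified shape, not real Calendar API records):
# two benign entries and two shaped like the reported C2 pattern. BLOB stands in for ciphertext.
BLOB = base64.b64encode(bytes(range(256))).decode()
SAMPLE_EVENTS = [
    {"start": "2023-05-30T10:00:00Z", "end": "2023-05-30T10:30:00Z", "description": "Agenda: roadmap review and Q3 planning"},
    {"start": "2023-06-02T09:00:00Z", "end": "2023-06-02T09:00:00Z", "description": "File the expense report today"},
    {"start": "2023-05-30T00:00:00Z", "end": "2023-05-30T00:00:00Z", "description": BLOB},
    {"start": "2023-07-31T00:00:00Z", "end": "2023-07-31T00:00:00Z", "description": BLOB},
]
```

Running `suspicious_events(SAMPLE_EVENTS)` flags only the two blob-carrying zero-minute events; the hardcoded-date match is a supporting signal, since a new campaign could use different dates while keeping the same event shape.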
To disrupt the campaign, GTIG created custom detection methods that identify and remove APT41's Google Calendar accounts. The team also shut down the attacker-controlled Google Workspace projects, effectively disabling the infrastructure used in the operation.
Additionally, the tech giant updated its malware detection systems and blocked the malicious domains and URLs using Google Safe Browsing.
GTIG has also notified affected organisations and provided them with samples of the malware's network traffic and details about the threat actor to assist with detection, investigation, and response efforts.