- Google found Chinese hackers abusing Google Calendar
- The service was used to host malicious instructions and to exfiltrate results
- The TOUGHPROGRESS campaign was run by the Chinese state-sponsored group APT41
Chinese state-sponsored hackers known as APT41 have abused Google Calendar in their latest attacks, using it as part of their command-and-control (C2) infrastructure.
Google's Threat Intelligence Group (GTIG) recently discovered the technique, dismantled the setup and made changes to prevent similar attacks in the future.
The attack starts with a previously compromised government website. GTIG did not explain how the site was compromised, but said it was used to host a .zip archive, which is then sent to potential targets via phishing e-mails.
Reading the calendar
The ZIP holds three files: a DLL and an executable posing as JPGs, and a Windows shortcut file (LNK) posing as a PDF document.
When the victim tries to open the fake PDF, the shortcut runs and in turn loads the DLL. The DLL then decodes and launches the third file, the malicious payload, named TOUGHPROGRESS.
The malware then reads additional instructions stored in two specific Google Calendar events; the commands are placed in the event description field or in hidden events.
To return results, the malware creates a new zero-minute calendar event dated 30 May and stores the collected data, encoded, in that event's description.
Because the malware is never actually written to disk, and because the C2 communication goes through a legitimate Google service, most security products will have difficulty spotting the attack, Google suggests.
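Two of the behaviours described above are observable by a defender who can export calendar data: results posted as a zero-minute event, and an encoded blob sitting where a human would write free text. The script below is an added example written for this article, not code from Google, GTIG or Mandiant. It assumes a simple JSON export shape (`id`, `start`, `end`, `description`), assumes the blob is base64 (the article says only that the data is "encoded"), and uses a tunable entropy threshold to drop placeholders such as a run of identical characters. The sample events are constructed test data.

```python
"""Hunt heuristic for calendar events abused as a covert channel.

Added example, not GTIG's or Google's code. Signals implemented:
  * encoded-description: the whole description is one long, strictly valid
    base64 token with enough character entropy to look like real data
  * zero-minute: start == end, the result-posting pattern described above
The JSON shape and the base64 assumption are illustrative only.
"""
import base64
import binascii
import json
import math
from datetime import datetime
from typing import Dict, List, Optional

ENTROPY_THRESHOLD = 4.0  # bits/char; tunable assumption that filters "AAAA..." style placeholders

# Constructed test data; field names mimic a generic calendar export (assumed schema).
SAMPLE_EVENTS_JSON = json.dumps([
    {"id": "evt-1", "summary": "Team sync",                 # ordinary meeting
     "start": "2025-05-30T09:00:00Z", "end": "2025-05-30T09:30:00Z",
     "description": "Weekly status meeting, bring your updates."},
    {"id": "evt-2", "summary": "Pay rent",                  # legitimate zero-minute reminder
     "start": "2025-05-30T08:00:00Z", "end": "2025-05-30T08:00:00Z",
     "description": "Transfer before noon"},
    {"id": "evt-3", "summary": "",                          # zero-minute, valid base64 but no entropy
     "start": "2025-05-30T00:00:00Z", "end": "2025-05-30T00:00:00Z",
     "description": "A" * 40},
    {"id": "evt-4", "summary": "",                          # zero-minute event carrying an encoded blob
     "start": "2025-05-30T00:00:00Z", "end": "2025-05-30T00:00:00Z",
     "description": base64.b64encode(
         b"host=WKS-0147;user=j.doe;dom=corp.local;ip=10.0.4.17;ver=10.0.19045").decode()},
    {"id": "evt-5", "summary": "Sync",                      # normal-length event carrying an encoded blob
     "start": "2025-05-29T10:00:00Z", "end": "2025-05-29T10:15:00Z",
     "description": base64.b64encode(b"cmd=whoami /all;cmd=ipconfig /all;sleep=3600").decode()},
])


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing Z, as calendar exports commonly use."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def shannon_entropy(text: str) -> float:
    """Bits per character: random base64 approaches 6, a repeated character gives 0."""
    if not text:
        return 0.0
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def decode_blob(description: str, min_len: int = 32) -> Optional[bytes]:
    """Return decoded bytes if the whole description is a single strict base64 token, else None."""
    token = description.strip()
    if len(token) < min_len or len(token) % 4 or any(ch.isspace() for ch in token):
        return None
    try:
        return base64.b64decode(token, validate=True)  # rejects any non-alphabet character
    except (binascii.Error, ValueError):
        return None


def assess(event: dict) -> List[str]:
    """Return the signals an event triggers; an empty list means it looks benign."""
    reasons: List[str] = []
    description = (event.get("description") or "").strip()
    if decode_blob(description) is not None and shannon_entropy(description) >= ENTROPY_THRESHOLD:
        reasons.append("encoded-description")
        # A zero-minute event is only interesting once the description already looks encoded;
        # plain zero-minute reminders (evt-2) are common and must not be flagged on their own.
        if parse_ts(event["start"]) == parse_ts(event["end"]):
            reasons.append("zero-minute")
    return reasons


def find_suspicious(events_json: str) -> Dict[str, List[str]]:
    """Map event id -> triggered signals for every event that triggers at least one."""
    return {e["id"]: r for e in json.loads(events_json) if (r := assess(e))}


if __name__ == "__main__":
    for event_id, reasons in find_suspicious(SAMPLE_EVENTS_JSON).items():
        print(event_id, ", ".join(reasons))
```

Run against the constructed sample, evt-4 is reported with both signals and evt-5 with only the encoded description; the ordinary meeting, the zero-minute reminder and the placeholder description are left alone. Against a real export the thresholds (minimum token length, entropy) are the knobs to tune, and the zero-minute signal is the one to weight most heavily, since that is the behaviour the article attributes to the result-posting step.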
To tackle the threat, GTIG developed custom detection signatures to identify and block APT41's malware. It also took down the associated Workspace accounts and calendar entries, and added the malicious files, domains and URLs to the Google Safe Browsing blocklist.
Google also confirmed that at least a few companies were targeted: "In collaboration with Mandiant Consulting, GTIG notified the compromised organizations," it said.
"We provided the notified organizations with a sample of TOUGHPROGRESS network traffic logs and information about the threat actor to help with detection and incident response."
It did not say how many companies were affected.