APT Hackers Turn Google Calendar Into Command Hub Using TOUGHPROGRESS Malware, Google Alerts

According to the Google Threat Intelligence Group (GTIG), a sophisticated malware campaign dubbed “TOUGHPROGRESS” has been uncovered, orchestrated by the notorious PRC-based threat actor APT41, also known as HOODOO.

Identified in late October 2024, the campaign uses a compromised government website to distribute malware and leverages Google Calendar as a command-and-control (C2) hub to manage compromised systems.

TOUGHPROGRESS campaign overview

Innovative Malware Exploits Google Calendar

APT41, known for targeting a wide array of sectors including global shipping, media, technology, and automotive industries, has once again demonstrated its knack for blending malicious activities with legitimate services, making detection a significant challenge for cybersecurity teams.


The TOUGHPROGRESS campaign begins with spear-phishing emails that lure victims into downloading a malicious ZIP archive from the exploited government site.

This archive contains an LNK file disguised as a PDF, accompanied by deceptive JPG images, two of which (“6.jpg” and “7.jpg”) are actually encrypted payloads, along with a DLL file responsible for decrypting them.

Dissecting the TOUGHPROGRESS Attack Chain

Upon execution, the malware deploys in three stages (PLUSDROP, PLUSINJECT, and TOUGHPROGRESS itself), each employing advanced evasion techniques such as memory-only payloads, process hollowing of legitimate “svchost.exe” processes, and intricate control-flow obfuscation using register-based indirect calls and 64-bit register overflow.

The final stage, TOUGHPROGRESS, interfaces with Google Calendar by creating zero-minute events on hardcoded dates like May 30, 2023, to exfiltrate encrypted data from compromised hosts, while polling for commands on subsequent dates.

Example of a Calendar event created by TOUGHPROGRESS

According to the report, GTIG, in collaboration with Mandiant FLARE, reverse-engineered the C2 encryption protocol, revealing a layered scheme combining LZNT1 compression with dual XOR-key encryption.
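A defender-side triage heuristic for the two traits described above, zero-minute events and opaque encrypted payloads stored in event bodies. This is an added example, not code from GTIG or the article; it assumes events in the Google Calendar API v3 event-resource shape (start/end dateTime, description) and uses constructed sample events, with the base64 blob standing in for an encrypted payload rather than real TOUGHPROGRESS data.

```python
import base64
import math
from collections import Counter
from datetime import datetime

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; compressed or encrypted data sits near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_like_encrypted_blob(text: str, min_len: int = 64, min_entropy: float = 5.5) -> bool:
    """True if the text is long, strictly valid base64 and decodes to a high-entropy buffer."""
    compact = "".join(text.split())
    if len(compact) < min_len:
        return False
    try:
        raw = base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return shannon_entropy(raw) >= min_entropy

def is_zero_minute(event: dict) -> bool:
    """True when start and end timestamps coincide (a zero-duration event)."""
    start = datetime.fromisoformat(event["start"]["dateTime"])
    end = datetime.fromisoformat(event["end"]["dateTime"])
    return start == end

def triage_events(events: list) -> dict:
    """Return {event_id: [reasons]} for events that show both C2-style traits."""
    flagged = {}
    for ev in events:
        reasons = []
        if is_zero_minute(ev):
            reasons.append("zero-minute event")
        if looks_like_encrypted_blob(ev.get("description", "")):
            reasons.append("high-entropy base64 description")
        if len(reasons) == 2:  # require both traits to limit false positives
            flagged[ev["id"]] = reasons
    return flagged

# Constructed sample events in Calendar API v3 shape; BLOB stands in for an encrypted payload.
BLOB = base64.b64encode(bytes(range(256))).decode()
SAMPLE_EVENTS = [
    {"id": "benign-1", "start": {"dateTime": "2023-05-30T09:00:00+00:00"},
     "end": {"dateTime": "2023-05-30T09:30:00+00:00"}, "description": "Agenda: roadmap review"},
    {"id": "reminder-1", "start": {"dateTime": "2023-05-30T10:00:00+00:00"},
     "end": {"dateTime": "2023-05-30T10:00:00+00:00"}, "description": "Pay the invoice"},
    {"id": "suspect-1", "start": {"dateTime": "2023-05-30T00:00:00+00:00"},
     "end": {"dateTime": "2023-05-30T00:00:00+00:00"}, "description": BLOB},
]
```

Only the event that is both zero-duration and carries a high-entropy blob is flagged; the ordinary zero-minute reminder is left alone, which is the trade-off the dual condition buys.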

In response, Google swiftly disrupted the campaign by developing custom detection signatures, dismantling attacker-controlled Workspace projects, updating Safe Browsing blocklists, and notifying affected organizations with critical threat intelligence.

This proactive stance underscores Google’s commitment to countering APT41’s persistent creativity, as seen in the group’s historical abuse of Workspace apps and in recent campaigns like VOLDEMORT and DUSTTRAP, which also exploited free web hosting services and URL shorteners for malware distribution.

Indicators of Compromise (IOCs)

