The Chinese state-sponsored hacking group APT41 was found abusing the GC2 (Google Command and Control) red teaming tool in data theft attacks against a Taiwanese media organization and an Italian job search company.
APT41, also known as HOODOO, is a Chinese state-sponsored hacking group known to target a wide range of industries in the USA, Asia, and Europe. Mandiant has been tracking the hacking group since 2014, saying its activities overlap with other known Chinese hacking groups, such as BARIUM and Winnti.
In Google’s April 2023 Threat Horizons Report, released last Friday, security researchers in its Threat Analysis Group (TAG) revealed that APT41 was abusing the GC2 red teaming tool in attacks.
GC2, also known as Google Command and Control, is an open-source project written in Go that was designed for red teaming activities.
“This program has been developed in order to provide a command and control that does not require any particular set up (like: a custom domain, VPS, CDN, …) during Red Teaming activities,” reads the project’s GitHub repository.
“Furthermore, the program will interact only with Google’s domains (*.google.com) to make detection more difficult.”
The project consists of an agent that is deployed on compromised devices, which then connects back to a Google Sheets URL to receive commands to execute.
These commands cause the deployed agents to download and install additional payloads from Google Drive or exfiltrate stolen data to the cloud storage service.
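Because the agent described above talks only to Google services, blocking by domain is not practical; a defender can instead look for which process is talking to Sheets or Drive and how regularly. The following is an added detection sketch, not code from GC2 or from Google's report. The log format, host and process names, hostname list, browser allowlist and thresholds are all assumptions to adapt to local telemetry.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample telemetry (not real data): epoch_seconds,host,process,destination
SAMPLE = """\
1000,ws-01,chrome.exe,docs.google.com
1130,ws-01,chrome.exe,sheets.googleapis.com
1000,ws-02,svc_update.exe,sheets.googleapis.com
1005,ws-02,svc_update.exe,sheets.googleapis.com
1010,ws-02,svc_update.exe,sheets.googleapis.com
1016,ws-02,svc_update.exe,www.googleapis.com
1020,ws-02,svc_update.exe,sheets.googleapis.com
1025,ws-02,svc_update.exe,sheets.googleapis.com
1000,ws-03,python.exe,sheets.googleapis.com
4000,ws-03,python.exe,sheets.googleapis.com
1000,ws-04,backup.exe,www.googleapis.com
1100,ws-04,backup.exe,www.googleapis.com
1110,ws-04,backup.exe,www.googleapis.com
1500,ws-04,backup.exe,www.googleapis.com
1505,ws-04,backup.exe,www.googleapis.com
2600,ws-04,backup.exe,www.googleapis.com
"""

# Assumption: hostnames that carry Sheets/Drive traffic in this environment.
GOOGLE_HOSTS = {"sheets.googleapis.com", "www.googleapis.com",
                "docs.google.com", "drive.google.com"}
# Assumption: processes that are expected to reach Google Workspace.
EXPECTED = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

def find_beacons(log_text, min_events=5, max_jitter=0.2):
    """Return (host, process, mean_gap_seconds) for unexpected processes that
    contact Google hosts at near-constant intervals, as a polling agent would."""
    seen = defaultdict(list)
    for ts, host, proc, dest in csv.reader(io.StringIO(log_text)):
        if dest.lower() in GOOGLE_HOSTS and proc.lower() not in EXPECTED:
            seen[(host, proc)].append(float(ts))
    hits = []
    for (host, proc), times in sorted(seen.items()):
        if len(times) < min_events:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: low values mean machine-like regularity.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((host, proc, round(mean, 1)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE):
        print("possible Sheets/Drive polling:", hit)
```

Hits are leads for triage rather than verdicts: legitimate sync clients and automation scripts also poll Google APIs and belong on the allowlist once verified.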
GC2 abused in attacks
According to Google’s report, TAG disrupted an APT41 phishing attack against a Taiwanese media company that attempted to distribute the GC2 agent through phishing emails.
“In October 2022, Google’s Threat Analysis Group (TAG) disrupted a campaign from HOODOO, a Chinese government-backed attacker also known as APT41, that targeted a Taiwanese media organization by sending phishing emails that contained links to a password protected file hosted in Drive,” explained the Google Threat Horizons report.
“The payload was an open source red teaming tool called ‘Google Command and Control’ (GC2).”
Google says that APT41 also used GC2 in attacks against an Italian job search website in July 2022.
Using the agent, Google says that the threat actors attempted to deploy additional payloads on the device and exfiltrate data to Google Drive, as illustrated in the attack workflow below.
While it is not known what malware was distributed in these attacks, APT41 is known to deploy a wide variety of malware on compromised systems.
A 2019 Mandiant report explains that the threat actors utilize rootkits, bootkits, custom malware, backdoors, Point of Sale malware, and even ransomware in an isolated incident.
The threat actors have also been known to deploy the Winnti malware and the China Chopper web shell, tools commonly used by Chinese hacking groups, and Cobalt Strike for persistence in compromised networks.
In 2020, the Department of Justice indicted three Chinese nationals believed to be part of APT41 for conducting supply chain attacks [CCleaner, ShadowPad, ShadowHammer], data theft, and breaches against countries worldwide.
BleepingComputer contacted Google to learn more about the payloads they saw in these attacks, but a response was not immediately available.
A shift to legitimate tools
APT41’s use of GC2 is another indicator of a trend of threat actors moving to legitimate red teaming tools and RMM platforms as part of their attacks.
While the use of Cobalt Strike in attacks has been widespread for years, it has also led to significant investment in detecting it, making it more easily spotted by defenders.
Due to this, threat actors have started to shift to other red teaming tools, such as Brute Ratel and Sliver, to evade detection during their attacks.
More recently, ransomware gangs have begun abusing the Action1 remote monitoring and management (RMM) tool for persistence on compromised networks and to execute commands, scripts, and binaries.
Unfortunately, any tool that helps red teamers conduct exercises or admins manage a network remotely can equally be abused by threat actors in their own attacks.