According to the Google Threat Intelligence Group (GTIG), a group of hackers was using Google Calendar as a communication channel to extract sensitive information from victims. The tech giant's cyber-security division discovered a compromised government website in October 2024 and found that malware was being distributed through it. Once the malware infects a device, it creates a backdoor that uses Google Calendar and allows the operator to extract data. GTIG has already taken down the calendar accounts and other systems that the hackers were using.
Google Calendar used by China-linked hackers as a Command and Control (C2) channel
GTIG detailed the malware's distribution method, how it works, and the measures Google's team took to protect users and its products. The hacker group behind this attack is APT41, also known as HOODOO, a threat group believed to be associated with the Chinese government.
GTIG's investigation revealed that APT41 used spear phishing to deliver the malware to its targets. Spear phishing is a targeted form of phishing in which attackers personalize emails to specific individuals.
These emails contained a link to a ZIP archive hosted on the compromised government website. When an unsuspecting recipient opened the archive, it contained a Windows shortcut file (.LNK) disguised to look like a PDF, along with a folder.
Overview of how the malware works (image credit: GTIG)
This folder contained seven JPG images of arthropods (insects, spiders, and so on). GTIG highlighted that the sixth and seventh entries, however, are decoys: they are actually an encrypted payload and a dynamic-link library (DLL) file that decrypts the payload.
When the target clicks the LNK file, it triggers both files. The LNK file also deletes itself and is replaced with a decoy PDF that is shown to the user. This document states that the species shown must be declared for export, masking the intrusion and avoiding suspicion.
Once the malware has infected a device, it operates in three stages, each performing a function in sequence. GTIG stated that all three stages use various stealth techniques to avoid detection.
The first stage decrypts and runs a DLL called PLUSDROP directly in memory. The second stage starts a legitimate Windows process and performs process hollowing, a technique attackers use to run malicious code under the guise of a legitimate process, to inject the final payload.
The final payload, TOUGHPROGRESS, carries out malicious tasks on the device and communicates with the attacker through Google Calendar, using the cloud-based app as its Command and Control (C2) channel.
The malware adds a zero-minute calendar event on a hardcoded date (30 May 2023) and stores encrypted data from the compromised computer in the event's description.
It also creates two other events on hardcoded dates (30 and 31, 2023), which give the attacker a back door for communicating with the malware. TOUGHPROGRESS regularly polls the calendar for these two events.
When the attacker places an encrypted command in one of them, the malware decrypts and executes it, then sends the results back by creating another zero-minute event containing the encrypted output.
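A defender-side hunting check for the calendar artifacts described above (an added example, not code from GTIG or Google): it flags zero-minute events, events on the hardcoded date the article names, and descriptions that look like ciphertext rather than prose. Event records mimic Google Calendar API JSON; the sample events, the entropy threshold and the `inspect_event`/`hunt` names are my assumptions.

```python
"""Hunt for Google Calendar events that resemble the C2 channel above.
Added example, not GTIG's or Google's code. Records mimic Google Calendar
API event JSON (start/end dateTime, description); all samples are constructed."""
import math
import string
from collections import Counter
from datetime import datetime

# Only the fully stated hardcoded date is used here (assumption: the
# other two dates are given without a month in the article).
SUSPECT_DATES = {"2023-05-30"}
ENTROPY_THRESHOLD = 4.5  # bits/char; assumed cut-off for ciphertext-like text
BASE64_ALPHABET = string.ascii_letters + string.digits + "+/"  # 64 symbols

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or encrypted blobs score far above prose."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def inspect_event(event: dict) -> list:
    """Return the reasons an event looks like C2 (empty list means benign)."""
    start = datetime.fromisoformat(event["start"]["dateTime"])
    end = datetime.fromisoformat(event["end"]["dateTime"])
    desc = event.get("description", "")
    reasons = []
    if (end - start).total_seconds() == 0:
        reasons.append("zero-minute event")
    if start.date().isoformat() in SUSPECT_DATES:
        reasons.append("hardcoded C2 date")
    if len(desc) >= 64 and shannon_entropy(desc) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy description")
    return reasons

def hunt(events: list) -> dict:
    """Map event id -> reasons for every event with at least one reason."""
    return {e["id"]: r for e in events if (r := inspect_event(e))}

# Constructed sample events, not real data.
SAMPLE_EVENTS = [
    {"id": "standup", "description": "Weekly team sync",
     "start": {"dateTime": "2025-05-28T09:00:00+00:00"},
     "end": {"dateTime": "2025-05-28T09:30:00+00:00"}},
    {"id": "beacon", "description": "<constructed ciphertext>",
     "start": {"dateTime": "2023-05-30T00:00:00+00:00"},
     "end": {"dateTime": "2023-05-30T00:00:00+00:00"}},
]
```

Feed it the event list returned by a Calendar API export for an account under investigation; any event with two or more reasons deserves a closer look.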
To disrupt the campaign, GTIG developed custom detection methods to identify and take down APT41's Google Calendar accounts. The team also terminated the attacker-controlled Google Workspace projects, effectively disabling the infrastructure used in the operation.
Google also updated its malware detection systems and blocked the malicious domains and URLs through Google Safe Browsing.
GTIG has also notified the affected organizations and provided them with details of the malicious network traffic and the threat actor to help with their detection, investigation and response efforts.