- Google has found Chinese hackers abusing Google Calendar
- The service was used to host malicious instructions and to exfiltrate the results
- The Durprogress campaign was run by the Chinese state-sponsored hackers APT41
Chinese state-sponsored hackers known as APT41 have been seen abusing Google Calendar in their latest attacks, using it as part of their command-and-control (C2) infrastructure.
The Google Threat Intelligence Group (GTIG) recently discovered the technique, dismantled the attackers' configuration and introduced changes to prevent similar attacks in the future.
The attack begins with a previously compromised government website. GTIG did not explain how the site was compromised, but said it was used to host a .zip archive. This archive is then shared with potential targets via phishing emails.
Reading the calendar
Inside the zip are three files: a DLL and an executable, both pretending to be JPG images, and a Windows shortcut (LNK) file pretending to be a PDF document.
When the victim tries to open the fake PDF, they execute the shortcut, which in turn activates the DLL.
That file then decrypts and launches the third file, the malicious payload nicknamed “Durprogress”.
The malware then reads additional instructions shared in two specific Google Calendar events. The commands are stored either in the description field or in hidden events.
To share the results, the malware creates a new zero-minute calendar event on May 30 and places the data, encrypted, in the event's description.
Because the malware is never actually written to disk, and because C2 communication takes place over a legitimate Google service, most security products will find the attack hard to spot, Google suggests.
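One way a defender can hunt for the pattern described above in a Google Calendar export, as an added example that is not part of the original article or GTIG's tooling: flag zero-minute events whose description is a single opaque, high-entropy token rather than readable text. The event records are constructed samples in the shape of Google Calendar API events, not data from the campaign.

```python
import json
import math
from collections import Counter
from datetime import datetime

# Constructed sample records in Google Calendar API event shape (not data from the campaign).
SAMPLE_EVENTS_JSON = json.dumps([
    {"id": "evt-1", "summary": "Team sync",
     "start": {"dateTime": "2025-05-30T09:00:00Z"},
     "end": {"dateTime": "2025-05-30T09:30:00Z"},
     "description": "Weekly status meeting, bring your notes."},
    {"id": "evt-2", "summary": "",
     "start": {"dateTime": "2025-05-30T11:42:00Z"},
     "end": {"dateTime": "2025-05-30T11:42:00Z"},
     "description": "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q="},   # zero minutes + opaque blob
    {"id": "evt-3", "summary": "Reminder",
     "start": {"dateTime": "2025-05-30T15:00:00Z"},
     "end": {"dateTime": "2025-05-30T15:00:00Z"},
     "description": "Call the dentist back"},               # zero minutes, but plain text
    {"id": "evt-4", "summary": "Company holiday",
     "start": {"date": "2025-05-30"}, "end": {"date": "2025-05-31"}},  # all-day, no text
])

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or encrypted blobs sit well above ordinary prose."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def event_minutes(event: dict):
    """Duration in minutes, or None for all-day events (they carry 'date', not 'dateTime')."""
    try:
        start = datetime.fromisoformat(event["start"]["dateTime"].replace("Z", "+00:00"))
        end = datetime.fromisoformat(event["end"]["dateTime"].replace("Z", "+00:00"))
    except KeyError:
        return None
    return (end - start).total_seconds() / 60

def looks_opaque(description: str, min_len: int = 32, min_entropy: float = 3.5) -> bool:
    """One unbroken token, long enough to carry a payload, with entropy above prose levels."""
    return (len(description) >= min_len
            and not any(ch.isspace() for ch in description)
            and shannon_entropy(description) >= min_entropy)

def flag_suspicious_events(raw_json: str) -> list:
    """Return ids of zero-duration events whose description looks like an encoded blob."""
    return [ev["id"] for ev in json.loads(raw_json)
            if event_minutes(ev) == 0 and looks_opaque(ev.get("description", ""))]
```

The thresholds are heuristics to tune against a tenant's normal calendar traffic; hidden events must be included in the export, since the article notes commands can also live there.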
To counter the threat, GTIG developed custom detection signatures to identify and block the APT41 malware. It also took down the associated Workspace accounts and calendar entries. In addition, the team updated file detections and added the malicious domains and URLs to the Google Safe Browsing block list.
Google also confirmed that at least a few companies were targeted: “In partnership with Mandiant Consulting, GTIG notified compromised organizations,” it said.
“We have provided notified organizations with a sample of Durprogress network traffic logs and information on the threat actor to aid detection and incident response.”
It did not say how many companies were affected.
Via BleepingComputer