China’s APT41 Uses Google Calendar as C2 for TOUGHPROGRESS Malware

Threat actors linked to the Chinese state-sponsored group widely known as APT41 have been observed employing a novel and stealthy technique for managing their infected systems. Instead of relying on traditional, easily detectable infrastructure, they are leveraging legitimate web services, specifically Google Calendar, to establish command and control (C2) communications for their TOUGHPROGRESS malware.

This sophisticated approach allows APT41 to blend their malicious traffic with legitimate network activity, making it significantly harder for security teams to detect and block. The TOUGHPROGRESS malware, once installed on a victim’s computer, uses the seemingly innocuous Google Calendar API to receive instructions.

Here’s how the technique reportedly works: the malware is hardcoded with specific Google account credentials or a shared calendar ID, and it regularly queries that calendar for updates. APT41 operators add events to the shared calendar with hidden or encoded commands placed in the event details or location fields. The malware retrieves these event details, decodes the commands, and executes them on the compromised system. The commands vary, ranging from uploading stolen data and downloading additional malicious tools to maintaining persistence on the network.

Using Google Calendar as a C2 channel offers several advantages for APT41. Firstly, it utilizes standard HTTPS traffic directed towards a trusted domain (google.com), which is rarely blocked by firewalls or intrusion detection systems. Secondly, the volume of legitimate traffic to Google Calendar is enormous, effectively hiding the smaller volume of malicious C2 communications within the noise. Thirdly, setting up and managing communication through a widely available web service like Google Calendar is relatively simple and low-cost for the attackers.

This tactic highlights the evolving landscape of cybersecurity threats. Threat actors are continuously adapting their methods to evade detection, moving away from easily identifiable malicious infrastructure towards abusing legitimate cloud services. This makes traditional network-based detection mechanisms less effective and puts more pressure on endpoint security and behavioral analysis.

For organizations, this discovery underscores the importance of comprehensive security strategies. Monitoring network traffic alone is insufficient. It is crucial to implement strong endpoint detection and response (EDR) solutions that can identify suspicious process behavior and communication patterns, even when that communication goes through legitimate services. Furthermore, understanding the tactics, techniques, and procedures (TTPs) used by sophisticated groups like APT41 is vital for developing effective defenses.
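The two observations above (the malware polls a shared calendar on a schedule, and endpoint telemetry is where that stands out) translate into a concrete hunt. The following is an added example, not code from the article or from any vendor report: it profiles proxy or EDR connection records, groups Google Calendar API requests by host and process, and flags the combination the article describes, an unexpected process polling the Calendar API at a machine-regular cadence. The log format, the process names, the allow-list of processes expected to use Calendar, and every sample line are constructed for this example; the `www.googleapis.com` host and `/calendar/v3/` path are the public Calendar REST endpoint and should be adjusted to whatever your logs actually record.

```python
"""Added detection example (not from the article): flag endpoints where an
unexpected process polls the Google Calendar API on a fixed schedule.
Log format and all sample lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: Calendar REST API traffic shows up as this host/path prefix.
CALENDAR_HOST = "www.googleapis.com"
CALENDAR_PATH_PREFIX = "/calendar/v3/"
# Assumption: processes that legitimately talk to Calendar in this estate.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Constructed log: <utc-timestamp> <host> <process> <dest-host> <path>
SAMPLE_LOG = """\
2025-05-28T10:00:00Z ws-17 chrome.exe www.googleapis.com /calendar/v3/calendars/primary/events
2025-05-28T10:00:05Z ws-42 svchost_upd.exe www.googleapis.com /calendar/v3/calendars/abc/events
2025-05-28T10:30:05Z ws-42 svchost_upd.exe www.googleapis.com /calendar/v3/calendars/abc/events
2025-05-28T11:00:05Z ws-42 svchost_upd.exe www.googleapis.com /calendar/v3/calendars/abc/events
2025-05-28T11:30:04Z ws-42 svchost_upd.exe www.googleapis.com /calendar/v3/calendars/abc/events
2025-05-28T10:12:00Z ws-17 chrome.exe www.googleapis.com /calendar/v3/calendars/primary/events
2025-05-28T10:55:00Z ws-17 chrome.exe www.googleapis.com /calendar/v3/calendars/primary/events
2025-05-28T09:00:00Z ws-23 python.exe www.googleapis.com /calendar/v3/calendars/team/events
2025-05-28T09:07:00Z ws-23 python.exe www.googleapis.com /calendar/v3/calendars/team/events
2025-05-28T09:45:00Z ws-23 python.exe www.googleapis.com /calendar/v3/calendars/team/events
2025-05-28T10:03:00Z ws-09 updater.exe www.googleapis.com /drive/v3/files
"""


def parse_line(line):
    """Split one constructed log record into a dict with a timezone-aware timestamp."""
    ts, host, proc, dest, path = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host, "process": proc, "dest": dest, "path": path,
    }


def profile_calendar_traffic(log_text, min_requests=3, max_cv=0.1):
    """Group Calendar API requests by (host, process) and measure how regular they are.

    Regularity is the coefficient of variation of the inter-request gaps:
    a human clicking around produces irregular gaps, a polling loop does not."""
    groups = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["dest"] == CALENDAR_HOST and rec["path"].startswith(CALENDAR_PATH_PREFIX):
            groups[(rec["host"], rec["process"])].append(rec["ts"])

    profiles = []
    for (host, proc), stamps in sorted(groups.items()):
        stamps.sort()  # log lines are not guaranteed to arrive in time order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = mean(gaps) if gaps else 0.0
        periodic = False
        if len(stamps) >= min_requests and mean_gap > 0:
            periodic = (pstdev(gaps) / mean_gap) <= max_cv
        profiles.append({
            "host": host, "process": proc, "requests": len(stamps),
            "mean_interval_s": round(mean_gap, 1), "periodic": periodic,
            "expected_process": proc in EXPECTED_PROCESSES,
        })
    return profiles


def suspicious_calendar_pollers(log_text, **kwargs):
    """Profiles worth an analyst's attention: unexpected process AND regular polling."""
    return [p for p in profile_calendar_traffic(log_text, **kwargs)
            if not p["expected_process"] and p["periodic"]]


if __name__ == "__main__":
    for p in suspicious_calendar_pollers(SAMPLE_LOG):
        print(f"{p['host']}: {p['process']} hit the Calendar API "
              f"{p['requests']}x, every ~{p['mean_interval_s']}s")
```

On the constructed data only `ws-42` is reported: `chrome.exe` on `ws-17` is on the allow-list and its requests are irregular anyway, the ad-hoc `python.exe` script on `ws-23` is unexpected but not periodic, and `ws-09` never touches the Calendar path. Tune `max_cv` and `min_requests` to your own baseline; a real beacon may add jitter, so pair this with the process-level signals (unsigned binary, unusual parent, no user session) that EDR provides.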

The use of legitimate services for malicious purposes is a growing trend. By adapting their C2 infrastructure to blend in with everyday internet traffic, APT41 demonstrates a high level of operational security and a commitment to staying ahead of defensive measures. Staying vigilant and implementing layered security controls are essential to protect against such advanced cyber threats.

Source: https://securityaffairs.com/178424/apt/china-linked-apt41-used-google-calendar-as-c2-to-control-its-toughprogress-malware.html
