
Hackers have used all sorts of unusual command and control (C2) paths over the years to exfiltrate data or control malware once they’ve hit a target – think queued print jobs, the Slack API, or other exotica.
The latest addition to that list is Google Calendar: Google Threat Intelligence Group (GTIG) has seen the China-based threat group tracked as APT41 encrypting stolen data and then hiding it in Calendar event descriptions.
The technique was proposed earlier, in the 2023 Google Calendar RAT proof of concept. GTIG has now shown the approach being used in the wild by APT41, which is deploying a malware payload dubbed TOUGHPROGRESS.
The same group has previously used Google Sheets and Google Drive for C2. More recently it has also been seen using Cloudflare Worker subdomains to distribute malware, Google’s threat intel team said.
Per Google’s write-up:
TOUGHPROGRESS has the capability to read and write events with an attacker-controlled Google Calendar. Once executed, TOUGHPROGRESS creates a zero-minute Calendar event at a hardcoded date, 2023-05-30, with data collected from the compromised host being encrypted and written in the Calendar event description.
The operator places encrypted commands in Calendar events on 2023-07-30 and 2023-07-31, which are predetermined dates also hardcoded into the malware. TOUGHPROGRESS then begins polling Calendar for these events. When an event is retrieved, the event description is decrypted and the command it contains is executed on the compromised host. Results from the command execution are encrypted and written back to another Calendar event.
Working with Mandiant’s Flare team, Google reverse-engineered the C2 encryption scheme the malware uses: a hardcoded 10-byte XOR key from which a per-message 4-byte XOR key is derived. (A $75 billion annual capex budget buys you a lot of raw compute to break encryption; smart people too, of course…)
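As an added illustration (not code from Google’s report or this article), here is a Python hunting heuristic a defender could run over an exported list of Calendar events, flagging any that combine the indicators in the write-up above: one of the hardcoded dates, a zero-minute duration, and an opaque description. The Calendar-API-style record shape and the assumption that the description is a base64 blob are mine, and the sample events are constructed.

```python
import base64
from datetime import datetime

# Dates GTIG says are hardcoded in TOUGHPROGRESS: check-in (05-30) and operator tasking (07-30, 07-31)
HARDCODED_DATES = {"2023-05-30", "2023-07-30", "2023-07-31"}


def looks_encoded(description: str) -> bool:
    """True if the description is one opaque base64 blob (the encoding is assumed)."""
    compact = "".join(description.split())
    if len(compact) < 32:  # assumption: a payload runs longer than a short meeting note
        return False
    try:
        base64.b64decode(compact, validate=True)  # rejects non-alphabet characters
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def is_zero_minute(event: dict) -> bool:
    """Start equals end: the zero-minute event shape described in the write-up."""
    start = datetime.fromisoformat(event["start"]["dateTime"])
    return start == datetime.fromisoformat(event["end"]["dateTime"])


def suspicious_events(events: list) -> list:
    """Return (event id, reasons) for events matching at least two indicators."""
    hits = []
    for ev in events:
        reasons = []
        if ev["start"]["dateTime"][:10] in HARDCODED_DATES:
            reasons.append("hardcoded C2 date")
        if is_zero_minute(ev):
            reasons.append("zero-minute event")
        if looks_encoded(ev.get("description", "")):
            reasons.append("opaque description")
        if len(reasons) >= 2:  # any single indicator alone is too noisy to alert on
            hits.append((ev["id"], reasons))
    return hits


def _ev(eid, start, end, desc):  # builds a constructed, Calendar-API-shaped record
    return {"id": eid, "start": {"dateTime": start}, "end": {"dateTime": end}, "description": desc}


# Constructed sample export. BLOB is base64 of placeholder text, not real C2 traffic.
BLOB = base64.b64encode(b"constructed placeholder standing in for an encrypted C2 message").decode()
SAMPLE_EVENTS = [
    _ev("evt-sync", "2023-05-30T10:00:00+00:00", "2023-05-30T11:00:00+00:00",
        "Weekly sync with the platform team. Agenda: roadmap review."),
    _ev("evt-beacon", "2023-05-30T00:00:00+00:00", "2023-05-30T00:00:00+00:00", BLOB),
    _ev("evt-task", "2023-07-30T00:00:00+00:00", "2023-07-30T00:00:00+00:00", BLOB),
]
```

The ordinary meeting on 2023-05-30 matches only the date and is not flagged; the two zero-minute events carrying blobs are.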
Google has published a more detailed report with IOCs and YARA rules here.