According to Google's Threat Intelligence Group (GTIG), Google Calendar was being used as a communications channel by a group of hackers. Google's threat intelligence team discovered a compromised official website in October 2024 and found that malware was being distributed through it. Once the malware infects a device, it opens a backdoor through Google Calendar and lets the operator extract data. GTIG has since taken down the Calendar accounts and other infrastructure the hackers were using.
Google Calendar used as a command and control (C2) channel linked to China
GTIG detailed how the malware worked and the measures the Google team took to protect users and its products. The hacking group associated with the attack is said to be APT41, also known as HOODOO, a threat group believed to be linked to the Chinese government.
The GTIG investigation revealed that APT41 used spear phishing to deliver the malware to its targets. Spear phishing is a targeted form of phishing in which the attackers personalize emails for specific people.
These emails contained a link to a ZIP archive hosted on a compromised official website. When an unsuspecting person opened the archive, it contained a Windows shortcut (.lnk) file disguised as a PDF, alongside a folder.
Overview of how the malware works
Photo Credit: GTIG
The folder contained seven JPG images of arthropods (insects, spiders, etc.). GTIG highlights that the sixth and seventh images, however, are decoys: one actually contains an encrypted payload and the other is a dynamic link library (DLL) file that decrypts the payload.
When the target clicks the LNK file, it triggers both files. Interestingly, the LNK file then deletes itself and is replaced with a decoy PDF, which is shown to the user. This document states that certain species need to be declared for export; it likely serves to mask the hacking effort and avoid suspicion.
Once the malware infects a device, it runs in three stages, each with its own job. GTIG highlights that all three stages use various stealth techniques to avoid detection.
In the first stage, a DLL called PLUSDROP decrypts and runs the next stage directly in memory. In the second stage, a legitimate Windows process is launched and process hollowing (a technique attackers use to run malicious code under the guise of a legitimate process) is used to inject the final payload.
The final payload, TOUGHPROGRESS, performs the malicious tasks on the device and talks to the attacker through Google Calendar. It uses the cloud-based app as a command and control (C2) channel.
The malware creates a zero-minute calendar event on a hard-coded date (May 30, 2023) and stores encrypted data collected from the compromised computer in the event's description field.
It also creates two other events on hard-coded dates (July 30 and 31, 2023), which give the attacker a backdoor for communicating with the malware. TOUGHPROGRESS regularly polls the calendar for these two events.
When the attacker sends an encrypted command, the malware decrypts and executes it. It then sends back the result by creating another zero-minute event containing the encrypted output.
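The calendar C2 pattern just described (zero-minute events on three hard-coded dates, carrying encrypted blobs in the description field) lends itself to a simple hunt over calendar event data. The following Python is an added defensive example, not code from GTIG or from this article; it assumes events exported in the shape of Google Calendar API event resources and runs over constructed sample data.

```python
import json
import math
from datetime import datetime

# Hard-coded dates from the GTIG write-up: the exfiltration event (May 30)
# and the two command events the malware polls for (July 30 and 31).
HARDCODED_DATES = {"2023-05-30", "2023-07-30", "2023-07-31"}

# Constructed sample shaped like Google Calendar API event resources (only
# start/end/summary/description are used); the descriptions are made up.
SAMPLE_EVENTS = json.dumps([
    {"summary": "Team sync", "description": "Weekly status meeting",
     "start": {"dateTime": "2023-05-30T09:00:00Z"},
     "end": {"dateTime": "2023-05-30T09:30:00Z"}},
    {"summary": "", "description": "kTq9P2hX/8aZ+vLm0QwRbN3YcE7sJ1dUfH5oGi6tAe4n==",
     "start": {"dateTime": "2023-05-30T00:00:00Z"},
     "end": {"dateTime": "2023-05-30T00:00:00Z"}},
    {"summary": "", "description": "Zm9vYmFyYmF6cXV4cXV1eHh4eXl5enp6MDEyMzQ1Njc4OQ==",
     "start": {"dateTime": "2023-07-31T00:00:00Z"},
     "end": {"dateTime": "2023-07-31T00:00:00Z"}},
])


def shannon_entropy(text):
    """Bits per character; encrypted or base64 blobs score well above prose."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n)
                for c in (text.count(ch) for ch in set(text)))


def flag_suspicious_events(events_json, entropy_threshold=4.0):
    """Return zero-minute events on the hard-coded dates, noting whether the
    description looks opaque (encrypted data) rather than human text."""
    findings = []
    for ev in json.loads(events_json):
        start = datetime.fromisoformat(ev["start"]["dateTime"].replace("Z", "+00:00"))
        end = datetime.fromisoformat(ev["end"]["dateTime"].replace("Z", "+00:00"))
        if start != end or start.date().isoformat() not in HARDCODED_DATES:
            continue  # ordinary meetings fail at least one of these tests
        desc = ev.get("description", "")
        findings.append({
            "date": start.date().isoformat(),
            "opaque_description": shannon_entropy(desc) > entropy_threshold,
            "description_length": len(desc),
        })
    return findings


if __name__ == "__main__":
    print(flag_suspicious_events(SAMPLE_EVENTS))
```

The date filter is specific to this campaign; for broader hunting, drop it and alert on any zero-minute event whose description is a high-entropy blob.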
To disrupt the campaign, GTIG developed custom detection methods to identify and remove the Google Calendar accounts used by APT41. The team also shut down the attacker's Google Workspace projects, effectively disabling the infrastructure used in the operation.
In addition, Google updated its malware detection systems and blocked the malicious domains and URLs using Google Safe Browsing.
GTIG also notified the affected organizations and provided them with malware samples, network traffic details and threat actor information to help them detect, investigate and respond.


