APT41 Deploys TOUGHPROGRESS Malware Via Government Website & Google Calendar C2


Researchers uncovered an advanced cyber campaign by APT41 (also known as HOODOO), a state-sponsored threat group linked to the People’s Republic of China (PRC). The campaign used a compromised government website to host the archive that delivers TOUGHPROGRESS, and TOUGHPROGRESS in turn uses Google Calendar for Command-and-Control (C2): a deliberate misuse of a trusted cloud service so that C2 traffic blends into ordinary HTTPS traffic to Google. The campaign targeted government institutions and major industries across multiple regions, using obfuscated multi-stage malware and encrypted communications.

Severity Level: High

THREAT OVERVIEW:

  1. Threat Actor Attribution: APT41 (HOODOO)
    • APT41 is a well-documented cyber espionage and financially motivated group operating under the interests of the People’s Republic of China (PRC). Their activities span both state-sponsored espionage and profit-driven operations. APT41 is known for its versatility, operational discipline, and creative use of cloud-based infrastructure for stealthy communications.
    • This campaign is consistent with APT41’s past activities: earlier malware such as VOLDEMORT and DUSTTRAP similarly abused public cloud services, and the group’s recent campaigns have used Google Drive, Google Sheets, and now Google Calendar as part of their malware infrastructure.
  2. Attack Flow
    • The attack begins with spear phishing emails sent to targeted government and private sector entities. The emails link to a malicious ZIP file hosted on a compromised government website. Inside the ZIP is an LNK file disguised as a PDF and a directory of files that appear to be images.
    • When a victim clicks the LNK file, it triggers an execution chain involving several malicious components:
      • “6.jpg” is not an image but an encrypted payload.
      • “7.jpg” is the first-stage DLL, PLUSDROP, which decrypts “6.jpg” and executes the next stage in memory.
      • That next stage, PLUSINJECT, launches a legitimate svchost.exe and hollows it, injecting the final payload into the hollowed process.
      • Finally, TOUGHPROGRESS, the main payload, runs inside svchost.exe to conduct post-exploitation tasks and establish C2.
    • The malware is engineered with multiple layers of obfuscation and evasion, including:
      • control flow obfuscation;
      • 64-bit register-indirect dynamic API resolution (API addresses are resolved at run time into registers and called indirectly, so static imports and simple call-target analysis reveal little);
      • 64-bit arithmetic overflow tricks that hide constants and branch targets from disassemblers;
      • payloads stored XOR-encrypted and LZNT1-compressed, decrypted and decompressed only in memory, so the plaintext stage never touches disk.
    • Cloudflare Workers, InfinityFree, and TryCloudflare were used as malware hosting platforms in other concurrent APT41 campaigns.
  3. TOUGHPROGRESS Malware and Google Calendar C2
    • TOUGHPROGRESS is particularly notable for its abuse of Google Calendar as its command-and-control platform. Once running, it creates a zero-minute Calendar event at a hardcoded date (May 30, 2023) and embeds encrypted data collected from the host in the event description field.
    • Subsequent commands from the threat actor are delivered via Calendar events scheduled for other hardcoded dates (e.g., July 30–31, 2023).
    • The malware polls the calendar for these events, decrypts their contents, and executes the received commands on the compromised machine. Results are then encrypted and written back to the attacker-controlled calendar as another event, using the same mechanism.
    • Because the implant only ever talks to Google’s own Calendar endpoints over TLS, this “living off the cloud” approach defeats domain-reputation and URL blocking and gives network security appliances no unusual destination to flag; to a proxy it looks like a user syncing a calendar. The detection opportunity moves to the endpoint (the hollowed svchost.exe) and to the Workspace side (who created these events, and why do they have zero duration, hardcoded past dates, and opaque descriptions).
  4. Affected Regions and Sectors
    • Based on telemetry and victimology patterns, the targets of this campaign span multiple continents, with observed activity in North America, Europe, and East and Southeast Asia.
    • The targeted sectors include Government and Public Sector, Technology, Global Shipping and Logistics, Media and Entertainment, and Automotive Manufacturing.
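The Calendar-side indicators described above (zero-minute events, hardcoded dates far in the past, encrypted blobs in the description) can be triaged from calendar-event creation records. The following is an added example written for this advisory; it is not code from the original page, from Google, or from the malware. The record layout is a simplified export assumed by the example, not the real Google Workspace Calendar audit-log schema, and the sample records and the “encrypted” descriptions are constructed.

```python
"""Triage calendar-event creation records for TOUGHPROGRESS-style Google Calendar C2.

Added example for this advisory; not code from the original page, from Google,
or from the malware. It scores three indicators: zero-minute events, events pinned
to dates far in the past, and descriptions that look like ciphertext, not text.
"""
import base64
import hashlib
import math
import re
from datetime import datetime, timedelta

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _opaque_blob(seed: bytes, blocks: int = 4) -> str:
    """Deterministic stand-in for an encrypted event body (constructed, not real C2 data)."""
    out, h = b"", seed
    for _ in range(blocks):
        h = hashlib.sha256(h).digest()
        out += h
    return base64.b64encode(out).decode()


# Constructed sample records. The field names are an assumption of this example
# (a simplified export), not the real Google Workspace Calendar audit-log schema.
SAMPLE_RECORDS = [
    {"event_id": "evt-0001", "created": "2025-05-12T09:00:00+00:00",
     "start": "2025-05-14T15:00:00+00:00", "end": "2025-05-14T15:30:00+00:00",
     "description": "Quarterly planning sync, agenda in the shared doc."},
    # Beacon-style event: zero minutes, dated two years earlier, opaque body.
    {"event_id": "evt-0002", "created": "2025-05-12T09:03:21+00:00",
     "start": "2023-05-30T00:00:00+00:00", "end": "2023-05-30T00:00:00+00:00",
     "description": _opaque_blob(b"host-recon")},
    # Tasking-style event on another hardcoded past date.
    {"event_id": "evt-0003", "created": "2025-05-12T11:40:05+00:00",
     "start": "2023-07-30T00:00:00+00:00", "end": "2023-07-30T00:00:00+00:00",
     "description": _opaque_blob(b"operator-task")},
    # Benign zero-minute reminder: one indicator alone must not alert.
    {"event_id": "evt-0004", "created": "2025-05-12T08:55:00+00:00",
     "start": "2025-05-12T12:00:00+00:00", "end": "2025-05-12T12:00:00+00:00",
     "description": "Submit timesheet"},
]


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_opaque(description: str, min_len: int = 64, min_entropy: float = 4.5) -> bool:
    """True for a long base64-alphabet string with high entropy; prose fails the alphabet test."""
    return (len(description) >= min_len
            and BASE64_RE.match(description) is not None
            and shannon_entropy(description) >= min_entropy)


def indicators_for(record: dict, stale_after: timedelta = timedelta(days=180)) -> list:
    """Names of the indicators present in one record, in a fixed order."""
    created = datetime.fromisoformat(record["created"])
    start = datetime.fromisoformat(record["start"])
    end = datetime.fromisoformat(record["end"])
    hits = []
    if start == end:
        hits.append("zero_minute_event")
    if created - start > stale_after:          # event created long after its own date
        hits.append("stale_date")
    if looks_opaque(record["description"]):
        hits.append("opaque_description")
    return hits


def triage(records, min_score: int = 2) -> list:
    """Return records carrying at least min_score indicators; a single one is noise."""
    out = []
    for rec in records:
        hits = indicators_for(rec)
        if len(hits) >= min_score:
            out.append({"event_id": rec["event_id"], "indicators": hits})
    return out


if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(hit["event_id"], ", ".join(hit["indicators"]))
```

The thresholds (180 days, 64 characters, 4.5 bits per character, two indicators) are starting points to tune against your own tenant’s baseline; legitimate zero-minute reminders are common, so the score only fires when the date and body anomalies coincide with it.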

Recommendations:

  1. Train users to identify spear phishing, especially emails with suspicious attachments (ZIPs, LNKs disguised as PDFs).
  2. Treat ZIP archives with suspicion, especially those with non-standard names or containing shortcut files (an .lnk masquerading as a .pdf); in this campaign the archive was linked from email but hosted on a legitimate, compromised government site, so a trusted-looking download domain is not a safety signal.
  3. Block shortcut (.lnk) files at the mail gateway and web proxy, including inside archives, and consider Attack Surface Reduction rules for content arriving from email and browsers; note that Group Policy cannot simply disable LNK execution without breaking the desktop, so blocking delivery is the practical control.
  4. Use application allowlisting (e.g., Windows Defender Application Control) so that an unsigned DLL dropped under a user profile, such as the fake image file in this chain, cannot be loaded.
  5. Monitor for process behaviors such as:
    svchost.exe with a parent other than services.exe, or started without a “-k <group>” argument
    a process creating svchost.exe suspended and then calling WriteProcessMemory, SetThreadContext and ResumeThread on it (process hollowing), or VirtualAllocEx and CreateRemoteThread against it
    a DLL loaded from a file with an image extension (.jpg) under a user-writable path
  6. Restrict automation in collaboration platforms such as Google Workspace (third-party apps and Apps Script access to Calendar, event creation through the API) to approved applications.
  7. Restrict API access to calendar services, especially write access from unknown origins or unapproved OAuth clients.
  8. Log and audit OAuth token grants and Calendar API usage; the malware used Calendar both to poll for tasking and to exfiltrate results, so review events with zero duration, hardcoded past dates, and opaque encrypted descriptions.
  9. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/c7685a6530a4badef05c7c9217ef8942d3fc2bda36bf63d6744f7e3a1272c3a0/iocs
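The endpoint checks in recommendation 5 can be expressed as rules over Sysmon process-creation events. The following is an added example written for this advisory, not code from the original page. The events are a constructed, simplified subset of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, ProcessId, ParentProcessId, UtcTime); using rundll32.exe to load the disguised DLL is an assumption of the sample, since the advisory does not say how the LNK loads “7.jpg”.

```python
"""Flag svchost.exe hollowing and disguised-DLL loads in Sysmon process-creation events.

Added example for this advisory, not code from the original page. Sample events are
constructed; the rundll32.exe parent is an assumption of the sample, not a fact from
the advisory.
"""
import ntpath

# Legitimate svchost.exe instances are started by services.exe with a "-k <group>" argument.
# Extend the allowlist after baselining (some security products also spawn svchost.exe).
SVCHOST_PARENT_ALLOWLIST = {"services.exe"}

SAMPLE_EVENTS = [
    # Normal service host start.
    {"EventID": 1, "UtcTime": "2025-05-12 09:02:10.101", "ProcessId": 1204, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    # A fake image file loaded as a DLL from the user's download folder (constructed).
    {"EventID": 1, "UtcTime": "2025-05-12 09:02:11.870", "ProcessId": 5120, "ParentProcessId": 4000,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\Downloads\invoice\images\7.jpg,#1"},
    # svchost.exe launched by that loader with no service group: hollowing target.
    {"EventID": 1, "UtcTime": "2025-05-12 09:02:12.330", "ProcessId": 5188, "ParentProcessId": 5120,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe"},
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list:
    """Return the rule names that fire for one process-creation event."""
    if ev.get("EventID") != 1:
        return []
    findings = []
    image = _basename(ev["Image"])
    parent = _basename(ev["ParentImage"])
    cmdline = ev.get("CommandLine", "")
    if image == "svchost.exe":
        if parent not in SVCHOST_PARENT_ALLOWLIST:
            findings.append("svchost_unexpected_parent")
        if "-k" not in cmdline.split():
            findings.append("svchost_without_service_group")
    if image == "rundll32.exe":
        # rundll32 takes "<module>,<entry>"; a module that is not a .dll is a red flag.
        # (Simple split: quoted module paths containing spaces are not handled here.)
        parts = cmdline.split(None, 1)
        module = parts[1].split(",")[0].strip('"') if len(parts) == 2 else ""
        if module and not module.lower().endswith(".dll"):
            findings.append("rundll32_non_dll_module")
    return findings


def detect(events) -> list:
    """Evaluate events in time order and link a suspicious svchost.exe to an already flagged parent PID."""
    flagged_pids = set()
    results = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        rules = check_event(ev)
        if not rules:
            continue
        if "svchost_unexpected_parent" in rules and ev.get("ParentProcessId") in flagged_pids:
            rules.append("hollowing_chain_from_flagged_parent")
        flagged_pids.add(ev["ProcessId"])
        results.append({"process_id": ev["ProcessId"], "image": _basename(ev["Image"]), "rules": rules})
    return results


if __name__ == "__main__":
    for r in detect(SAMPLE_EVENTS):
        print(r["process_id"], r["image"], ", ".join(r["rules"]))
```

The parent and command-line checks catch the hollowed host regardless of which loader spawned it; the chain rule adds confidence when the loader itself was already suspicious. Feed the same logic with real Sysmon output (or the equivalent EDR telemetry) and tune the allowlist before alerting on it.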

Source:

  • https://www.bleepingcomputer.com/news/security/apt41-malware-abuses-google-calendar-for-stealthy-c2-communication/
  • https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics

Ampcus Cyber