Google Shuts Down Malware That Leveraged Google Calendar to Steal Data

Kaumi Gazette, Technology, 30 May 2025

Google Calendar was being used as a communication channel by a group of hackers to extract sensitive information from victims, according to the Google Threat Intelligence Group (GTIG). The tech giant's threat intelligence division found a compromised government website in October 2024 and discovered that it was being used to distribute malware. Once the malware infected a device, it opened a backdoor over Google Calendar that let the operator extract data. GTIG has since taken down the Calendar accounts and the other infrastructure the attackers were using.

Google Calendar Used by China-Linked Hackers as a Command and Control (C2) Channel

GTIG detailed the malware's delivery method, how it functioned, and the measures Google took to protect users and its products. The actor behind the attack is said to be APT41, also known as HOODOO, a threat group believed to be linked to the Chinese government.

GTIG's investigation revealed that APT41 used spear phishing to deliver the malware to its targets. Spear phishing is a targeted form of phishing in which attackers tailor emails to specific individuals.

The emails contained a link to a ZIP archive hosted on the compromised government website. When the recipient opened the archive, it contained a Windows shortcut (.lnk) file disguised to look like a PDF, together with a folder.


Overview of how the malware functioned
Photo Credit: GTIG


The folder contained seven JPG images of arthropods (insects, spiders and so on). GTIG noted that the sixth and seventh entries, however, are decoys: one holds an encrypted payload and the other a dynamic link library (DLL) that decrypts it.

When the target clicks the LNK file, it triggers both of those files. The LNK file also deletes itself and is replaced with a decoy PDF, which is displayed to the user. The document states that the species shown must be declared for export, most likely to mask the intrusion and avoid raising suspicion.

Once the malware has infected a device, it operates in three stages, each carrying out one task in sequence. GTIG noted that all three stages use a range of stealth techniques to evade detection.

The first stage decrypts a DLL named PLUSDROP and runs it directly in memory. The second stage launches a legitimate Windows process and performs process hollowing, a technique in which attackers replace the code of a legitimate process with their own so that it runs under that process's name, to inject the final payload.

The final payload, TOUGHPROGRESS, carries out malicious tasks on the device and communicates with the attacker through Google Calendar, using the cloud service as its command and control (C2) channel.

The malware creates a zero-minute Calendar event on a hardcoded date (May 30, 2023) and stores encrypted data collected from the compromised computer in the event's description field.

It also relies on two further events on hardcoded dates (July 30 and 31, 2023), which give the attacker a backdoor for communicating with the malware. TOUGHPROGRESS regularly polls the Calendar for these two events.

When the attacker places an encrypted command in one of them, the malware decrypts and executes it, then sends back the result by creating another zero-minute event containing the encrypted output. Because all of this traffic goes to Google's own Calendar endpoints over HTTPS, it is hard to tell apart from legitimate Workspace use at the network edge; defenders are better placed to spot it by auditing calendar contents and the accounts that write to them.
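A hunting heuristic for this pattern, as an added example that is not part of GTIG's write-up and not the malware's code: it scores calendar events on the three traits described above (zero duration, one of the hardcoded dates, an opaque encrypted description) and flags those showing at least two. The record layout follows the Google Calendar API v3 event resource (id, summary, description, start.dateTime, end.dateTime); the event records themselves are constructed for the example, and the entropy threshold and the two-indicator rule are assumptions to tune against your own tenant's data.

```python
"""Hunt for Google Calendar events that resemble the TOUGHPROGRESS C2 channel.

Added example, not GTIG's or Google's code and not the malware itself. It
assumes the event records have the shape returned by the Google Calendar API
v3 events.list call (id, summary, description, start.dateTime, end.dateTime);
the sample events below are constructed for this example.
"""
import math
from datetime import datetime

# Dates the article reports TOUGHPROGRESS hard-codes: May 30, 2023 for
# exfiltrated data, July 30 and 31, 2023 for operator commands.
HARDCODED_DATES = {"2023-05-30", "2023-07-30", "2023-07-31"}

BASE64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def shannon_entropy(text: str) -> float:
    """Bits per character; encrypted or base64-encoded data scores high."""
    if not text:
        return 0.0
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_blob(text: str, min_len: int = 64, min_entropy: float = 4.5) -> bool:
    """An opaque description: long, no whitespace, high character entropy (thresholds assumed)."""
    t = text.strip()
    if len(t) < min_len or any(ch.isspace() for ch in t):
        return False
    return shannon_entropy(t) >= min_entropy


def event_indicators(event: dict) -> list[str]:
    """Return the C2-style indicators a single event exhibits."""
    start = datetime.fromisoformat(event["start"]["dateTime"])
    end = datetime.fromisoformat(event["end"]["dateTime"])
    found = []
    if start == end:
        found.append("zero-minute")          # zero-duration event
    if start.date().isoformat() in HARDCODED_DATES:
        found.append("hardcoded-date")       # one of the dates the implant polls
    if looks_like_blob(event.get("description", "")):
        found.append("opaque-description")   # ciphertext parked in the description field
    return found


def hunt(events: list[dict], min_indicators: int = 2) -> list[tuple[str, list[str]]]:
    """Flag events with at least min_indicators; any one alone is common in benign use."""
    hits = []
    for event in events:
        indicators = event_indicators(event)
        if len(indicators) >= min_indicators:
            hits.append((event["id"], indicators))
    return hits


def constructed_blob() -> str:
    """Deterministic stand-in for an encrypted payload (constructed, not a real sample).

    Cycling the base64 alphabet with an odd stride yields 128 characters with
    maximal variety, which is how real ciphertext looks to the entropy check.
    """
    return "".join(BASE64_ALPHABET[(i * 7) % 64] for i in range(128))


def _event(eid, start, end, summary, description=""):
    return {
        "id": eid,
        "summary": summary,
        "description": description,
        "start": {"dateTime": start},
        "end": {"dateTime": end},
    }


# Constructed sample: two C2-style events and three ordinary ones.
SAMPLE_EVENTS = [
    _event("evt-1", "2023-05-30T00:00:00+00:00", "2023-05-30T00:00:00+00:00", "", constructed_blob()),
    _event("evt-2", "2023-07-30T00:00:00+00:00", "2023-07-30T00:00:00+00:00", "", constructed_blob()),
    _event("evt-3", "2024-06-12T10:00:00+00:00", "2024-06-12T11:00:00+00:00", "Quarterly planning sync", "Bring the Q3 roadmap."),
    _event("evt-4", "2024-01-15T09:00:00+00:00", "2024-01-15T09:00:00+00:00", "Reminder", "Submit timesheet"),
    _event("evt-5", "2023-07-31T14:00:00+00:00", "2023-07-31T14:30:00+00:00", "Dentist"),
]

if __name__ == "__main__":
    for eid, indicators in hunt(SAMPLE_EVENTS):
        print(eid, ",".join(indicators))
```

The hardcoded dates are specific to the build GTIG analysed, so for general hunting the zero-minute and opaque-description indicators carry more weight than the date match. In a Workspace tenant the same records can be pulled for every user with the Calendar API's events.list call under a service account with domain-wide delegation, and the output joined with the audit log to see which account created each flagged event.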

To disrupt the campaign, GTIG created custom detection fingerprints to identify and take down APT41's Google Calendar accounts. The team also terminated the attacker-controlled Google Workspace projects, effectively dismantling the infrastructure used in the operation.

Google also updated its file detections and added the malicious domains and URLs to Google Safe Browsing blocklists.

GTIG has also notified affected organisations and provided them with samples of the malware's network traffic and details about the threat actor to support detection, investigation, and response efforts.
