Google shuts down malware that …

May 30, 2025

Google Calendar was being used as a communication channel by a group of hackers to extract sensitive information from individuals, according to the Google Threat Intelligence Group (GTIG). The tech giant's cybersecurity division discovered a compromised government website in October 2024 and found that malware was using it. Once the malware infected a device, it would create a backdoor using Google Calendar and allow the operator to extract data. GTIG has already taken down the Calendar accounts and other systems that were being used by the hackers.

Google Calendar used by China-linked hackers for command and control

In its report, GTIG described the method of the malware, how it functioned, and the measures taken by Google's team to protect users and its product. The hacker associated with this attack is said to be APT41, also known as HOODOO, a threat group believed to be linked to the Chinese government.

An investigation found that spear phishing was the method used to deliver the malware to targets. Spear phishing is a targeted form of phishing where attackers personalise emails to specific individuals. These emails contained a link to a ZIP archive that was hosted on the compromised government website. When an unsuspecting person opened the archive, it showed a shortcut file (.lnk), which was disguised to appear like a PDF, as well as a folder. According to GTIG, this folder contained seven JPG images of arthropods (insects, spiders, etc.). GTIG highlighted that the sixth and seventh entries, however, are decoys that actually contain an encrypted payload and a dynamic link library (DLL) file that decrypts the payload. When the target clicks the LNK file, it triggers both files. Interestingly, the LNK file also automatically deletes itself and is replaced with a fake PDF, which is shown to the user. This file mentions that the species shown need to be declared for expenses, likely to mask the hacking attempt and to avoid raising suspicion.

Once executed, the malware runs in three stages, where each stage carries out a task in sequence. GTIG highlighted that all three stages are executed using various stealth techniques to avoid detection. The first stage decrypts and runs a DLL file named PLUSDROP directly in memory. The second stage launches a legitimate Windows process and performs process hollowing, a technique used by attackers to run malicious code under the guise of a legitimate process.

Final payload

The final payload, TOUGHPROGRESS, executes malicious tasks on the device and communicates with the attacker via Google Calendar. It uses the cloud-based app as a command-and-control (C2) channel. The malware adds a zero-minute Calendar event on a hardcoded date (May 30, 2023), which stores encrypted data from the compromised computer in the event's description field. It also creates events on hardcoded dates (July 30 and 31, 2023), which give the attacker a backdoor to communicate with the malware. TOUGHPROGRESS regularly scans the calendar for these two events. When the attacker sends an encrypted command, it decrypts it and executes the command. Then, it sends back the result by creating another zero-minute event with the encrypted output.

To disrupt the malware campaign, GTIG created custom detection methods that identify and remove APT41 Google Calendar accounts. The team also shut down the attacker-controlled Google Workspace projects, effectively disabling the infrastructure that was used in the operation. Additionally, the tech giant updated its malware detection systems and blocked the malicious domains and URLs using Google Safe Browsing. GTIG has also shared samples of the malware's network traffic and details about the threat actor to help with detection, investigation, and response efforts.
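The Calendar C2 pattern described above (zero-minute events on hardcoded dates carrying encrypted data in the description field) lends itself to a simple triage heuristic over exported calendar events. The following is an added example, not code from GTIG or from the article; it assumes a simplified event shape with RFC 3339 start/end times and a description, and it assumes the encrypted data is stored as a single base64 blob, which the report does not specify. The sample events are constructed.

```python
import base64
import binascii
from datetime import datetime

# Hardcoded dates named in the report: the exfiltration event (May 30, 2023)
# and the two command events (July 30 and 31, 2023).
SUSPECT_DATES = {"2023-05-30", "2023-07-30", "2023-07-31"}

def looks_encoded(desc: str) -> bool:
    """Assumption: encrypted data in the description field is stored as one
    space-free base64 blob; the report does not specify the encoding."""
    compact = desc.strip()
    if " " in compact or len(compact) < 32:
        return False
    try:
        base64.b64decode(compact, validate=True)
        return True
    except (ValueError, binascii.Error):
        return False

def event_flags(event: dict) -> list:
    """Indicators for one event: zero-minute span, hardcoded date, encoded description."""
    start = datetime.fromisoformat(event["start"].replace("Z", "+00:00"))
    end = datetime.fromisoformat(event["end"].replace("Z", "+00:00"))
    flags = []
    if start == end:
        flags.append("zero_minute")
    if start.date().isoformat() in SUSPECT_DATES:
        flags.append("hardcoded_date")
    if looks_encoded(event.get("description", "")):
        flags.append("encoded_description")
    return flags

def triage(events: list) -> list:
    """Return (summary, flags) for events with at least two indicators, so a
    lone zero-minute reminder or a single matching date does not fire."""
    hits = []
    for ev in events:
        flags = event_flags(ev)
        if len(flags) >= 2:
            hits.append((ev["summary"], flags))
    return hits

# Constructed sample calendar (not real telemetry): one benign meeting plus two
# events shaped like the exfiltration and command events described in the report.
BLOB = base64.b64encode(b"constructed ciphertext stand-in, not a real payload 01").decode()
SAMPLE_EVENTS = [
    {"summary": "Weekly sync", "start": "2025-05-30T09:00:00Z", "end": "2025-05-30T09:30:00Z", "description": "Status meeting, room 4"},
    {"summary": "(constructed) exfil", "start": "2023-05-30T00:00:00Z", "end": "2023-05-30T00:00:00Z", "description": BLOB},
    {"summary": "(constructed) command", "start": "2023-07-30T00:00:00Z", "end": "2023-07-30T00:00:00Z", "description": BLOB},
]
```

Running triage(SAMPLE_EVENTS) flags only the two constructed C2-style events; the hardcoded dates are the report's values, so a real hunt would also review zero-minute events with encoded descriptions on any date.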
